# xen for security and isolation?

## groovin

I was reading about chrooting Apache over the weekend and there was a brief mention in a book that chrooting Apache would soon be replaced by virtualization technologies, as virtual servers are the preferred security option.

With all the recent buzz about Xen, I got interested in this and started wondering if anyone else had considered using Xen for web servers and process isolation. For instance, has anyone used Xen in some sort of LAMP server setup? I've only used Xen briefly back in v2, but IIRC a Xen domain is basically a real server, only it's running on top of a hypervisor... so if the Xen domain is rooted by a flaw in some service, the attacker still gets control of a server...

So my questions are:

- how can you lock down a Xen domain? Or rather, what mechanisms does Xen have that make it preferred to a chroot jail? I would think that perhaps it's because chroot jails can be escaped more easily than a Xen domain?

- if I use Xen to isolate processes on a public-facing server, say I put Apache in one Xen domain and then MySQL in another, does Xen provide some sort of private virtual networking between domains, so that I can have services like NFS running between the domains on a private network not facing the public?

I've explored the docs on Xen's site, but didn't quite find the answers I was looking for. Hopefully someone can add some thoughts.

Thanks!

----------

## Simba

You can use private IP addresses in Xen too, so you have a private connection between xenU.

Simba
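As an added illustration of the private-network answer above (this is example code written for this thread, not something Simba or the Xen project posted): the usual way to get an internal segment between domUs is a second bridge in dom0 with no physical NIC enslaved, and a vif on that bridge in each guest. The generator below renders xm-style (Python-syntax) domU configs for an Apache domain and a MySQL domain where only the web tier also touches the public bridge, plus the dom0 commands that create the private bridge and keep it unroutable. The bridge names `xenbr0` and `xenbr-priv`, the MAC addresses, the `10.10.10.0/24` range, and the kernel and disk paths are all assumptions.

```python
# Added example, not code from the thread: Xen domU configs for a split
# Apache / MySQL setup sharing a host-only bridge, plus the dom0 commands
# that create that bridge and stop dom0 from routing between it and the
# public side. Bridge names, MACs, disk paths and addresses are assumptions.

PUBLIC_BRIDGE = "xenbr0"        # assumed: bridge Xen's network-bridge script builds around eth0
PRIVATE_BRIDGE = "xenbr-priv"   # assumed: second bridge with no physical port enslaved
PRIVATE_NET = "10.10.10.0/24"   # constructed RFC 1918 range for the internal segment

# Constructed topology. Only the web tier gets a leg on the public bridge;
# the database domain is reachable solely over the private bridge.
DOMAINS = {
    "web": {"public": True, "priv_ip": "10.10.10.2", "mem": 256,
            "mac_pub": "00:16:3e:00:01:01", "mac_priv": "00:16:3e:00:02:01"},
    "db": {"public": False, "priv_ip": "10.10.10.3", "mem": 512,
           "mac_pub": None, "mac_priv": "00:16:3e:00:02:02"},
}


def vif_entries(spec):
    """vif strings for one domU. Order matters: the first entry becomes
    eth0 inside the guest, the second eth1."""
    vifs = []
    if spec["public"]:
        vifs.append("mac=%s, bridge=%s" % (spec["mac_pub"], PUBLIC_BRIDGE))
    vifs.append("mac=%s, bridge=%s" % (spec["mac_priv"], PRIVATE_BRIDGE))
    return vifs


def domu_config(name, spec):
    """Render an xm-style (Python-syntax) domU config file as a string.
    Kernel and disk paths are placeholders for whatever the host uses."""
    vifs = ", ".join("'%s'" % v for v in vif_entries(spec))
    return "\n".join([
        "kernel = '/boot/vmlinuz-xenU'             # assumed path",
        "memory = %d" % spec["mem"],
        "name = '%s'" % name,
        "vif = [ %s ]" % vifs,
        "disk = [ 'phy:/dev/vg0/%s-root,sda1,w' ]  # assumed LVM volume" % name,
        "root = '/dev/sda1 ro'",
        "# private leg: configure %s/%s inside the guest" % (spec["priv_ip"], PRIVATE_NET.split("/")[1]),
        "",
    ])


def dom0_bridge_setup():
    """dom0 commands: a bridge with no physical port only ever carries domU
    vifs, so frames on it cannot leave the box. Deliberately no
    'brctl addif' of a real NIC, and no IP address assigned in dom0."""
    return [
        "brctl addbr %s" % PRIVATE_BRIDGE,
        "ip link set %s up" % PRIVATE_BRIDGE,
    ]


def dom0_isolation_rules():
    """iptables rules for dom0, the only place that could route between the
    private bridge and anything else: drop such forwarding both ways, and
    refuse traffic aimed at dom0 itself from the private segment."""
    return [
        "iptables -A FORWARD -i %s ! -o %s -j DROP" % (PRIVATE_BRIDGE, PRIVATE_BRIDGE),
        "iptables -A FORWARD ! -i %s -o %s -j DROP" % (PRIVATE_BRIDGE, PRIVATE_BRIDGE),
        "iptables -A INPUT -i %s -j DROP" % PRIVATE_BRIDGE,
    ]


if __name__ == "__main__":
    for dom, spec in DOMAINS.items():
        print("# /etc/xen/%s" % dom)
        print(domu_config(dom, spec))
    print("\n".join(dom0_bridge_setup() + dom0_isolation_rules()))
```

The point of the two FORWARD rules is that a compromised web domU still only sees the database over `xenbr-priv`; it gains no path from that segment back out through dom0, and the db domain has no public vif at all. If dom0 itself needs NFS from the private segment, give it an address on the bridge and replace the INPUT drop with explicit allow rules for that service.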

----------

## groovin

Thanks Simba, I guess I'll take a closer look at the docs. I probably missed that part.

----------

## allucid

I am also interested to hear from someone who has tried both chrooting services and using xen for isolation.

----------

## e-tigger

I'm currently using the Linux Vserver packages for my virtual server configuration.

VServer is a very glorified chroot solution. Unlike UML it uses a shared kernel.

You have to give vserver instances permissions to do kernel-level activity (tcpdump, mknod, set time, raw ethernet).

You can limit resources for the vserver (CPU time / memory / disk).

Each vserver has its own IP address(es), but not its own routing table or iptables chains.

Each vserver is its own Linux load, sans the kernel.

A vserver can only access the host and other vservers through normal server to server communications.

The host has full access to all vservers.

vserver-sources and vserver-tools are in portage; works with nptl and amd64.

I've not used Xen (yet). I really wanted AMD64 support, which may now be available (as of Dec 05).

I have a pair of dual Opteron servers with arc SATA RAID cards.

I have been frustrated by the shared routing tables, as I wanted the vservers to be more like independent networked servers, using different LAN cards for different security zones, ... Gave all that up. I use one network card now; with some careful scripting using fwbuilder I maintain firewall rules for the individual vservers (iptables rules can move with the vservers for host-to-host failover).

I suppose I'll eventually move to Xen, because I'd like to have more routing control in my vservers.

Hope this helps.

----------

## Simba

I used vserver only a few times in the past, and then I moved to Xen for the same reason: with Xen I have more flexibility in the networking. vserver is not really independent or isolated from the host. Of course Xen is not as fast as vserver, but I can live with it.

And anyway, I tested Xen with nbench, and the integer and floating point performance under Xen are almost exactly the same as in a native Linux kernel. Only in the disk IO can I see some performance difference.

Simba.

----------

