Xen FAQ Security

From Xen

How do I restrict/bind the network card to domU witha firewall?

If I install minimal linux for XEN in dom0 and a periphery firewall in domU and other applications in other instances of domU, is it possible to restrict/bind the network card to domU having periphery firewall and from there forward packets for dom0 or for other domUs?

Is this possible? If so, is it secure? Or does dom0 always have direct access to Network Card and needs a separate firewall? And packets will always route from dom0 to all domUs ?

What are the issues involved?

Answer: The approach I've used at home is to hide a network card from Dom0 (see pic-back.hide) and pass it through to a DomU which then sees it as a native interface. I then run a firewall in the DomU and the outside traffic does NOT go through Dom0. The route for packets is then :

real i/f -> DomU (firewall) -> VIF -> int bridge [ Dom0 | VIF -> DomU ]

From security perspective, this is the same as having an L2 switch (when dom0's bridges have no IP address) or L3 switch (when dom0's bridges have an IP address)

Is Disk Encryption with Truecrypt or Loop-aes better?

I want to use a Disk Encryption and the conplete physikal Disk in a DomU. I prefer Truecrypt or Loop-aes. i will going to test loop-aes cause it should have the better performance. But, did anybody here using truecrypt or loop-aes ? What is the better one, in the fact of speed ?

Answer: dm-crypt/luks is one option, and performs about the same or better than loop-aes. Also it's less problematic because it doesn't use loop devices