Securing Xen in a Distributed Environment


Xen is one of the newest virtualization platforms available that can securely run multiple virtual guest servers, each running its own operating system, on a single physical system with close to native performance.  It is available on many Linux platforms as an open source application and directly from XenSource Inc. 

With the advent of multiple core processors and Xen, it is possible to virtualize an entire data center and fit 50 or more independent servers into one Xen server.  A number of third-party tools, known as management consoles, have been developed to facilitate the common tasks of administering a Xen host, such as configuring, starting, monitoring and stopping Xen guests. Examples include Enomalism, Xen Tools, Google’s Ganeti, MLN, HyperVM, FluidVM, ConVirt (formerly XenMan) and Red Hat’s Virtual Machine Manager, virt-manager.  Unfortunately, all of them fall short in one area or another in a distributed, secure and automated environment.

I will not get into how each of these management programs works, but with few exceptions they require complex installations into Domain-0, the privileged domain, and either require incoming connections to it or require a local desktop tool.  While this is convenient, it is not completely secure and can potentially lead to vulnerabilities.  If Domain-0 is ever compromised, all guest domains running on it are vulnerable as well.  As a baseline for security, the following should be required:

  1. Run the smallest number of necessary services on Domain-0.

  2. Use a firewall to restrict traffic to Domain-0.

  3. Do not allow users to access Domain-0.

  4. Do not allow any incoming connections to Domain-0.

So, how do you manage a Xen server remotely if you cannot directly access Domain-0, you ask?  The answer is almost too simple: Domain-0 uses outgoing connections to a remote server.  This not only allows the server to be more secure, it can potentially reduce the memory and load requirements of the management domain.
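As an added example, not code from the original post or its GPL scripts, here is a POSIX shell function that emits an iptables-restore ruleset implementing the four points above together with the outbound-only management model. The management server address 192.0.2.10:443 and the vif+ naming of Xen guest interfaces are assumptions, and the FORWARD rules only take effect when bridged traffic is handed to iptables (bridge-nf-call-iptables=1).

```bash
#!/bin/sh
# Added example, not part of the original post.  Emits an iptables-restore
# ruleset for a Xen Domain-0: nothing inbound, outbound only to the
# management server, guest traffic forwarded across the bridge untouched.
# Assumed values: management server and port are passed in by the caller;
# guest interfaces follow Xen's vifN.M naming (matched here as vif+).
gen_dom0_rules() {
    mgmt_ip="$1"; mgmt_port="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Rule 4: no incoming connections.  Only loopback and replies to
# connections Domain-0 itself opened are accepted.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j DROP
# Guest traffic crosses Domain-0 on the bridge.  Keep it flowing, but it
# never terminates on Domain-0 because INPUT above is closed.  These rules
# only apply when bridge-nf-call-iptables=1 (assumption, see lead-in).
-A FORWARD -m physdev --physdev-in vif+ -j ACCEPT
-A FORWARD -m physdev --physdev-out vif+ -j ACCEPT
-A FORWARD -j DROP
# Outbound-only management: Domain-0 may reach the management server and
# nothing else (add DNS/NTP rules here if the host needs them).
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp -d $mgmt_ip --dport $mgmt_port -j ACCEPT
-A OUTPUT -j DROP
COMMIT
EOF
}

# Usage (placeholder TEST-NET address, not a real management server):
#   gen_dom0_rules 192.0.2.10 443 | iptables-restore
```

Load it with iptables-restore only after confirming the bridge sysctl setting, otherwise the FORWARD chain is bypassed and guests are unaffected by it.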

Currently, we have working scripts that can provision and manage guest domains as well as send statistics to a remote server.  These scripts are only just beginning, but they are already working in a production environment.  Each is released under the GPL in the hope that others will gain some use from them and provide feedback, so we can make managing Xen servers easier and more secure.