Oracle® VM Server for SPARC 3.2 Security Guide

Exit Print View

Updated: March 2015
 
 

Control Domain

The control domain, which often has the roles of an I/O domain and a service domain, must be kept safe as it can modify the configuration of the hypervisor, which controls all attached hardware resources.

Threat: Control Domain Denial-of-Service

The shutdown of the control domain can result in a denial of service of the configuration tools. Because the control domain is required only for configuration changes, the guest domains are unaffected if they access their network and disk resources through other service domains.

Evaluation: Control Domain Denial-of-Service

Attacking the control domain over the network is equivalent to attacking any other properly protected Oracle Solaris OS instance. The damage of a shutdown or similar denial of service of the control domain is relatively low. However, guest domains are affected if the control domain also acts as a service domain for these guest domains.

Countermeasure: Securing Console Access

Avoid configuring administrative network access to the execution environment's domains. This scenario requires that you use the ILOM console service to the control domain to perform all administration tasks. Console access to all other domains is still possible by using the vntsd service running on the control domain.

Consider this option carefully. Although this option reduces the risk of being attacked over the administrative network, only one administrator can access the console at a time.

For information about securely configuring vntsd, see How to Enable the Virtual Network Terminal Server Daemon in Oracle VM Server for SPARC 3.2 Administration Guide .