3.1.4 Untrusted Internal Network

An untrusted internal network is loosely maintained and unmonitored, and is readily compromised either from the outside or from the inside, by workstations whose malware infections go uncorrected.

In this model, the dom0 admin control network and the VM network are partitioned into separate VLANs, with traffic between them controlled by a three-zone router/firewall. The firewall policy allows the admin network to make outbound connections anywhere but blocks inbound connections from the untrusted internal network. Firewall policy for the VM network depends on the application, but should expose to the internal network only the service ports that are actually needed. A signature-driven Intrusion Detection System on the VM network is an option for detecting traffic patterns that indicate an attack is under way.

This model treats any traffic from the internal network as potentially hostile. The network can be hardened further with hardware- or iptables-based firewalls and policies on the admin and dom0 hosts that block inbound traffic. The dom0 firewall rules can also be tightened to reject traffic from peer dom0 hosts on all ports except OCFS2 (7777), Oracle VM Agent (8899), and the Xen administration ports (8002 and 8003).
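A complete dom0 ruleset built on these points, as an added example that is not part of the Oracle VM security guide: a POSIX shell function renders an /etc/sysconfig/iptables file that limits ssh to a trusted admin network, omits the VNC range, opens the OCFS2, Oracle VM Agent and Xen ports only for named peer dom0 hosts, and logs before rejecting everything else, together with a small check that the rendered file honours those constraints. The admin network, the assumption that Oracle VM Manager sits on that network (so it is also allowed to the agent port), the peer addresses and the chain layout (the default Red Hat style RH-Firewall-1-INPUT chain) are placeholders, not values from the guide.

```shell
#!/bin/sh
# Added example, not from the Oracle VM security guide: render an
# /etc/sysconfig/iptables file for an Oracle VM Server dom0 that follows
# the untrusted-internal-network guidelines (ssh limited to a trusted admin
# network, VNC closed, cluster ports opened only for named peer dom0 hosts,
# everything else logged then rejected). Nothing is applied to the running
# kernel; the function prints the file so it can be reviewed and diffed
# before being installed.
#
# Assumed placeholders (not values from the guide):
#   $1  trusted admin network or host, e.g. 192.168.0.0/24; Oracle VM Manager
#       is assumed to live there, so it is also allowed to the agent port
#   $2  space-separated peer dom0 addresses in the server pool

gen_dom0_rules() {
    admin_net=$1
    peer_dom0s=$2
    rule='-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp'

    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ssh and the Oracle VM Agent port only from the trusted admin network
$rule -s $admin_net --dport 22 -j ACCEPT
$rule -s $admin_net --dport 8899 -j ACCEPT
EOF
    # OCFS2 (7777), Oracle VM Agent (8899) and Xen (8002, 8003) are opened
    # per peer dom0 host rather than for the whole VLAN.
    for peer in $peer_dom0s; do
        for port in 7777 8899 8002 8003; do
            printf '%s -s %s --dport %s -j ACCEPT\n' "$rule" "$peer" "$port"
        done
    done
    cat <<EOF
# No VNC rule (5900:5950): guest consoles are reached through an ssh tunnel.
# Anything not matched above is logged (rate limited) and then rejected.
-A RH-Firewall-1-INPUT -m limit --limit 15/minute -j LOG --log-prefix "FW Drop: "
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Review a rendered ruleset: no ACCEPT for the VNC range, and every ssh
# ACCEPT must carry a source restriction. Prints OK or a FAIL reason.
check_dom0_rules() {
    rules=$1
    if printf '%s\n' "$rules" | grep -q -- '--dport 5900'; then
        echo "FAIL: VNC port range is still accepted"; return 1
    fi
    if printf '%s\n' "$rules" | grep -- '--dport 22 ' | grep -qv -- ' -s '; then
        echo "FAIL: ssh rule without a source restriction"; return 1
    fi
    echo OK
}

# Render a ruleset for review with placeholder addresses.
gen_dom0_rules 192.168.0.0/24 "10.1.1.11 10.1.1.12"
```

Redirect the output to a scratch file, diff it against the current /etc/sysconfig/iptables, run the check, and only then install it; iptables-restore ignores the comment lines. Keep the ESTABLISHED,RELATED rule above the source-restricted rules, otherwise replies to the dom0's own outbound connections are rejected.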

Guidelines for the untrusted internal network model:

  • Implement all the guidelines for trusted internal networks.

  • Disable ssh root logins. Admins should log in as themselves (using their global uid) with user privileges. Set up sudo to allow specific admin commands per user or root, if needed. See Section 3.2, “Administrator Privileges in Oracle VM” for details.

  • Add failed-connection logging to the existing iptables firewall immediately before the final REJECT line. The limit match keeps a flood of rejected packets from filling the log, and the trailing space in the prefix keeps it from running into the IN= field of the kernel message:

    -A RH-Firewall-1-INPUT -m limit --limit 15/minute -j LOG --log-prefix "FW Drop: "
    -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
  • Set up a remote syslog server to collect all user logins and firewall connection failures, so that the records survive if a host is compromised.

  • Close the VNC port range on each Oracle VM Server dom0 by commenting out its firewall rule. Reach guest consoles by forwarding the VNC port over ssh and pointing vncviewer at the local end of the tunnel, rather than through Oracle VM Manager:

    #-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5900:5950 -j ACCEPT
    ssh -L 5900:vmserverhost:5900 vmserverhost
    vncviewer localhost:5900
  • Disable port 8888 and the IPP printing ports (631) on Oracle VM Manager:

    #-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
    #-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
    #-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8888 -j ACCEPT
    Note

    This leaves only the secure ports 22, 7002 and 10000 open, for administrator command-line access and Oracle VM Manager connections.

  • Define a trusted admin network or host and restrict ssh connections to Oracle VM Manager and the Oracle VM Servers to that network or host. To implement this, comment out the existing ssh rule in the default /etc/sysconfig/iptables file and replace it with a rule that matches your trusted network or single admin host, for example the 192.168.0.0/24 network or the host with IP address 192.168.0.67:

    #-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT
    -- or -- 
    -A RH-Firewall-1-INPUT -p tcp -s 192.168.0.67 --dport 22 -j ACCEPT
    Note

    Connections from any other source fall through to the logging rule from the third bullet and are logged before being rejected. Any of the rules in /etc/sysconfig/iptables can be restricted to selected networks or hosts in the same way. Because this rule decides who can still reach the host over ssh, confirm the source address you are connecting from matches the new rule before reloading the firewall on a remote server.
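Once the logging rule and the remote syslog server are in place, the dropped connections need to be looked at. The following is an added example, not from the Oracle VM security guide: a POSIX shell/awk script, intended to run on the syslog server, that reads syslog lines, keeps only the "FW Drop:" kernel messages, and reports per-source counts together with the ports each source tried, so that a workstation repeatedly hitting closed ports on a dom0 stands out. The log lines, the host name ovs01 and all addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Oracle VM security guide: summarise the
# "FW Drop:" messages that the dom0 LOG rule sends to the remote syslog
# server, so that an internal host repeatedly probing closed ports stands
# out. The log lines below are constructed for this example; the host name
# ovs01 and the addresses are placeholders.

SAMPLE_LOG='Mar  3 10:14:01 ovs01 kernel: FW Drop: IN=bond0 OUT= SRC=10.20.30.40 DST=10.20.30.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:14:02 ovs01 kernel: FW Drop: IN=bond0 OUT= SRC=10.20.30.40 DST=10.20.30.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51235 DPT=5900 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:14:05 ovs01 sshd[2231]: Accepted publickey for alice from 192.168.0.67 port 50122 ssh2
Mar  3 10:14:09 ovs01 kernel: FW Drop: IN=bond0 OUT= SRC=10.20.30.40 DST=10.20.30.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:14:11 ovs01 kernel: FW Drop: IN=bond0 OUT= SRC=10.20.30.41 DST=10.20.30.5 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=UDP SPT=631 DPT=631 LEN=58
Mar  3 10:14:20 ovs01 kernel: FW Drop: IN=bond0 OUT= SRC=10.20.30.40 DST=10.20.30.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=51237 DPT=8899 WINDOW=5840 RES=0x00 SYN URGP=0'

# Read syslog lines on stdin; print "count source proto/port,..." per
# source, busiest source first. Lines without the FW Drop: prefix (the
# sshd login above, for instance) are ignored.
fw_drop_summary() {
    awk '
    /FW Drop:/ {
        src = ""; dpt = ""; proto = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
        }
        if (src == "") next
        count[src]++
        key = proto "/" dpt
        # record each proto/port once per source, in first-seen order
        if (!seen[src, key]++)
            ports[src] = (ports[src] == "" ? key : ports[src] "," key)
    }
    END {
        for (s in count) printf "%d %s %s\n", count[s], s, ports[s]
    }' | sort -rn
}

# Print the sources whose drop count reaches the threshold (default 5);
# these are the candidates for an IDS alert or a ticket to the desktop team.
fw_drop_alerts() {
    threshold=${1:-5}
    fw_drop_summary | awk -v t="$threshold" '$1 + 0 >= t + 0 { print $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | fw_drop_summary
printf '%s\n' "$SAMPLE_LOG" | fw_drop_alerts 3
```

On a real syslog server the sample variable is replaced by the log file, for example `grep 'FW Drop:' /var/log/messages | fw_drop_summary`. The threshold is deliberately a parameter: one dropped packet is noise, the same workstation trying ssh, VNC and the agent port on a dom0 within a minute is the pattern this model is designed to catch.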