Date: Wed, 4 Jun 2008 23:34:46 -0700
From: Andrew Sharp <andy.sharp@onstor.com>
To: "Glyn Bowden" <glyn.bowden@onstor.com>
Subject: Re: Routing between vServer, or on BSD
Message-ID: <20080604233446.17dc2957@ripper.onstor.net>
In-Reply-To: <BB375AF679D4A34E9CA8DFA650E2B04E083CD2AF@onstor-exch02.onstor.net>
References: <BB375AF679D4A34E9CA8DFA650E2B04E083CD2AF@onstor-exch02.onstor.net>
Organization: Onstor
X-Mailer: Sylpheed-Claws 2.6.0 (GTK+ 2.8.20; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Hi Glyn,

It's more than possible, it's a constant.  However, I don't think such
security issues should necessarily be discussed over wide-distribution
email lists.  Our default and difficult-to-change root password is
featured on a number of cracker web sites as it is.

They can take the necessary steps to secure their systems and they
should be well protected.  Change the root and admin passwords.
Disable logins to ssh from vsvr IP addresses.  Make sure the SSC
ports are not in the DMZ.  That should be sufficient to protect them.

Cheers,

a

On Wed, 4 Jun 2008 23:10:12 -0700 "Glyn Bowden"
<glyn.bowden@onstor.com> wrote:

> Again I don't think it's possible to route from bsd to the vsvrs. This
> can be verified with ps -aux | grep routed. Also you could log in as
> root and check for the routed binary.
>
> I think that if an attacker has access to BSD then there are far more
> effective ways to attack the system than routing packets.
>
> Glyn
>
> --------------------------
> Sent using BlackBerry
>
>
> -----Original Message-----
> From: Steffen Thuemmel
> To: Glyn Bowden; dl-se; dl-cstech
> Sent: Wed Jun 04 23:04:04 2008
> Subject: RE: Routing between vServer, or on BSD
>
> Thanks Glyn. That answers the vServer part. But what about BSD? If an
> intruder would get access to the BSD level, would he be able to
> manipulate BSD and use it as a router? As it is still possible to
> get to the nfxsh via a vServer's IP address, there are concerns about
> security. The customer wants to have at least one vServer in a DMZ.
>
> Regards,
>
> st.
>
> Steffen Thuemmel
>
> ONStor GmbH
>
> telf.      +49 6102 884 84-0
> mobil.     +49 173 673 3434
> mail.      steffen.thuemmel@onstor.com
>
> -----Original Message-----
> From: Glyn Bowden
> Sent: Thursday, 5 June 2008 01:01
> To: Steffen Thuemmel; dl-se; dl-cstech
> Subject: Re: Routing between vServer, or on BSD
>
> IIRC there are separate route tables and arp tables (i.e. network
> stacks) within each vserver and they cannot see vservers outside of
> their own. This means there is no internal routing and each maintains
> its own address space.
>
> Does this answer the question?
>
> Glyn
>
> --------------------------
> Sent using BlackBerry
>
>
> -----Original Message-----
> From: Steffen Thuemmel
> To: dl-se; dl-cstech
> Sent: Wed Jun 04 14:54:48 2008
> Subject: Routing between vServer, or on BSD
>
> IHAC who is concerned about security within our design. Mostly he
> wants to know how we prevent the possibility of routing between
> vServers or even more the routing on our BSD (I hope we do not have
> a routing daemon). I remember this question has been raised before,
> but I did not save the answer…
>
> Kind regards
>
> Best regards
>
> st.
>
> Steffen Thuemmel
>
> telf.      +49 6102 884 84-0
> mobil.     +49 173 673 3434
> mail.      steffen.thuemmel@onstor.com
>
> ONStor GmbH
> Schleussner Str. 42
> D-63263 Neu-Isenburg
> Germany
>
> HR-B: 42402 AG Offenbach am Main;
> VAT ID: DE 249 472 495
> Managing Director: Andy Pinkard
>
