On 26 Nov 2010, at 10:50 , Orvar Korvar wrote:

> petrben,
> Yes that is my question too: "is running in a local zone safer?". That is why 
> I created this thread.
> 
> I was thinking something like this: If someone hacks my WinXP, then he must 
> bypass VBox. Then he is inside the local zone. Then he must get root access 
> to the local zone. Then he must break the zone to get into the global zone. 
> When he is in the global zone, he must gain root access. Then he is in my 
> computer.
> 
> To prevent this, I shut down the NIC to the global zone. Then there is no 
> communication between the global zone and local zones. So how can a hacker 
> inside a local zone, gain access to the global zone? The global zone does not 
> respond to any communication, because its NIC is down.
> 
> 
There is probably no need to shut down the NIC in the global zone. As long as 
you configure the zone to use exclusive IP and make sure the zone is on a 
separate subnet from the global zone and there is no routing between the 
subnets, you should be fine.
You could also use the crossbow features to create an internal network and do 
all kinds of firewalling between your VBox zone and the rest of the world.

        Paul

> 
> But you say something like: if a hacker takes control over VBox, then he also 
> gets inside the kernelspace and then he bypasses zones and everything and is 
> inside the global zone? He does not have to go through NICs and zones and 
> what not?



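A worked version of Paul's recipe, added here as an example and not code from the thread: an exclusive-IP zone whose only link is a VNIC on an internal Crossbow etherstub (so no physical NIC is shared with the global zone), with a pre-check that the zone's subnet is disjoint from the global zone's. The zone name, link names, zonepath and subnets are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: zone "vboxzone",
# etherstub "stub0", vnic "vboxzone0", zonepath /zones/vboxzone.

ip_to_int() {
    # dotted quad -> 32-bit integer
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

subnet_overlaps() {
    # $1 and $2 in CIDR form; returns 0 (true) if the two networks share
    # any address, i.e. they are equal under the shorter of the two prefixes
    n1=$(ip_to_int "${1%/*}"); p1=${1#*/}
    n2=$(ip_to_int "${2%/*}"); p2=${2#*/}
    p=$(( p1 < p2 ? p1 : p2 ))
    m=$(( (0xFFFFFFFF << (32 - p)) & 0xFFFFFFFF ))
    [ $(( n1 & m )) -eq $(( n2 & m )) ]
}

zone_config_script() {
    # zonecfg command script: $1 = zone name, $2 = vnic handed to the zone
    cat <<EOF
create
set zonepath=/zones/$1
set ip-type=exclusive
add net
set physical=$2
end
commit
EOF
}

build_isolated_zone() {
    # $1 = zone name, $2 = zone subnet (CIDR), $3 = global zone subnet (CIDR)
    # Refuse to build if the subnets overlap; Paul's advice assumes they do not.
    if subnet_overlaps "$2" "$3"; then
        echo "refusing: zone subnet $2 overlaps global zone subnet $3" >&2
        return 1
    fi
    dladm create-etherstub stub0          # internal switch, attached to no physical NIC
    dladm create-vnic -l stub0 "${1}0"    # vnic name must end in a digit
    tmp=$(mktemp) || return 1
    zone_config_script "$1" "${1}0" > "$tmp"
    zonecfg -z "$1" -f "$tmp"; rc=$?
    rm -f "$tmp"; return $rc
}
```

Run `build_isolated_zone vboxzone 10.1.1.0/24 192.168.1.0/24` as root in the global zone; because the global zone configures no address on stub0, the zone has no network path to it unless you deliberately add one (and a firewall there).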
_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org
