The security project - The XenServer gateway

So, I have spare hardware just laying around, not doing anything, collecting dust. And I thought it was about time I did something fun with it. So here's what I decided to do.

I will run a XenServer as my gateway.

Xenserver specs: HP ML350 - Dual Xeon e5450 (quad core, 3ghz, 12mb l2, "harpertown" arch), 12gb ddr3 RDIMM, lga 775, dual 80gb seagate ES SAS drives, raid 1. **edit - DDR2 667

Now, this might sound strange, but I think this could be a cool experiment, and I will update this forum topic as things progress.


Here's the plan:

Dom0 - CentOS, and it obviously will be the XenServer itself, 3 nics - "wan", "lan" (also management, for connecting via ssh and xencenter. Yes, xen-tools and other xen utils will be used), and one internal, "dmz"

Dom1 - PfSense, 3 network interfaces, 2 physical (wan and lan), 1 virtual (DMZ), 1 small HDD for transparent proxies via squid some snort, things like that.

Dom2 - Windows 7 Pro, 1 network interface, the internal DMZ

Dom3 - Windows 8.1 Pro, again, internal DMZ

Dom4 - Windows 10, internal DMZ

Dom5 - (some random linux distro), internal DMZ

Dom6 - (some random linux distro), internal DMZ

Dom7 - Hackintosh maybe? (if I can get it freaking working, haven't been successful putting it on xen yet)

All Hard Drives will be on a 1tb iSCSI volume, handed out by my freenas, which will be on the "management" internal lan.


The idea is to see how long it takes, with no user interaction, for these dmz machines to become infected, maybe added to some sort of botnet. Will something happen? I have no idea. But they will be entirely visible to the internet, so we'll see what happens (maniacal laughter)

I've always enjoyed the concept of seeing if you could collect every virus in existence with a few unprotected machines facing WAN.

My only concern for hypervisors sitting at the gateway is the hypervisors security itself, how do you plan to protect Xen?

PS. I am pretty sure the ML350 uses DDR2 RAM.

+1 A: Best comic ever. B: More importantly (for OP), do a  quick Google search on best practices for virtualizing Pfsense. While it is not often advised, it CAN be done securely(ish).

+1 for that comic :D 

Looking at it again, your're right, it has ddr2 667 in it. Sad day. oh, well.

I have no idea how I should end up making that hypervisor more secure than it already is at stock. Any suggestions are welcome.