What's the best way to secure a 1RU server running XenServer

Posted on 2014-09-07
Last Modified: 2016-11-23

We are about to colocate a 1RU application server that's currently running XenServer. Ideally we would have the XenServer sitting behind some sort of UTM device; however, as colocation space is very limited and very expensive, we were wondering what the best way would be to secure the server so that we can access and manage XenServer and the remote server administration system (Dell iDRAC), preferably without exposing both to the internet.

We were thinking of using some form of software firewall installed as a virtual server on XenServer. However, this creates a catch-22 situation, whereby if there is something wrong with XenServer or the software firewall then we won't be able to reach iDRAC to remotely administer the server.

We would be grateful for any ideas.

Question by:PlumInternet

Expert Comment

ID: 40308476
You should refer to the CC EAL documents - see
Common Criteria Documents for XenServer 6.0.2
Common Criteria Documents for XenServer 5.6
Check out the zip Admin guide and configuration for CC evaluation - this will be handy in securing XS. One example extract, using iptables:
1. Make sure the firewall is turned on, remove the default rules, and then set up the following default
# service iptables start
# iptables -F
# iptables -X
# iptables -P INPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT

2. On the management network, allow new incoming connections on port 443 (HTTPS) only:
# iptables -A INPUT -i xenbr0 -p tcp --dport 443 -m state --state NEW -j ACCEPT
# iptables -A INPUT -i xenbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A INPUT -i xenbr0 -j DROP

3. On the management network, allow new outgoing connections to port 443 (HTTPS), ports 7279/27000
(licensing) and port 123 (NTP) only:
# iptables -A OUTPUT -o xenbr0 -p tcp --dport 443 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr0 -p tcp --dport 7279 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr0 -p tcp --dport 27000 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr0 -p udp --dport 123 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o xenbr0 -j DROP

4. On the storage network, do not allow any new incoming connections:
# iptables -A INPUT -i xenbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A INPUT -i xenbr1 -j DROP

5. On the storage network, allow new outgoing connections on ports related to NFS (see the section called “Firewall on the storage network” in Common Criteria Administrator’s Guide for Citrix XenServer® 5.6, Platinum Edition for more details):
# iptables -A OUTPUT -o xenbr1 -p udp --dport 111 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr1 -p tcp --dport 111 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr1 -p udp --dport 2049 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr1 -p tcp --dport 2049 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr1 -p udp --dport 26345:26348 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr1 -p tcp --dport 26345:26348 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o xenbr1 -j DROP

6. Finally, save the new firewall configuration and make sure it is turned on after reboot:
# service iptables save
# chkconfig iptables on
Specifically, the aim is to achieve as many of the below as possible - secure by default on its own is the bare minimum
1. Securing the XenServer itself.
- There is another sample reference from the hardening guide; specifically, do not forget to cover the XenServer hypervisor setting to configure PAM to limit users with access to critical services such as XAPI (XAPI, or “XenAPI”, is the management toolstack used in XenServer; it is the XenServer "heart" that manages everything – all the resources in your XenServer environment)

(the archive may still be handy)
XenServer 5.0 Update 3 User Security Guide -

2. Securing iDRAC.
- Access it from a dedicated management network (out of band), e.g. avoid direct internet access and use some ACLs in your router to prevent unauthorized IPs from accessing it. If you can, put it on a private IP block so this is less of an issue. Dell recommends the iDRAC port be on a physically dedicated LAN.

- Where possible, disabling as much communication between the system and the DRAC as possible will reduce your attack surface. One thing to be aware of is that local access to the DRAC requires administrative access to the OS running on the server but does not require authentication beyond that. If you're running Unix and run racadm or omconfig (or one of the IPMI tools) as root, you will have administrative access to the DRAC.
(My fear is that if you have managed to get on locally, given unlimited time, the question to ask, and likely possible, is "can you brute force other devices on the management network". Imagine an insider or attacker taking that route.)

Expert Comment

ID: 40308481
Not forgetting trust but verify, e.g. using auditing to baseline the server posture with reference also to some best practice (below is one from Nessus)
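
An added example (not part of the original comments or of the Common Criteria guide): a shell check for the "trust but verify" step, comparing `iptables -S` output with the per-interface ports listed in the firewall steps above. The helper name `audit_iface` and the sample ruleset, including the drifted tcp/22 rule, are constructed for illustration.

```bash
#!/usr/bin/env bash
# audit_iface CHAIN IFACE "proto/port ..." reads `iptables -S` output on stdin and
# prints one finding per line (nothing when the chain matches the baseline).
# audit_iface is a hypothetical helper name, not a XenServer or iptables tool.
audit_iface() {
  awk -v chain="$1" -v iface="$2" -v allowed="$3" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1
            dir = (chain == "INPUT") ? "-i" : "-o" }
    $1 == "-P" && $2 == chain { policy = $3 }
    $1 != "-A" || $2 != chain { next }
    {
      ifc = proto = port = state = target = ""
      for (i = 3; i < NF; i++) {
        if ($i == dir)       ifc = $(i + 1)
        if ($i == "-p")      proto = $(i + 1)
        if ($i == "--dport") port = $(i + 1)
        if ($i == "--state" || $i == "--ctstate") state = $(i + 1)
        if ($i == "-j")      target = $(i + 1)
      }
      if (ifc != "" && ifc != iface) next      # rule names another interface
      if (dropped) { print "unreachable after DROP: " $0; next }
      if (target == "DROP" && proto == "" && state == "") { dropped = 1; next }
      key = proto "/" port
      if (target == "ACCEPT" && (state == "" || state ~ /NEW/) && !(key in ok))
        print "unexpected NEW accept: " key
    }
    END { if (!dropped) print "no terminal DROP for " iface " (policy " policy ")" }
  '
}

# Constructed sample in `iptables -S` format: the management-network rules from
# the steps above plus one drifted rule (tcp/22) that the baseline does not allow.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i xenbr0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -i xenbr0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i xenbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i xenbr0 -j DROP
-A OUTPUT -o xenbr0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -o xenbr0 -p tcp -m tcp --dport 7279 -m state --state NEW -j ACCEPT
-A OUTPUT -o xenbr0 -p tcp -m tcp --dport 27000 -m state --state NEW -j ACCEPT
-A OUTPUT -o xenbr0 -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A OUTPUT -o xenbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o xenbr0 -j DROP'

printf '%s\n' "$SAMPLE_RULES" | audit_iface INPUT  xenbr0 "tcp/443"
printf '%s\n' "$SAMPLE_RULES" | audit_iface OUTPUT xenbr0 "tcp/443 tcp/7279 tcp/27000 udp/123"
printf '%s\n' "$SAMPLE_RULES" | audit_iface INPUT  xenbr1 ""
```

On the host, live rules can be piped in with `iptables -S | audit_iface INPUT xenbr0 "tcp/443"`. Because the default policies in step 1 are ACCEPT, any bridge without its own final DROP is reported as unfiltered.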

Author Comment

ID: 40311330
Hi Btan,

Thanks for your comments. I don't think I have articulated the problem correctly.

We would like to colocate a single server with XenServer installed. How could we configure/set up the server to enable us to access iDRAC and XenServer Manager without exposing both to the internet?


Accepted Solution

btan earned 500 total points
ID: 40311397
Actually, regardless of the colocation, fundamental lockdown and hardening apply as I shared: have iDRAC for local management and not remote management through the internet. Likewise, no remote management access (on the Dom0 and xapi, the management toolstack) through the internet as well. These are to reduce exposure unless it is authorised and approved to go through a VPN (secure or equivalent "out of band" means) to tunnel into the intranet and via the management segment to access and manage the XenServer.

Since XenServer is a bare metal installation, iDRAC will also be accessed on that same host once it is enabled and the iDRAC card is connected to the network. The use of "xe" needs some form of Role Based Access Control (e.g. pool admin, pool operator, VM power admin, VM operator and read only) for least privilege, determined by the task to perform. You can work with RBAC using the xe CLI. Also have the RBAC audit log record any operation taken by a logged-in user.

Note that the user subject is authenticated via the Active Directory server to verify which containing groups the subject may also belong to.

- Please also see the configuration guide stated in either of the below, for which I shared the link in the last post (note the PDF is within the zip download), on Common Criteria Documents for XenServer 5.6

Note that each XenServer host has one or more networks, which are virtual Ethernet switches. Networks without an association to a PIF (represents a physical network interface) are considered internal, and can be used to provide connectivity only between VMs on a given XenServer host, with no connection to the outside world. Networks with a PIF association are considered external, and provide a bridge between VIFs (represents a virtual interface) and the PIF connected to the network, enabling connectivity to resources available through the PIF's NIC.

Both XenCenter and the xe CLI allow configuration of networking options, control over which NIC is used for management operations, and creation of advanced networking features such as virtual local area networks (VLANs) and NIC bonds. Also use VLANs with the host management interfaces.
