What's the best way to secure a 1RU server running XenServer?


We are about to colocate a 1RU application server that's currently running XenServer. Ideally we would have the XenServer sitting behind some sort of UTM device; however, as colocation space is very limited and very expensive, we were wondering what the best way would be to secure the server so that we can access and manage XenServer and the remote server administration system (Dell iDRAC), preferably without exposing both to the internet.

We were thinking of using some form of software firewall installed as a virtual server on XenServer. However, this creates a catch-22 situation, whereby if there is something wrong with XenServer or the software firewall then we won't be able to reach iDRAC to remotely administer the server.

We would be grateful for any ideas.


btan (Exec Consultant) commented:
You should reference the CC EAL - see
Common Criteria Documents for XenServer 6.0.2
Common Criteria Documents for XenServer 5.6
Check out the zip Admin guide and configuration for CC evaluation - this will be handy in securing XS. One example extract using IPTABLES:
1. Make sure the firewall is turned on, remove the default rules, and then set up the following default
# service iptables start
# iptables -F
# iptables -X
# iptables -P INPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT

2. On the management network, allow new incoming connections on port 443 (HTTPS) only:
# iptables -A INPUT -i xenbr0 -p tcp --dport 443 -m state --state NEW -j ACCEPT
# iptables -A INPUT -i xenbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A INPUT -i xenbr0 -j DROP

3. On the management network, allow new outgoing connections to port 443 (HTTPS), ports 7279/27000
(licensing) and port 123 (NTP) only:
# iptables -A OUTPUT -o xenbr0 -p tcp --dport 443 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr0 -p tcp --dport 7279 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr0 -p tcp --dport 27000 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr0 -p udp --dport 123 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o xenbr0 -j DROP

4. On the storage network, do not allow any new incoming connections:
# iptables -A INPUT -i xenbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A INPUT -i xenbr1 -j DROP
5. On the storage network, allow new outgoing connections on ports related to NFS (see the section called
"Firewall on the storage network" in the Common Criteria Administrator's Guide for Citrix XenServer 5.6, Platinum Edition for more details):
# iptables -A OUTPUT -o xenbr1 -p udp --dport 111 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr1 -p tcp --dport 111 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr1 -p udp --dport 2049 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr1 -p tcp --dport 2049 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr1 -p udp --dport 26345:26348 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr1 -p tcp --dport 26345:26348 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o xenbr1 -j DROP

6. Finally, save the new firewall configuration and make sure it is turned on after reboot:
# service iptables save
# chkconfig iptables on
Specifically, aim to achieve as many of the below as possible - secure by default on its own is the bare minimum.
1. Securing the XenServer itself.
- There is another sample reference from the hardening guide, specifically not forgetting to cover the XenServer hypervisor setting to configure PAM to limit users with access to critical services such as XAPI (or "XenAPI", the management tool stack used in XenServer; it is the XenServer "heart" that manages everything - all the resources in your XenServer environment).

(archive may still be handy)
XenServer 5.0 Update 3 User Security Guide - http://support.citrix.com/article/CTX120716.

2. Securing iDRAC.
- Access it from a dedicated management network (out of band), e.g. avoid direct internet access, and use some ACLs in your router to prevent unauthorized IPs from accessing it. If you can, put it on a private IP block so this is less of an issue. Dell recommends the iDRAC port be on a physically dedicated LAN.

- Where possible, disabling as much communication between the system and the DRAC as possible will reduce your attack surface. One thing to be aware of is that local access to the DRAC requires administrative access to the OS running on the server but does not require authentication beyond that. If you're running Unix and run racadm or omconfig (or one of the IPMI tools) as root, you will have administrative access to the DRAC.
(My fear is that if you have managed to get on locally, given unlimited time, the question to ask - and it is likely possible - is "can you brute force other devices on the management network". Imagine an insider or attacker taking that route.)
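Turning the six-step iptables extract above into something repeatable, and adding the check that the post implies but does not show: a dry-run generator for the per-bridge default-deny ruleset, plus an audit that reads `iptables -S` output and flags a management bridge whose INPUT chain does not end in DROP or that accepts NEW connections on ports outside the allow list. This is an added example, not code from the Citrix guide or from btan; the bridge names (xenbr0/xenbr1) and port lists follow the post, and the `iptables -S` listings embedded below are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the Citrix CC guide or the post): generate a
# per-bridge default-deny Dom0 ruleset and audit an "iptables -S" listing.
# Bridge names and port lists are assumptions matching the post above.

# gen_rules BRIDGE "in_ports" "out_ports"
#   Port tokens are proto/port, e.g. "tcp/443 udp/123".
#   Emits iptables commands in the same shape as the guide: explicit NEW
#   accepts, then RELATED,ESTABLISHED, then a terminal DROP per chain.
#   Review the output, then pipe it into sh as root to apply it.
gen_rules() {
    br=$1; in_ports=$2; out_ports=$3
    for spec in $in_ports; do
        proto=${spec%/*}; port=${spec#*/}
        echo "iptables -A INPUT -i $br -p $proto --dport $port -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A INPUT -i $br -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A INPUT -i $br -j DROP"
    for spec in $out_ports; do
        proto=${spec%/*}; port=${spec#*/}
        echo "iptables -A OUTPUT -o $br -p $proto --dport $port -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A OUTPUT -o $br -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A OUTPUT -o $br -j DROP"
}

# audit_input BRIDGE "allowed_in"   (reads "iptables -S" output on stdin)
#   Returns 0 when the bridge's INPUT rules end in DROP and only the allowed
#   proto/port pairs accept NEW connections; otherwise prints each finding
#   and returns 1. Use as:  iptables -S | audit_input xenbr0 "tcp/443"
audit_input() {
    br=$1; allowed=$2; rc=0
    rules=$(grep -e "^-A INPUT -i $br " || true)
    last=$(printf '%s\n' "$rules" | tail -n 1)
    case "$last" in
        *"-j DROP") ;;
        *) echo "FINDING: INPUT on $br does not end in DROP (last rule: ${last:-none})"; rc=1 ;;
    esac
    # iptables -S prints "-p tcp -m tcp --dport N -m state --state NEW -j ACCEPT";
    # pull out proto/port for every NEW-accept rule on this bridge.
    for spec in $(printf '%s\n' "$rules" \
            | sed -n 's/.*-p \([a-z]*\) .*--dport \([0-9:]*\) .*--state NEW -j ACCEPT$/\1\/\2/p'); do
        case " $allowed " in
            *" $spec "*) ;;
            *) echo "FINDING: INPUT on $br accepts NEW connections on $spec (not in allow list)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample listings (what "iptables -S" prints), for offline use.
# Good: matches step 2 of the guide exactly.
SAMPLE_GOOD='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i xenbr0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -i xenbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i xenbr0 -j DROP'
# Bad: someone opened SSH on the management bridge and dropped the terminal DROP.
SAMPLE_BAD='-P INPUT ACCEPT
-A INPUT -i xenbr0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -i xenbr0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i xenbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Usage (commented out so the file can be sourced):
#   gen_rules xenbr0 "tcp/443" "tcp/443 tcp/7279 tcp/27000 udp/123"
#   printf '%s\n' "$SAMPLE_BAD" | audit_input xenbr0 "tcp/443"
```

The audit is deliberately narrow: it checks the two properties that make the guide's ruleset default-deny on the management bridge, and it runs against a captured listing, so it can be scheduled from a monitoring host without touching the rules themselves.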
btan (Exec Consultant) commented:
Not forgetting "trust but verify", e.g. using auditing to baseline the server posture with reference also to some best practice (below is one from Nessus).
PlumInternet (Author) commented:
Hi Btan,

Thanks for your comments. I don't think I have articulated the problem correctly.

We would like to colocate a single server with XenServer installed. How could we configure/set up the server to enable us to access iDRAC and XenServer Manager without exposing both to the internet?

btan (Exec Consultant) commented:
Actually, regardless of the colocation, the fundamental lockdown and hardening I shared applies: have iDRAC for local management and not remote management through the internet. Likewise, no remote management access (on Dom0 and xapi, the management toolstack) through the internet either. These are to reduce exposure, unless it is authorised and approved to go through a VPN (secure or equivalent "out of band" means) to tunnel into the intranet and, via the management segment, access and manage the XenServer.

Since XenServer is a bare-metal installation, iDRAC will also be accessed on that same host once it is enabled and the iDRAC card is connected to the network. The use of "xe" needs some form of Role Based Access Control (e.g. pool admin, pool operator, VM power admin, VM operator and read only) for least privilege, determined by the task to perform. You can work with RBAC using the xe CLI. Also have the RBAC audit log record any operation taken by a logged-in user.

Note that the user subject is authenticated via the Active Directory server to verify which containing groups the subject may also belong to.

- Please also see the configuration guide in either of the below, which I shared the link to in my last post (note the PDF is within the zip download) on Common Criteria Documents for XenServer 5.6.

Note that each XenServer host has one or more networks, which are virtual Ethernet switches. Networks without an association to a PIF (represents a physical network interface) are considered internal, and can be used to provide connectivity only between VMs on a given XenServer host, with no connection to the outside world. Networks with a PIF association are considered external, and provide a bridge between VIFs (represents a virtual interface) and the PIF connected to the network, enabling connectivity to resources available through the PIF's NIC.

Both XenCenter and the xe CLI allow configuration of networking options, control over which NIC is used for management operations, and creation of advanced networking features such as virtual local area networks (VLANs) and NIC bonds. And use VLAN with host management interfaces.
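As an added example of the RBAC and audit-log points in the reply above (not code from btan or from Citrix): a small wrapper around the xe CLI that refuses to grant any role outside the six fixed XenServer roles, so a typo cannot silently hand out more than intended, and that exports the RBAC audit log. The subject uuid and the AD group name in the usage lines are constructed placeholders; `xe subject-add`, `xe subject-role-add`, `xe pool-enable-external-auth` and `xe audit-log-get` are the documented commands, and the assumption that `subject-add` prints the new subject's uuid is noted in the code. Setting `XE=echo` gives a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example (not from the post or from Citrix): validated RBAC grants and
# audit-log export via the xe CLI. Set XE=echo for a dry run.
XE=${XE:-xe}

# The six XenServer RBAC roles, most to least privileged (fixed set).
RBAC_ROLES="pool-admin pool-operator vm-power-admin vm-admin vm-operator read-only"

# valid_role NAME -> 0 if NAME is one of the six roles, else 1
valid_role() {
    case " $RBAC_ROLES " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# enable_ad DOMAIN ADMIN_USER
#   Joins the pool to Active Directory so subjects can be AD users/groups.
#   The join password is read from AD_PASS; it appears on the xe command
#   line, so run this from a console session, not a shared shell history.
enable_ad() {
    [ -n "$AD_PASS" ] || { echo "AD_PASS is not set" >&2; return 1; }
    $XE pool-enable-external-auth auth-type=AD service-name="$1" \
        config:user="$2" config:pass="$AD_PASS"
}

# add_subject NAME -> prints the subject uuid
#   Assumption: xe subject-add prints the uuid of the created subject.
add_subject() {
    $XE subject-add subject-name="$1"
}

# grant_role SUBJECT_UUID ROLE
#   Attaches exactly one role; refuses anything outside RBAC_ROLES so a
#   typo cannot fall through to an unintended privilege level.
grant_role() {
    uuid=$1; role=$2
    if ! valid_role "$role"; then
        echo "refusing to grant unknown role '$role' (valid: $RBAC_ROLES)" >&2
        return 1
    fi
    $XE subject-role-add uuid="$uuid" role-name="$role"
}

# export_audit FILE [SINCE]
#   Pulls the RBAC audit log (every operation by a logged-in user) to FILE,
#   optionally only entries since a timestamp, for offline review/baselining.
export_audit() {
    if [ -n "$2" ]; then
        $XE audit-log-get since="$2" filename="$1"
    else
        $XE audit-log-get filename="$1"
    fi
}

# Usage (placeholders; commented out so the file can be sourced):
#   AD_PASS=... enable_ad example.local joinadmin
#   uuid=$(add_subject 'EXAMPLE\vm-operators')        # constructed AD group
#   grant_role "$uuid" vm-operator
#   export_audit /root/rbac-audit.log
```

Keeping the role list in the script rather than trusting free-form input is the point: the least-privilege decision is made once, per task, and everything else is rejected.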

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.