What's the best way to secure a 1RU server running XenServer

Posted on 2014-09-07
Last Modified: 2016-11-23

We are about to colocate a 1RU application server that's currently running XenServer. Ideally we would have the XenServer sitting behind some sort of UTM device; however, as colocation space is very limited and very expensive, we were wondering what the best way would be to secure the server so that we can access and manage XenServer and the remote server administration system (Dell iDRAC), preferably without exposing both to the internet.

We were thinking of using some form of software firewall installed as a virtual server on XenServer. However, this creates a catch-22 situation, whereby if there is something wrong with XenServer or the software firewall then we won't be able to reach iDRAC to remotely administer the server.

We would be grateful for any ideas.

Question by:PlumInternet
LVL 64

Expert Comment

ID: 40308476
You should refer to the CC EAL - see:
Common Criteria Documents for XenServer 6.0.2
Common Criteria Documents for XenServer 5.6
Check out the zip (admin guide and configuration for CC evaluation); this will be handy in securing XS. One example extract using iptables:
1. Make sure the firewall is turned on, remove the default rules, and then set up the following default
# service iptables start
# iptables -F
# iptables -X
# iptables -P INPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT

2. On the management network, allow new incoming connections on port 443 (HTTPS) only:
# iptables -A INPUT -i xenbr0 -p tcp --dport 443 -m state --state NEW -j ACCEPT
# iptables -A INPUT -i xenbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A INPUT -i xenbr0 -j DROP

3. On the management network, allow new outgoing connections to port 443 (HTTPS), ports 7279/27000
(licensing) and port 123 (NTP) only:
# iptables -A OUTPUT -o xenbr0 -p tcp --dport 443 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr0 -p tcp --dport 7279 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr0 -p tcp --dport 27000 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr0 -p udp --dport 123 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o xenbr0 -j DROP

4. On the storage network, do not allow any new incoming connections:
# iptables -A INPUT -i xenbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A INPUT -i xenbr1 -j DROP
5. On the storage network, allow new outgoing connections on ports related to NFS (see the section called
“Firewall on the storage network” in the Common Criteria Administrator’s Guide for Citrix XenServer ® 5.6, Platinum Edition for more details):
# iptables -A OUTPUT -o xenbr1 -p udp --dport 111 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr1 -p tcp --dport 111 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr1 -p udp --dport 2049 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr1 -p tcp --dport 2049 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr1 -p udp --dport 26345:26348 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr1 -p tcp --dport 26345:26348 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o xenbr1 -j DROP

6. Finally, save the new firewall configuration and make sure it is turned on after reboot:
# service iptables save
# chkconfig iptables on
Specifically, the aim is to achieve as many of the below as possible; secure by default on its own is the bare minimum.
1. Securing the XenServer itself.
- There is another sample reference from the hardening guide; specifically, do not forget to cover the XenServer hypervisor setting to configure PAM to limit the users with access to critical services such as XAPI (or "XenAPI", the management toolstack used in XenServer; it is the XenServer "heart" that manages everything, i.e. all the resources in your XenServer environment).

(the archive may still be handy)
XenServer 5.0 Update 3 User Security Guide -

2. Securing iDRAC.
- Access them from a dedicated management network (out-of-band), e.g. avoid direct internet access, and use some ACLs in your router to prevent unauthorized IPs from accessing it. If you can, put it on a private IP block so this is less of an issue. Dell recommends the iDRAC port be on a physically dedicated LAN.

- Where possible, disabling as much communication between the system and the DRAC as possible will reduce your attack surface. One thing to be aware of is that local access to the DRAC requires administrative access to the OS running on the server but does not require authentication beyond that. If you're running Unix and run racadm or omconfig (or one of the IPMI tools) as root, you will have administrative access to the DRAC.
(My fear is that if you have managed to get on locally, given unlimited time, the question to ask, and it is likely possible, is "can you brute force other devices on the management network?". Imagine an insider or an attack taking that route.)
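As an added check (not part of btan's comment or of the Citrix guide he quotes), the POSIX shell function below audits an iptables-save dump of dom0 against the extract above: on the management bridge only RELATED,ESTABLISHED traffic and new TCP connections to one allowed port (443) may be accepted, and on the storage bridge no new inbound connection at all. The dump, the bridge names xenbr0/xenbr1 and the function name are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post or the Citrix CC guide.
# audit_input_rules checks the INPUT chain of an iptables-save dump for one
# bridge: every ACCEPT rule must be either RELATED,ESTABLISHED-only or a
# connection to the single allowed TCP port ("none" allows no new connections).
# It prints each offending rule and returns 1 if any is found, else 0.
audit_input_rules() {
    bridge=$1
    allowed=$2
    bad=0
    while IFS= read -r line; do
        # Only ACCEPT rules bound to this bridge's INPUT chain are of interest
        case "$line" in
            "-A INPUT -i $bridge "*"-j ACCEPT") ;;
            *) continue ;;
        esac
        # Replies to established connections admit no new inbound sessions
        case "$line" in
            *"--state RELATED,ESTABLISHED"*|*"--state ESTABLISHED,RELATED"*) continue ;;
        esac
        # The one permitted service: a TCP connection to the allowed port
        case "$line" in
            *"-p tcp"*"--dport $allowed "*) continue ;;
        esac
        echo "policy violation on $bridge: $line"
        bad=1
    done
    return $bad
}

# Constructed dump in iptables-save format, mimicking the CC rule set above
# but with a stray tcp/22 (SSH) rule left open on the management bridge.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i xenbr0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -i xenbr0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i xenbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i xenbr0 -j DROP
-A INPUT -i xenbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i xenbr1 -j DROP
COMMIT'

# Demo: the management bridge fails (tcp/22), the storage bridge passes.
# On a live dom0 use: iptables-save | audit_input_rules xenbr0 443
printf '%s\n' "$SAMPLE_DUMP" | audit_input_rules xenbr0 443 || echo "xenbr0: FAIL"
printf '%s\n' "$SAMPLE_DUMP" | audit_input_rules xenbr1 none && echo "xenbr1: OK"
```

Run it as root on dom0 after applying the CC rules and again after every change to the host, so a rule added for convenience (SSH, for instance) does not silently widen the management exposure the question is trying to avoid.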
LVL 64

Expert Comment

ID: 40308481
Not forgetting trust but verify, e.g. using auditing to baseline the server posture against some best practice as well (below is one from Nessus).

Author Comment

ID: 40311330
Hi Btan,

Thanks for your comments. I don't think I have articulated the problem correctly.

We would like to colocate a single server with XenServer installed. How could we configure/set up the server to enable us to access iDRAC and XenServer Manager without exposing both to the internet?

LVL 64

Accepted Solution

btan earned 500 total points
ID: 40311397
Actually, regardless of the colocation, the fundamental lockdown and hardening I shared applies: have iDRAC for local management and not remote management via the internet. Likewise, no remote management access (to Dom0 and xapi, the management toolstack) through the internet either. These are to reduce exposure unless it is authorised and approved to go through a VPN (secure or equivalent "out of band" means) to tunnel into the intranet and, via the management segment, access and manage the XenServer.

Since XenServer is a bare-metal installation, iDRAC will also be accessed on that same host once it is enabled and the iDRAC card is connected to the network. The use of "xe" needs some form of Role Based Access Control (e.g. pool admin, pool operator, VM power admin, VM operator and read only) for least privilege, determined by the task to perform. You can work with RBAC using the xe CLI. Do also have the RBAC audit log record any operation taken by a logged-in user.

Note that the user subject is authenticated via the Active Directory server to verify which containing groups the subject may also belong to.

- Please also see the configuration guide in the link I shared in my last post (note the PDF is within the zip download), Common Criteria Documents for XenServer 5.6.

Note that each XenServer host has one or more networks, which are virtual Ethernet switches. Networks without an association to a PIF (represents a physical network interface) are considered internal, and can be used to provide connectivity only between VMs on a given XenServer host, with no connection to the outside world. Networks with a PIF association are considered external, and provide a bridge between VIFs (represents a virtual interface) and the PIF connected to the network, enabling connectivity to resources available through the PIF's NIC.

Both XenCenter and the xe CLI allow configuration of networking options, control over which NIC is used for management operations, and creation of advanced networking features such as virtual local area networks (VLANs) and NIC bonds. Also use VLANs with the host management interfaces.
