On 09/25/2016 02:34 AM, neilhard...@gmail.com wrote:
> Let's say I have a Qubes machine connected to a 2nd laptop by Ethernet.
> The Qubes machine is sharing its Internet connection.
> Let's say the Qubes machine gets hit with a DMA attack.
> The 2nd laptop is not a Qubes machine, and therefore doesn't have VT-D for DMA
> protection.
> Can the DMA attack be "carried forward" to the 2nd laptop... or is it killed
> for good by the Qubes machine..?
> Thanks

The former is true: A Qubes netvm (e.g. sys-net) is like having a
separate router device. If it's compromised it could launch (non-DMA)
attacks against other devices on the net... AND against your appvms.
But proxyvms can help protect your other vms in various ways: A
sys-firewall can filter packets with hardly any risk of being attacked
itself. A VPN gateway can reject anything that doesn't belong to the
encrypted packet stream. Etc...
Of course, non-networked VMs are the safest of all.
Chris