On Sunday, September 25, 2016 at 7:34:28 AM UTC-4, johny...@sigaint.org wrote:
> > Simple question: Why are Ethernet and WiFi in sys-net..?
> >
> > Is it
> >
> > (A) Just for easy access to the same network for all App VMs..?
> >
> > (B) Because this is isolating Ethernet and WiFi from the rest of the system, to stop DMA attacks..?
>
> Primarily (B). Any DMA attack or other network hardware compromise is confined to the net VM, and not your more critical work VMs (or dom0).
>
> > It's not clear to me whether the VT-D protection is occurring because you are putting these devices in sys-net.
> >
> > Or whether the VT-D is implemented regardless of which VM the Wifi/Ethernet are in.
>
> I'm not quite clear what you're getting at here. The network device(s) could live in any VM, and thus be isolated from the rest of the system.
>
> But by Qubes convention, the devices are put in sys-net, which is sys-firewall's NetVM, which in turn is typically the NetVM for other AppVMs.
>
> > I ask this because I want to run some programs in sys-net, and wonder whether a DMA attack could screw up these programs.
>
> It absolutely could. I'd generally recommend against running anything in sys-net unless it's very specifically needed, raw net-related, or low-risk. Things like wireshark, iptraf are useful to have in sys-net, for example.
>
> Any program running in sys-net doesn't benefit from the firewall rules protection at all, either.
>
> Just as with dom0, the fewer programs running (and thus the smaller attack surface) in sys-net (and sys-firewall), the better.
>
> Which is why I'd like to see unnecessary things like pulseaudio, exim, (and possibly even the X server) not included in sys-net by default. I think there's a Qubes ticket to that effect.
>
> Digressing a bit, but here's an interesting, leaner replacement for sys-firewall:
>
> http://roscidus.com/blog/blog/2016/01/01/a-unikernel-firewall-for-qubesos/
>
> What's the nature of the program(s) you want to run in sys-net? Is there any reason they couldn't be run in another AppVM instead?
>
> JJ
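To make the two points in JJ's reply concrete (the NetVM chain AppVM -> sys-firewall -> sys-net, and the fact that a program started inside sys-net is checked by no firewall hop at all), here is a small model of that chain. It is an added example written for this thread, not Qubes code and not the Qubes API; the qube names, the constructed device id and the rule sets are invented for the illustration, and the model simplifies the real design to one assumption: a qube's rule list is enforced by its own NetVM, so a connection is checked once per hop until a qube with no NetVM is reached.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Qube:
    """One qube in the constructed model (not a Qubes API object)."""
    name: str
    netvm: Optional[str] = None                      # upstream NetVM; None = end of the chain
    pci_devices: list = field(default_factory=list)  # constructed ids for assigned NICs
    rules: list = field(default_factory=list)        # [(action, cidr)], first match wins
    default_action: str = "drop"                     # applied when no rule matches


def rules_permit(qube: Qube, dst: str) -> bool:
    """Evaluate a qube's own rule list against a destination address."""
    addr = ip_address(dst)
    for action, cidr in qube.rules:
        if addr in ip_network(cidr):
            return action == "accept"
    return qube.default_action == "accept"


class NetChain:
    def __init__(self, qubes):
        self.qubes = {q.name: q for q in qubes}

    def hops(self, name):
        """NetVMs traversed from `name` out to the qube that holds the hardware."""
        out, seen, q = [], {name}, self.qubes[name]
        while q.netvm is not None:
            if q.netvm in seen:
                raise ValueError(f"NetVM loop at {q.netvm}")
            seen.add(q.netvm)
            q = self.qubes[q.netvm]
            out.append(q.name)
        return out

    def hardware_holder(self, name):
        """The qube at the end of the path: the one a NIC compromise (e.g. DMA)
        lands in, and therefore the blast radius for anything running there."""
        return ([name] + self.hops(name))[-1]

    def check(self, src, dst):
        """Return (allowed, enforcers). Each qube's rules are enforced by its
        own NetVM, so we check the originating qube's rules at its NetVM,
        then that NetVM's rules at the next hop, and so on. A qube with no
        NetVM (sys-net itself) is never checked by anyone."""
        enforcers = []
        q = self.qubes[src]
        while q.netvm is not None:
            enforcers.append(q.netvm)
            if not rules_permit(q, dst):
                return False, enforcers
            q = self.qubes[q.netvm]
        return True, enforcers


def conventional_layout():
    """The layout the reply describes: AppVM -> sys-firewall -> sys-net (NIC).
    Addresses and rules are constructed sample data."""
    return NetChain([
        Qube("sys-net", netvm=None, pci_devices=["pci:nic0"], default_action="accept"),
        Qube("sys-firewall", netvm="sys-net", default_action="accept"),
        Qube("work", netvm="sys-firewall", rules=[("accept", "93.184.216.0/24")]),
    ])


if __name__ == "__main__":
    m = conventional_layout()
    print("work path:", m.hops("work"), "hardware in:", m.hardware_holder("work"))
    print("work -> 10.0.0.5      :", m.check("work", "10.0.0.5"))
    print("work -> 93.184.216.34 :", m.check("work", "93.184.216.34"))
    print("sys-net -> 10.0.0.5   :", m.check("sys-net", "10.0.0.5"))
```

Running it shows the asymmetry the reply is warning about: the same destination that sys-firewall drops for `work` is reachable without any check from `sys-net`, because nothing sits upstream of the qube that holds the NIC. The `hardware_holder` result is the same qube, which is why tools left running there inherit both the DMA exposure and the absence of rule enforcement.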
Anything listening to traffic is a security risk. Wireshark is a known security risk in itself. But that is what's cool about Qubes: the sys-net is considered untrusted anyway, so it's actually perfect for running something like Wireshark.