On Mon, Mar 13, 2017 at 2:29 AM, InfusingPrivacy <[email protected]> wrote: > Hi, > > I've decided to gives Qubes a try. Apologies if I sound confused; there are > many options and settings in Qubes and as a first-time user, I want to make > sure I set Qubes up correctly. I have the following concern about the default > netvm. > > If the netvm is untrusted by default, I am making the assumption that the vm > is, "out-of-the-box" easier to compromise than the other vms. So I was > wondering what is the best practice for long term maintenance of the default > netvm, immediately after a fresh install of Qubes? > > 1. Attempt to harden netvm before connecting to the internet (disable remote > access, setup iptable rules, etc), then make a backup?
There is no remote-access stuff enabled by default (no ssh, etc.), and the default iptables INPUT and FORWARD chains end in DROP (no incoming traffic is allowed by default). > 2. Do not harden; only backup netvm before connecting to internet. If I > suspect that netvm is compromised in the future, simply stop netvm & restore > from backup. You may. You can also delete the VM and re-create it (set NetVM of sys-firewall to none, delete sys-net, re-create based on whatever template, assign network pci devs to it, restore netvm of sys-firewall, and might need to restore ClockVM to new sys-net in global prefs too (not sure)). > 3. Some other best practice I did not think of. Yes, just don't worry too much about it ;) It is considered untrusted precisely because you do not need to trust it very much as long as you follow good practice with the VMs behind it (generally assuming your traffic may be actively man-in-the-middled regardless of where you are - by your ISP, the kid in the coffee shop, or the attacker in sys-net). > (If choice #1 or 2 is best, I have a followup question) > > Q1. Based on a post on 'theinvisiblethings' blog, netVMs are not the same as > AppVMs. Since the backup/restore instructions on the qubes site > (qvm-backup/qvm-backup-restore) is for AppVMs, how can I backup netvms for > the purpose of restoring if/when they are compromised? A legitimate confusion. Perhaps our docs could be more clear. Backups work the same for any type of VM (AppVM, ProxyVM, NetVM, etc.). The differences are mostly in what settings they are allowed to have, what services are run by default, and what directory they are stored in on disk. > (If choice #1 is best) > > 1. Is there a guide on how we can harden the netvm? How can I view what > default services, files, ports/remote access are enabled on the default netvm > and how make my hardening customizations to the netvm permanent? I mainly > want to make sure the netvm has no remote filesystem access from the internet > (i.e. ssh, ftp, etc); the only 'access' should be from dom0. You should do your firewalling, etc. in sys-firewall rather than sys-net. This is because sys-net has a higher chance of being compromised via vulnerable wireless card drivers or malicious wireless card firmware, and you would not want that compromised sys-net to be able to turn off your firewall! ;) This is the reason sys-firewall exists as a separate domain behind it. > Apologies if some of the questions are based on incomplete/incorrect > information; I've tried reading all the Qubes documentation that could be > related to my question such as: > > https://theinvisiblethings.blogspot.com/2011/09/playing-with-qubes-networking-for-fun.html > https://www.qubes-os.org/doc/firewall/ > https://www.qubes-os.org/doc/backup-restore/ > https://www.qubes-os.org/getting-started/ > > Thanks, > New Qubes OS user Glad to have you with us! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CABQWM_B7NSTo8xnHA-1aPDE3c_erFJksvutUnKds%3DRD04hS13A%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
