On Mon, Mar 13, 2017 at 5:04 AM, Jean-Philippe Ouellet <[email protected]> wrote:
> On Mon, Mar 13, 2017 at 2:29 AM, InfusingPrivacy 
> <[email protected]> wrote:
>> 1. Is there a guide on how we can harden the netvm? How can I view what 
>> default services, files, ports/remote access are enabled on the default 
>> netvm and how make my hardening customizations to the netvm permanent? I 
>> mainly want to make sure the netvm has no remote filesystem access from the 
>> internet (i.e. ssh, ftp, etc); the only 'access' should be from dom0.
>
> You should do your firewalling, etc. in sys-firewall rather than
> sys-net. This is because sys-net has a higher chance of being
> compromised via vulnerable wireless card drivers or malicious wireless
> card firmware, and you would not want that compromised sys-net to be
> able to turn off your firewall! ;) This is the reason sys-firewall
> exists as a separate domain behind it.

Likewise, when you are running "high-risk" (complex) protocol parsers
(like tcpdump, wireshark, etc.), it is preferable to do so in sys-net
(or a cloned sys-net based on a template with such tools installed)
rather than sys-firewall, because it is desirable to protect
sys-firewall from such attack vectors.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABQWM_CkqkAjmj7gpiKHyH3tJUsC1_0%3DQta7OOqsf%2BOnHC5k%3DA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to