On Mon, Mar 13, 2017 at 5:04 AM, Jean-Philippe Ouellet <[email protected]> wrote: > On Mon, Mar 13, 2017 at 2:29 AM, InfusingPrivacy > <[email protected]> wrote: >> 1. Is there a guide on how we can harden the netvm? How can I view what >> default services, files, ports/remote access are enabled on the default >> netvm and how make my hardening customizations to the netvm permanent? I >> mainly want to make sure the netvm has no remote filesystem access from the >> internet (i.e. ssh, ftp, etc); the only 'access' should be from dom0. > > You should do your firewalling, etc. in sys-firewall rather than > sys-net. This is because sys-net has a higher chance of being > compromised via vulnerable wireless card drivers or malicious wireless > card firmware, and you would not want that compromised sys-net to be > able to turn off your firewall! ;) This is the reason sys-firewall > exists as a separate domain behind it.
Likewise, when you are running "high-risk" (complex) protocol parsers (like tcpdump, wireshark, etc.), it is preferable to do so in sys-net (or a cloned sys-net based on a template with such tools installed) rather than sys-firewall, because it is desirable to protect sys-firewall from such attack vectors. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CABQWM_CkqkAjmj7gpiKHyH3tJUsC1_0%3DQta7OOqsf%2BOnHC5k%3DA%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
