On 03/13/2017 08:19 PM, InfusingPrivacy wrote:
On Monday, March 13, 2017 at 5:07:42 AM UTC-4, Jean-Philippe Ouellet wrote:
On Mon, Mar 13, 2017 at 5:04 AM, Jean-Philippe Ouellet <[email protected]> wrote:
On Mon, Mar 13, 2017 at 2:29 AM, InfusingPrivacy <[email protected]> 
wrote:
1. Is there a guide on how we can harden the netvm? How can I view what default 
services, files, ports/remote access are enabled on the default netvm and how 
make my hardening customizations to the netvm permanent? I mainly want to make 
sure the netvm has no remote filesystem access from the internet (i.e. ssh, 
ftp, etc); the only 'access' should be from dom0.

You should do your firewalling, etc. in sys-firewall rather than
sys-net. This is because sys-net has a higher chance of being
compromised via vulnerable wireless card drivers or malicious wireless
card firmware, and you would not want that compromised sys-net to be
able to turn off your firewall! ;) This is the reason sys-firewall
exists as a separate domain behind it.

Likewise, when you are running "high-risk" (complex) protocol parsers
(like tcpdump, wireshark, etc.), it is preferable to do so in sys-net
(or a cloned sys-net based on a template with such tools installed)
rather than sys-firewall, because it is desirable to protect
sys-firewall from such attack vectors.

Ok; thanks for all of the information! It was very helpful!


For clarification, the main reason netVMs are considered untrusted is because of the NICs themselves. When a NIC is compromised, it can freely take control of any part of the VM using DMA attacks. So there is no point in hardening the system configuration in a netVM.

Its possible that firmware updates could harden the NIC itself against attacks, so of course keeping your netVM template updated can help.

--

Chris Laprise, [email protected]
https://twitter.com/ttaskett

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e16d82ec-4025-6167-3dad-4f589c9c574f%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.

Reply via email to