On 03/07/18 15:05, sevas wrote:
Cool. That gave me some ideas. Thanks for sharing your setup.

So, another infosec question I'm trying to figure out...

Templates Vs AppVMs.

I find that I separate my Templates based on two criteria. What I want to limit access to, and what I do or do not trust....

I want to limit sys-net to the absolute bare minimum of tools and functionality, because I want any adversary to have a really, really hard time trying to leverage my sys-net to get to the next hop on the network. Your sys-net is the public attack surface which is available 24x7 for attack on your host system. If somehow an adversary were to get a foothold on sys-net, then they could set up shop and start attacking Xen, sys-firewall, or your network neighbors. You really do not want a rootkit flashed into your NIC, trust me.

I want the tools for those tasks to be as limited as possible, and if I could remove everything right down to the kernel and network drivers, I would do that. Unfortunately we do need a shell environment to make networking work, so not providing any tools or applications that would make their life easier is the goal to work towards.

For this reason I give sys-net its own stripped-down software template. I want existence there to be painful if not impossible. I would like to even remove sudo and other convenience tools, and make that environment even more primitive, making it that much harder. For admin privs one could use dom0 and "qvm-run -u root sys-net ..." to manage maintenance tasks, but I have not had the time to test if this would even work in the long run. If I could have a single-binary monolithic executable image, that would work for me.

The other concern is what I do trust, in that I trust the fedora/redhat distribution much more than I trust the fedora "fusion" project. If I had a VM where I needed some mp3 player from fusion, I would not want my Banking VM to be exposed to shared libraries running from this other distribution. Keep the risky software out of AppVMs that you need to trust, while it's OK to provide the risky software to VMs that are only there for your pleasure and amusement. Draw a big red line down the middle, and never let the two meet.

So my Templates are divided as:

"fedora-26-net"     - Stripped to the bone
"fedora-26"         - general-use VMs
"fedora-26-trusted" - Banking, Purchasing, etc.
"fedora-26-fusion"  - Web browsing, YouTube, multimedia, social media, etc.

For each AppVM I will personalize the dom0 menu to place the apps I intend each VM to use. Keep the menus clean, concise, and for the purpose. If an extra app exists in that VM's file system but does not get used, that's OK by me. What I don't want is rogue software that I don't trust running in the wrong VM, hence their templated separation based on what I do or do not trust.

Steve


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/67ac5e4b-88ee-827d-a9da-8adb3c6ffd51%40jhuapl.edu.
For more options, visit https://groups.google.com/d/optout.
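An added example, not from Steve's post or from the Qubes project, that audits the template split he describes from dom0: it reads the "name|template" lines that `qvm-ls --raw-data --fields NAME,TEMPLATE` prints (format assumed from Qubes 4.0) and flags any AppVM whose template sits in a different trust tier than the one its name is assigned to. The AppVM names and the tier policy are assumptions for illustration.

```shell
#!/bin/sh
# Audit the "big red line" between the trusted and fusion templates.
# Assumptions: `qvm-ls --raw-data --fields NAME,TEMPLATE` prints
# "name|template" lines (TemplateVMs show "-"); AppVM names are hypothetical.
# Trust tier of a template: net, trusted, general, fusion, or unknown.
template_tier() {
  case "$1" in
    fedora-26-net)     echo net ;;
    fedora-26-trusted) echo trusted ;;
    fedora-26-fusion)  echo fusion ;;
    fedora-26)         echo general ;;
    *)                 echo unknown ;;
  esac
}
# Tier each AppVM is required to run on (the policy; names are illustrative).
required_tier() {
  case "$1" in
    sys-net)               echo net ;;
    banking|purchasing)    echo trusted ;;
    browsing|media|social) echo fusion ;;
    *)                     echo general ;;
  esac
}
# audit: reads "name|template" lines on stdin, prints one VIOLATION line per
# AppVM whose template is in the wrong tier; returns 0 when clean, 1 otherwise.
audit() {
  bad=0
  while IFS='|' read -r name tmpl; do
    [ -z "$name" ] && continue
    [ "$tmpl" = "-" ] && continue          # TemplateVMs have no template
    want=$(required_tier "$name")
    have=$(template_tier "$tmpl")
    if [ "$want" != "$have" ]; then
      echo "VIOLATION: $name runs on $tmpl (tier $have), policy requires tier $want"
      bad=1
    fi
  done
  return $bad
}
# Constructed sample: banking was accidentally left on the fusion template.
SAMPLE='sys-net|fedora-26-net
banking|fedora-26-fusion
work|fedora-26
media|fedora-26-fusion
fedora-26-trusted|-'
printf '%s\n' "$SAMPLE" | audit || echo "template policy violated"
```

On a real system, run `qvm-ls --raw-data --fields NAME,TEMPLATE | audit` from dom0 instead of the constructed sample.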