On Thu, Feb 27, 2020 at 07:40:40PM -0800, Claudio Chinicz wrote:
> Being a non-technical user of Qubes, I'd like to ask the community about the
> benefits of using an additional VM between an AppVM and Sys-Net.
> 
> I do not configure Sys-Firewall and therefore it should be "all" open, right?
> 
> If I were to configure it for a specific purpose, like for a MailVM, I'd have 
> to use 'clones' of Sys-Firewall, one for each specific purpose, correct?
> 
> So, I got confused. Is there a benefit for using Sys-Firewall without
> configuring it?

When you configure firewall rules for e.g. an email VM it is the
sys-firewall that enforces them. This point is critical, since otherwise
if your email VM gets compromised the malware could simply disable or
work around the firewall.

You want your sys-firewall to be separate from sys-net for the same
reason: compartmentalization. 

First of all, your sys-net VM needs to have virt_mode hvm (hardware VM)
because you assign the Wifi and Ethernet controllers to it. The sole
purpose of this VM is to provide connectivity, so even if it gets
compromised through e.g. a WiFi controller firmware issue ... there is
nothing in it of any interest to the attacker.

Ideally, if your traffic is encrypted (https, VPN, tor etc) the attacker
can't even spy on much other than which IPs you are talking to.

"Normal" VMs / qubes have virt_mode pvh which offers better security
(this is where my knowledge gets a little shaky). It is the default
type in Qubes R4.0. But a PVH can't have PCI devices assigned to it.

To recap:

        sys-net: hardware VM with attached network controller
                 sees only traffic, no other information besides your
                 WiFi passwords is stored here

        sys-firewall: PVH, enforces firewall rules for connected VMs
                contains no information other than firewall rules
                gets network from sys-net

        e.g. email VM: PVH, gets network from sys-firewall and has
                       therefore no way around the rules enforced
                       by it.

The firewall rules are properties of your VMs and not available to the
VM itself. 

I hope others will correct me if I got anything wrong.

/Sven

-- 
 public key: https://www.svensemmler.org/0x8F541FB6.asc
fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6
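The chain Sven describes (AppVM -> sys-firewall (PVH) -> sys-net (HVM)) can be checked from dom0 with the stock `qvm-prefs` tool. This is an added example, not part of the original thread: the AppVM name `email` is hypothetical, `pref`/`audit_chain` are helpers written here, and it assumes the Qubes R4.0 CLI where `qvm-prefs VM PROPERTY` prints one property and `qvm-firewall VM list` prints the rules stored for that VM.

```shell
#!/bin/sh
# Added example, not from the original post: run in dom0 to confirm that an
# AppVM's traffic takes the two-hop path described above. "email" is a
# hypothetical AppVM name; sys-net and sys-firewall are the Qubes defaults.

pref() { qvm-prefs "$1" "$2"; }   # dom0 CLI: prints one VM property

# audit_chain APPVM: reports each problem; returns 0 only if all checks pass.
audit_chain() {
    app=$1
    fw=$(pref "$app" netvm)       # hop 1: the VM that enforces $app's rules
    net=$(pref "$fw" netvm)       # hop 2: the VM that owns the NIC
    rc=0
    if [ -z "$net" ] || [ "$net" = "None" ]; then
        echo "FAIL: $app gets network from $fw, which has no upstream VM"
        echo "      (rules for $app would be enforced inside the NIC VM itself)"
        return 1
    fi
    [ "$(pref "$fw" virt_mode)" = "pvh" ] \
        || { echo "FAIL: $fw is not PVH (it should hold no PCI devices)"; rc=1; }
    [ "$(pref "$fw" provides_network)" = "True" ] \
        || { echo "FAIL: $fw does not provide network to other VMs"; rc=1; }
    [ "$(pref "$net" virt_mode)" = "hvm" ] \
        || { echo "FAIL: $net is not HVM, so it cannot own the network controller"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $app -> $fw (pvh, enforces rules) -> $net (hvm, NIC)"
    return "$rc"
}

# Only run the live checks where the Qubes tooling exists (i.e. in dom0).
if command -v qvm-prefs >/dev/null 2>&1; then
    app=${1:-email}
    audit_chain "$app"
    echo "Rules stored as properties of $app (enforced one hop upstream):"
    qvm-firewall "$app" list
fi
```

Because the rules are properties of each AppVM, one shared sys-firewall serves every AppVM behind it; no clone per purpose is needed for that.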
