On 12/05/2012 06:04, John wrote:
Hello, Giles.  I have a couple questions about what you said.

On 5/9/2012 4:08 AM, Giles Coochey wrote:
On 09/05/2012 09:52, Ingo Strüwing wrote:
Hi,

On 09.05.2012 09:29, John wrote:

Hello. Is the environment of my guest OS secluded from the host OS in such a way that, if I get an intrusion or malware problem from the internet on my guest, my host OS would be totally secured from it? For example, if I put a website up on the guest and it gets compromised, can my host be affected? In a worst-case scenario, could I just rebuild the guest, or restore from a clean backup?
IMHO there is no "normal" way to get control over the host from a guest.
But in theory there might perhaps be bugs in the VirtualBox software
that could be exploited.

All my virtual hosts run with Internal Interfaces as far as networking
is concerned, so there is no special network access that the guest has
to the host system.
There is a single interface (the external firewall interface) which is
set to bridged on to the external interface of the host system.
If I understand you correctly, you said that the guest OS is able to see
only the external internet zone and that it has no connection, restricted or
otherwise, configured (or configurable by an exploit) allowing an interface
with your host. In other words, for all practical purposes, it is not part
of your LAN. Is that correct? Also, how is the bridged aspect of it helpful
in this regard and how did you accomplish that?

All hosts, with the exception of the firewall (also virtual) have their interfaces as Internal Virtualbox interfaces. There is no connectivity for these interfaces between the host and the guests.
The firewall WAN interface is bridged to LAN interface of the host.
For all intents and purposes there are a number of systems attached to the switchport that my host system is on. The host system is one of those systems, but there is no accessibility to guest systems via a network stack on the host system itself. Yes the host system appears to be a system on the same network subnet as the firewall WAN interface, but all other systems are behind that from a layer-3 point of view (I run a DMZ, an Application layer and a DB layer behind these, all virtual).

So, for example, host is 192.168.0.2/24, guest firewall WAN interface is 192.168.0.3/24 with a gateway of 192.168.0.1/24. Behind the firewall I can have any topology say 192.168.1.1/24, and hosts from 192.168.1.2-254 all on a Virtualbox Internal interface.

Re - your question about messaging capabilities, this is described in detail in the manual https://www.virtualbox.org/manual/UserManual.html, but I think as an example phpVirtualbox includes use of these types of properties to define whether a guest system boots up when the host boots up. My comment was that Virtualbox can be extended by use of these properties and there is the propensity for their application to be exploited if they are not adopted in a secure manner.
--
Best Regards,
Giles Coochey, CCNA Security, CCNA
NetSecSpec Ltd
[email protected]
Tel: +44 (0) 7983 877 438
Live Messenger: [email protected]
http://www.netsecspec.co.uk
http://www.coochey.net

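The isolation Giles describes above rests on one configuration fact: only the firewall VM has a bridged adapter, and every other VM has adapters only on VirtualBox internal networks. The script below is an added example, not code from this thread or from VirtualBox, that audits that fact from the output of `VBoxManage showvminfo --machinereadable`. It flags any VM that has a NIC in `nat`, `hostonly` or `natnetwork` mode (all of which give the guest a path into the host's network stack) and any non-firewall VM with a `bridged` NIC. The VM names (`fw`, `db1`, `web1`), the `FIREWALL_VM` variable and the sample `showvminfo` excerpts are constructed for offline use.

```shell
#!/bin/sh
# Added example, not code from the thread or from VirtualBox.
# Audits VirtualBox NIC modes for the topology in the thread: only the
# firewall VM may carry a bridged adapter; every other VM may only have
# adapters on VirtualBox internal networks (or disabled ones). nat, hostonly
# and natnetwork adapters all give a guest a path into the host's network
# stack, so they are flagged for every VM.
#
# Input is the text printed by:  VBoxManage showvminfo --machinereadable <vm>
# which contains lines such as   nic1="bridged"  nic2="intnet"  nic3="none".
# VM names and the sample outputs below are constructed for offline use.

# audit_vm ROLE   (ROLE is "firewall" or "internal"; showvminfo text on stdin)
# Prints "ok", or one "violation: nicN=MODE" line per forbidden adapter.
audit_vm() {
    role=$1
    bad=""
    # Reduce nicN="MODE" lines to "N MODE"; other keys (nictype1, intnet2,
    # bridgeadapter1, ...) do not match because a digit must follow "nic".
    modes=$(sed -n 's/^nic\([0-9][0-9]*\)="\([^"]*\)"$/\1 \2/p')
    while read -r n mode; do
        [ -n "$mode" ] || continue
        case "$role:$mode" in
            *:none|*:intnet|firewall:bridged) ;;   # permitted for this role
            *) bad="${bad}violation: nic${n}=${mode}
" ;;
        esac
    done <<EOF
$modes
EOF
    if [ -z "$bad" ]; then echo ok; else printf '%s' "$bad"; fi
}

# Constructed showvminfo excerpts (only the lines the audit cares about).
FW_INFO='name="fw"
nic1="bridged"
bridgeadapter1="eth0"
nictype1="82540EM"
nic2="intnet"
intnet2="dmz"
nic3="intnet"
intnet3="app"
nic4="none"'

DB1_INFO='name="db1"
nic1="intnet"
intnet1="db"
nic2="none"'

# Misconfigured: a NAT adapter was added "for updates", which gives the
# guest a route through the host's stack that bypasses the firewall VM.
WEB1_INFO='name="web1"
nic1="nat"
nic2="intnet"
intnet2="dmz"'

# Live usage (needs VBoxManage; not exercised here): audit every registered
# VM, treating $FIREWALL_VM (default "fw") as the firewall.
audit_all() {
    VBoxManage list vms | sed 's/^"\([^"]*\)".*/\1/' | while read -r vm; do
        role=internal
        if [ "$vm" = "${FIREWALL_VM:-fw}" ]; then role=firewall; fi
        printf '%s: ' "$vm"
        VBoxManage showvminfo --machinereadable "$vm" | audit_vm "$role"
    done
}

# Offline demonstration on the constructed samples.
printf 'fw:   '; printf '%s\n' "$FW_INFO"   | audit_vm firewall
printf 'db1:  '; printf '%s\n' "$DB1_INFO"  | audit_vm internal
printf 'web1: '; printf '%s\n' "$WEB1_INFO" | audit_vm internal
```

On a real host, `FIREWALL_VM=fw ./audit.sh` followed by a call to `audit_all` walks every registered VM; anything other than `ok` next to a non-firewall VM means that guest is not confined to the internal networks and could reach the host's own network stack directly.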

_______________________________________________
VBox-users-community mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/vbox-users-community
