Hi John, Am 12.05.2012 02:37, schrieb John:
> Hello, Ingo. I appreciated your reply, and I have a couple of questions. > > "Ingo Str�wing" <[email protected]> wrote in > message news:[email protected]... >> Hi, >> >> Am 09.05.2012 09:29, schrieb John: >> >>> Hello. Is the environment of my guest OS secluded from the host OS in >>> such a >>> way that, if I get an intrusion or malware problem from the internet on >>> my >>> guest, my host OS would be totally secured from it? For example, if I put >>> a >>> website up on the guest and it gets compromised, can my host be affected? >>> In >>> a worse case scenario, could I just rebuild the guest, or restore from a >>> clean backup? >> >> >> IMHO there is no "normal" way to get control over the host from a guest. >> But in theory there might perhaps be bugs in the VirtualBox software >> that could be exploited. >> >> To minimize the risk, one could *not* install guest additions. That >> would avoid possible exploits through shared folders, shared clipboard, >> or mouse integration. > > Aren't the guest additions added separately for each VM. I mean, using > VirtualBox to create one VM on which I may have installed one guest OS and > guest addition does not make that same guest addition available to another > guest OS, included among those which may be seen on the left panel as > separately configured VMs. That is, I think these guest additions, like the > VMs themselves, are mutually exclusive. Is that not so? Yes, I believe, you mean the right thing. I'm just not sure about "mutually exclusive". The guest additions are installed separately in each VM. Installing them in one VM does not exclude them from being installed in another VM too. So there is no mutual exclusivity IMHO. Normally I recommend to install guest additions in all VMs. But if you are very much concerned about security of a certain VM, and you can live without guest additions in that particular VM, then you may consider not to install guest additions in that VM. I have no idea how likely it is that VirtualBox guest additions could be vulnerable to abuse. I just say that there could be a theoretical possibility for that, and if one can live without guest additions in a particular VM, one could exclude that possible threat. Of course you can continue to install guest additions in all other VMs. That should not add any vulnerability to your secure VM. > >> >> But you will likely not want to disable guest networking. And such >> networking might be the main risk for possible exploits. This does not >> even need bugs in VirtualBox software, but might also be done through >> bugs in the host network stack. Let alone a possible insecure network >> setup on the host (open ports, imperfect netfilter rules, ...). After >> all the VM will be in a LAN. A compromised machine in a LAN is a danger >> to all machines in it. One could try to put the VM in a VLAN, which >> makes a "demilitarized zone". But it's still difficult to promise that >> this would lock out every attacker. > > I like this idea for sure. Where can I get more information about setting up > the VLAN for one of my VMs? Wikipedia has a nice introduction to the topic ("VLAN"). I must admit that I didn't setup a VLAN myself yet. I just know the concept. The baseline is that you need a VLAN-capable network hardware, e.g. a VLAN-capable switch. If your computer has just one network interface, you could base the VLAN on MAC addresses, since the VM and the host have different mac addresses in bridged networking. Unfortunately, mac addresses can be forged. A VLAN, base on MAC addresses (also called a dynamic VLAN) is not is not as secure as a static VLAN, which is based on switch ports. For a statc VLAN you would need two network interfaces in your computer, bridge the VM to one of them and use the other for the host. That may require proper netfilter rules to keep the interfaces apart. But then, having different network interfaces for the different machines, one could also create two LANs instead of two VLANs, which may be less effort in a small setup. Please understand that these are just ideas. They may serve as starting points for further investigation. I don't claim to be a security or network expert. I just dare to claim that you can decrease the risk of a break-in with a VM (over separating the applications in the host directly), but you can never rule it out completely. Finally it depends on your personal readiness to take risks and the sensitivity of the data that are stored on the host and the other VMs. Regards Ingo > >>> >>> In such an event, where the guest was compromised and I wanted to restore >>> a >>> backup, would the whole VM have to be reinstalled, or would I only have >>> to >>> replace all of the contents of one folder, namely, as in Windows, >>> %userprofile%\VirtualBox VMs\guest-name\? Thanks. >> >> >> IMHO it would be sufficient to copy back a known good virtual disk image. >> >> Regards >> Ingo >> >> >> >> ------------------------------------------------------------------------------ >> Live Security Virtual Conference >> Exclusive live event will cover all the ways today's security and >> threat landscape has changed and how IT managers can respond. Discussions >> will include endpoint security, mobile security and the latest in malware >> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > > > > > > > ------------------------------------------------------------------------------ > Live Security Virtual Conference > Exclusive live event will cover all the ways today's security and > threat landscape has changed and how IT managers can respond. Discussions > will include endpoint security, mobile security and the latest in malware > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > > > > _______________________________________________ > VBox-users-community mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/vbox-users-community ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ VBox-users-community mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/vbox-users-community
