Inter-VM and Host isolation [How to]

This is for discussing general topics about how to use VirtualBox.
vingal
Posts: 8
Joined: 21. Sep 2022, 10:40

Inter-VM and Host isolation [How to]

Post by vingal »

Looking for a solution to be able to prevent malware spreading between VMs and also prevent spreading to Host.

Each VM will be used to test applications which may be malicious, and that DO require an internet connection.

Some initial ideas thoughts and questions:
1) does it make sense to connect all VMS to a virtualized OPNsense to prevent them from talking to each other and to host but provide access out to internet ?
2) Is there a way to pass through dedicated drives for each VM or a way to segment partitions to prevent malware spreading from one vm to another ?
3) Host protections not sure how to isolate the host?
3) Memory is a shared asset, is there anyway to protect volatile memory amongst VMs ?
4) I am sure there is a lot I am missing, any ideas, and is what I require beyond the capabilities of Virtualbox or is it at all possible.

Hopefully this thread will be a repository of information to others looking to achieve the same thing, I will do my best to post my findings and results of my experimentation but would like your input.

Please let me know what is the best way to achieve the desired result to prevent malware from spreading to host or other vms ?

Thanks you.
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Inter-VM and Host isolation [How to]

Post by mpack »

VMs are deaf mutes by default. They can only communicate with each other and with the host if you allow it.

If you use NAT networking then the VMs can access the Internet, but not the host or each other. This is especially true if you only visit https sites, as that prevents packet contents being sniffed as they pass.

Another option is bridged networking, but only to a guest network on your router. However in that case all VMs on the guest network can see each other if they run at the same time: is that really a concern?

Malware doesn't propagate by magic spells: you have to help it along. So a sensible person doesn't. E.g. don't keep executable files in shared folders.
vingal
Posts: 8
Joined: 21. Sep 2022, 10:40

Re: Inter-VM and Host isolation [How to]

Post by vingal »

mpack wrote:VMs are deaf mutes by default. They can only communicate with each other and with the host if you allow it.

If you use NAT networking then the VMs can access the Internet, but not the host or each other. This is especially true if you only visit https sites, as that prevents packet contents being sniffed as they pass.

Another option is bridged networking, but only to a guest network on your router. However in that case all VMs on the guest network can see each other if they run at the same time: is that really a concern?

Malware doesn't propagate by magic spells: you have to help it along. So a sensible person doesn't. E.g. don't keep executable files in shared folders.
Thanks for replying, carefully read your response but I am not sure it effectively solves my situation, couple of quick points below:

-In Nat => even is VMs cant talk, any VM can access the host in this mode
-If Host and VMs all use the same hard drive, what prevents on VM from propagating malware to another VM or onto the host
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Inter-VM and Host isolation [How to]

Post by mpack »

vingal wrote: -In Nat => even is VMs cant talk, any VM can access the host in this mode
Why do you think the host can be accessed in NAT mode?
vingal wrote: -If Host and VMs all use the same hard drive, what prevents on VM from propagating malware to another VM or onto the host
Host and VMs do not use the same hard drives. VMs use their own virtual hard drives via a virtual disk controller - they have no access to host drives. The reverse is also true. What is the mechanism you imagine exists which can copy files between PCs (virtual and physical) without your permission and action?
vingal
Posts: 8
Joined: 21. Sep 2022, 10:40

Re: Inter-VM and Host isolation [How to]

Post by vingal »

mpack wrote:
vingal wrote: -In Nat => even is VMs cant talk, any VM can access the host in this mode
Why do you think the host can be accessed in NAT mode?
vingal wrote: -If Host and VMs all use the same hard drive, what prevents on VM from propagating malware to another VM or onto the host
Host and VMs do not use the same hard drives. VMs use their own virtual hard drives via a virtual disk controller - they have no access to host drives. The reverse is also true. What is the mechanism you imagine exists which can copy files between PCs (virtual and physical) without your permission and action?

1. For the first point, you can ping the host, from a VM but you cannot ping a VM from the host. VM can talk to host, quite concerning NAT mode.
2. Thanks for pointing that out, I had no idea that on VM has absolutely no way to write a malicious file to another. Where is the permissioning? How can it be prevented from writing to the host hard drive ? How can it not leak from volatile memory between all ?
3. Hyperjacking prevention? Seen some video of people executing malware in virtualbox and it being detected by the host operating system on this hosts system, what setting prevent this from occurring ?
4. For the network portion, would a possible solution to ensure isolation be running a virtualised pfsense/opnsense to manually handle the double nat and talk?
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Inter-VM and Host isolation [How to]

Post by scottgus1 »

I won't stick in too much into my colleague Mpack's ongoing assistance, but I will point out that yes, the VM can access the host and the physical LAN through NAT via the IP addresses of the host and LAN devices. This is because NAT acts like a router: the VM is on the LAN side of NAT, and the host & physical LAN are on the WAN side of NAT. All traffic originating from the LAN side of a router gets through to the WAN side. So if the host or physical LAN has a service open, the VM can access it via its IP address & port, and how much malware activity can get through depends on the service capabilities.

Please see Virtualbox Networks: In Pictures: "Sandbox" to have a VM setup that is blocked from the host & physical LAN, but can get internet.
vingal
Posts: 8
Joined: 21. Sep 2022, 10:40

Re: Inter-VM and Host isolation [How to]

Post by vingal »

scottgus1 wrote:I won't stick in too much into my colleague Mpack's ongoing assistance, but I will point out that yes, the VM can access the host and the physical LAN through NAT via the IP addresses of the host and LAN devices. This is because NAT acts like a router: the VM is on the LAN side of NAT, and the host & physical LAN are on the WAN side of NAT. All traffic originating from the LAN side of a router gets through to the WAN side. So if the host or physical LAN has a service open, the VM can access it via its IP address & port, and how much malware activity can get through depends on the service capabilities.

Please see Virtualbox Networks: In Pictures: "Sandbox" to have a VM setup that is blocked from the host & physical LAN, but can get internet.
Appreciate the message clarifying how virtual routing actually happens.

Do you have any advice on my original question or advice if it is at all possible to accomplish what I want with Virtualbox, or if I would really require other software ?

[For reference the original question/goal is to have multiple VMs that can reach out to the internet, will likely encounter malware at some point based on their use, but want to eliminate spread of malware to other VMs and to Host]
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Inter-VM and Host isolation [How to]

Post by scottgus1 »

vingal wrote:multiple VMs that can reach out to the internet, will likely encounter malware at some point based on their use, but want to eliminate spread of malware to other VMs and to Host]
For each VM that you'd want to be internet-connected but blocked from all other VMs & host LAN, use a separate "Sandbox" setup:

Host >bridged> firewalled pfSense VM A >internalA> Malware VM A
Host >bridged> firewalled pfSense VM B >internalB> Malware VM B
etc...

Note that the key to Sandbox letting in internet but blocking access to the other VMs and the host & LAN is the outbound firewall rule in the pfSense VMs. Without the firewall rules, the pfSense VMs would behave just like NAT. (NAT does not have provision for such firewall rules, which is why Sandbox needs the router OS VM.)
vingal
Posts: 8
Joined: 21. Sep 2022, 10:40

Re: Inter-VM and Host isolation [How to]

Post by vingal »

scottgus1 wrote:
vingal wrote:multiple VMs that can reach out to the internet, will likely encounter malware at some point based on their use, but want to eliminate spread of malware to other VMs and to Host]
For each VM that you'd want to be internet-connected but blocked from all other VMs & host LAN, use a separate "Sandbox" setup:

Host >bridged> firewalled pfSense VM A >internalA> Malware VM A
Host >bridged> firewalled pfSense VM B >internalB> Malware VM B
etc...

Note that the key to Sandbox letting in internet but blocking access to the other VMs and the host & LAN is the outbound firewall rule in the pfSense VMs. Without the firewall rules, the pfSense VMs would behave just like NAT. (NAT does not have provision for such firewall rules, which is why Sandbox needs the router OS VM.)
Can I pull this off with a virtualized Pfsense in Virtualbox, or baremetal pfsense?
Is the virtual box router vlan aware ?

I like the suggestion, just thinking about how to implement it. Any ideas ?
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Inter-VM and Host isolation [How to]

Post by scottgus1 »

vingal wrote:Can I pull this off with a virtualized Pfsense in Virtualbox
Yes, the pfSense can run in a VM.
vingal wrote:Is the virtual box pfSense router vlan aware ?
I don't know this one. You'd have to check what pfSense will do on this. Virtualbox should pass along VLAN traffic with all the rest.
vingal
Posts: 8
Joined: 21. Sep 2022, 10:40

Re: Inter-VM and Host isolation [How to]

Post by vingal »

scottgus1 wrote:
vingal wrote:Can I pull this off with a virtualized Pfsense in Virtualbox
Yes, the pfSense can run in a VM.
vingal wrote:Is the virtual box pfSense router vlan aware ?
I don't know this one. You'd have to check what pfSense will do on this. Virtualbox should pass along VLAN traffic with all the rest.
Not sure why virtualbox was crossed out.

What I meant, in a nutshell, was how do I implement what you put in your first response ?

----Host >bridged> firewalled pfSense VM A >internalA> Malware VM A
----Host >bridged> firewalled pfSense VM B >internalB> Malware VM B

With a bare metal install wouldnt I have to passthrough several physical NICs, one for each vm ? Not seeing what you mean.

With a virtualised pfsense appliance done as a VM in virtualbox, is this even possible ?

Help me understand better what exactly you mean for implementing the chart you put above. Pls and Thx.
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Inter-VM and Host isolation [How to]

Post by scottgus1 »

I crossed out Virtualbox because it's up to pgSense to handle the VLANs. Virtualbox only provides the network 'hardware'.
vingal wrote:how do I implement what you put in your first response ?
Have you seen the Sandbox tutorial?
vingal
Posts: 8
Joined: 21. Sep 2022, 10:40

Re: Inter-VM and Host isolation [How to]

Post by vingal »

scottgus1 wrote:I crossed out Virtualbox because it's up to pgSense to handle the VLANs. Virtualbox only provides the network 'hardware'.
vingal wrote:how do I implement what you put in your first response ?
Have you seen the Sandbox tutorial?

No, would you please direct me to that sandbox tutorial I am quite curious.
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Inter-VM and Host isolation [How to]

Post by scottgus1 »

I posted the link above, and you quoted the section with the link.
vingal
Posts: 8
Joined: 21. Sep 2022, 10:40

Re: Inter-VM and Host isolation [How to]

Post by vingal »

scottgus1 wrote:I posted the link above, and you quoted the section with the link.
Read the prior link, it is a way to handle network segregation.

To complete the sandbox there would have to be a way to prevent disk writes to be sure that nothing mallicious can move from one vm to another or the host.
Post Reply