Networking Safety: NAT or Bridged

DNS
Posts: 107
Joined: 2. May 2011, 00:16
Primary OS: MS Windows 7
VBox Version: PUEL
Guest OSses: xp win7

Networking Safety: NAT or Bridged

Post by DNS »

Hi,

I want to safely test drive-by domains in an XP VM. The issue here is I want to be able to avoid cross infection with the host while at the same time, connect the VM to the internet.

I disagree with anyone who says 'treat your VM like a real machine and install AV+firewall'; this defeats the purpose of having a VM for testing suspicious code. Such an approach is out of the question and doesn't answer the topic. The idea here is the peace of mind of VirtualBox acting as a robust sandbox that successfully isolates what's inside and also its ability to quickly revert changes.

I have read numerous posts that give very conflicting information and 'opinions' on which networking method is safest: (NAT or Bridged). I hope to be able to get to the bottom of this once and for all with your help and leave this as a future reference to anyone having the same questions. Please only post if you have solid FACTS and experience concerning this. It's not supposed to be a debate, so I only prefer feedback from knowledgeable folks on this subject.

In your post, please describe the difference in the way they function and answer these questions below:

1- Which (NAT or Bridged) is safer and why?
2- How would I configure it to work that way?
3- Is NAT a 2 way firewall that stops the host and its network from communicating with guest and vice versa?
4- And if so, how effective is it? --Note that I am not interested in theoreticals such as 'everything can be bypassed', if it's extremely unlikely then that will suffice.

Thanks for your time.
Sasquatch
Volunteer
Posts: 17798
Joined: 17. Mar 2008, 13:41
Primary OS: Debian other
VBox Version: PUEL
Guest OSses: Windows XP, Windows 7, Linux
Location: /dev/random

Re: Networking Safety: NAT or Bridged

Post by Sasquatch »

I'd say bridged is better, because if you have a decent firewall on the Host that blocks incoming connections as well, instead of applications trying to act as a server (which the default Windows firewall does), you would be protected from an attack from the VM. With NAT, traffic going from the VM to the Host, if the right IP address is used, would look like localhost traffic. That's the kind most firewalls don't block.
Now you still need to have the right firewall software, as some prevent the use of Bridged, filter bridged traffic or cause other strange things.

How to configure it is described in the User Manual, chapter 6.

NAT in VB is very similar to your own router. Is that a two way firewall? No, it isn't, because it allows uncontrolled outgoing traffic which can set up a connection to a remote server and accept incoming traffic through that connection (like accessing a webserver to view a website). The only two-way firewall is an advanced firewall that can block all outgoing traffic unless specified, like specialized hardware firewalls (like a Cisco PIX) and software firewalls.

Its effectiveness is as good as the weakest link. Your Host is Windows 7, so the virus can use any vulnerability available in the system to attack the Host. NAT does give one advantage, your physical network is not directly exposed, so other machines may very well stay off the radar.

Still, if you want to be as safe as possible, I would not use Windows as Host for this, unless you have a way to isolate the VM completely by using a separate physical network with its own internet uplink. You could set up a software router that only provides internet uplink on your physical network using VLAN tagging or wifi (use a USB device for example) or a physical uplink while disabling any network capabilities on the Host side for that interface.
Read the Forum Posting Guide before opening a topic.
VirtualBox FAQ: Check this before asking questions.
Online User Manual: A must read if you want to know what we're talking about.
Howto: Install Linux Guest Additions
Howto: Use Shared Folders on Linux Guest
See the Tutorials and FAQ section at the top of the Forum for more guides.
Try searching the forums first with Google and add the site filter for this forum.
E.g. install guest additions site:forums.virtualbox.org

Retired from this Forum since OSSO introduction.
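
The attachment modes discussed in this thread can be checked per VM from the output of `VBoxManage showvminfo <vm> --machinereadable`. The following is an added example, not part of the original posts or of VirtualBox itself; the sample output and adapter names are constructed, and the exposure notes only restate what the posters in this thread say about each mode.

```python
import re

# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable` output.
SAMPLE = '''\
name="xp-test"
nic1="bridged"
bridgeadapter1="Wireless NIC (constructed name)"
cableconnected1="on"
nic2="hostonly"
hostonlyadapter2="VirtualBox Host-Only Ethernet Adapter"
cableconnected2="off"
nic3="none"
'''

# What each attachment mode exposes, as described by the posters in this thread.
EXPOSURE = {
    "nat": "LAN not directly exposed; guest-to-host traffic can look local to the host firewall",
    "bridged": "guest sits on the physical LAN; the host firewall must block inbound connections",
    "hostonly": "direct guest<->host link; only does something while a guest uses it",
}

def parse(text):
    """Parse key="value" lines (keys may be quoted too) into a dict."""
    info = {}
    for line in text.splitlines():
        m = re.match(r'^"?([^"=]+)"?=(.*)$', line.strip())
        if m:
            info[m.group(1)] = m.group(2).strip('"')
    return info

def audit_nics(text):
    """Return (slot, mode, host_adapter, cable_connected, note) per configured NIC."""
    info = parse(text)
    findings = []
    for key, mode in info.items():
        m = re.fullmatch(r"nic(\d+)", key)
        if not m or mode == "none":
            continue  # not a NIC key, or the slot is unused
        slot = m.group(1)
        adapter = info.get(f"bridgeadapter{slot}") or info.get(f"hostonlyadapter{slot}")
        connected = info.get(f"cableconnected{slot}") == "on"
        note = EXPOSURE.get(mode, "mode not discussed in this thread")
        findings.append((int(slot), mode, adapter, connected, note))
    return sorted(findings, key=lambda f: f[0])

if __name__ == "__main__":
    for slot, mode, adapter, connected, note in audit_nics(SAMPLE):
        state = "connected" if connected else "cable unplugged"
        print(f"NIC {slot}: {mode} ({adapter or 'no host adapter'}, {state}) -> {note}")
```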
DNS

Re: Networking Safety: NAT or Bridged

Post by DNS »

I went ahead and selected 'bridged adapter' from the Attach menu and it's set to use my host's wireless NIC. So am I doing this right?
When starting the XP VM I can connect to the internet fine. How would I configure my host's software firewall to specifically take care of incoming connections? I use Comodo Firewall (latest ver. 5.5.XX)

I am not worried about other PCs on this network as I have installed this software firewall and disabled file/printer sharing on them.
Leak
Posts: 242
Joined: 31. Mar 2009, 13:00
Primary OS: MS Windows 7
VBox Version: PUEL
Guest OSses: Debian Testing, Windows XP, Windows Server 2003/2008 R2

Re: Networking Safety: NAT or Bridged

Post by Leak »

Sasquatch wrote: Now you still need to have the right firewall software, as some prevent the use of Bridged, filter bridged traffic or cause other strange things.

A good way to test this is using the EICAR anti-malware test file, which is a harmless 68-byte executable that every virus scanner should flag just like other viruses. If you get alerted on your host but can download it with no problems in your VM you should be set...
Sasquatch

Re: Networking Safety: NAT or Bridged

Post by Sasquatch »

DNS wrote: I went ahead and selected 'bridged adapter' from the Attach menu and it's set to use my host's wireless NIC. So am I doing this right?
When starting the XP VM I can connect to the internet fine. How would I configure my host's software firewall to specifically take care of incoming connections? I use Comodo Firewall (latest ver. 5.5.XX)

I am not worried about other PCs on this network as I have installed this software firewall and disabled file/printer sharing on them.
That question is better asked at the Comodo forums. Maybe the help file has your answer. From my knowledge, the firewall should block any unknown connections towards the system. If a service is running on a port, e.g. 80 for your webserver, then any connection on port 80 could be an attack.
I haven't used a software firewall in some time, so I'm a bit rusty on that matter.
DNS

Re: Networking Safety: NAT or Bridged

Post by DNS »

Thank you very much, I'm all set now. Comodo does indeed block any connection from the outside by default. I've also set it to port stealth so that should handle any services that I haven't disabled.

I have one last question. Should I disable the 'Host-Only networking' for more security? Should I just remove it completely to be more safe instead?
Sasquatch

Re: Networking Safety: NAT or Bridged

Post by Sasquatch »

Host-Only only does something when it's used by a Guest. It doesn't do anything on its own, so you can leave it as it is if you want.
DNS

Re: Networking Safety: NAT or Bridged

Post by DNS »

For kicks I tried something:
I just noticed that when I ping the host with NAT chosen and Host Only NIC disabled, I get timeouts instead of replies like normally happened before. But the guest OS's internet still works.

So NAT relies in part on the Host only adapter? Just trying to understand how things work. Thanks again.
BillG
Volunteer
Posts: 5102
Joined: 19. Sep 2009, 04:44
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 10,7 and earlier
Location: Sydney, Australia

Re: Networking Safety: NAT or Bridged

Post by BillG »

DNS wrote: For kicks I tried something:
I just noticed that when I ping the host with NAT chosen and Host Only NIC disabled, I get timeouts instead of replies like normally happened before. But the guest OS's internet still works.

So NAT relies in part on the Host only adapter? Just trying to understand how things work. Thanks again.
No, NAT and host only are independent. It looks like your ping from host to guest was using the host only adapter before.
Bill
Sasquatch

Re: Networking Safety: NAT or Bridged

Post by Sasquatch »

Either that, or the Host is configured to not respond to ICMP Echo requests (ping). The latter is more likely.