Security and Segregation of VMs

[FiNaR]

Hi All,

New here and quite new to VirtualBox too, therefore I do apologize in advance if my question is silly...

I am planning to setup VirtualBox for personal use as home on top of Ubuntu and I would need to set three VMs:

• VM1 (Windows 10) not accessible outside the LAN
• VM2 (Windows 10) not accessible outside the LAN
• VM3 (Windows 10) accessible outside the LAN (via Internet)

This seems to be straight forward but I was wondering how to ensure security and segregation between the host and each VM....

My wish-list would state:

• If I get a virus on Ubuntu (the host), how can I ensure no other images gets affected?
• If I get a virus on VM1, how can I ensure no other images gets affected?
• If I get a virus on VM2, how can I ensure no other images gets affected?
• If I get a virus on VM3, how can I ensure no other images gets affected?
• If a hacked access VM3 (the only one that should be accessible via internet) how can I ensure they are not going to "browse and compromise" data stored in other machines (Ubuntu, VM1 and VM2)?
• how can I ensure Ubuntu, VM1 and VM2 are not accessible via internet? (it is just a Router configuration or also the hypervisor needs some custom settings?)

Thank you all

Ivan

[scottgus1]

• VM1 (Windows 10) not accessible outside the LAN
• VM2 (Windows 10) not accessible outside the LAN

If these are to have no connectivity to other PCs as well, don't attach any network in them at all. If you wanted to have LAN access to these guests but just no internet, then you would use your house router's Access Restrictions or Parent Controls or whatever it calls it to block internet to the OS network name, network adapter MAC address, or network adapter static IP address.

how can I ensure Ubuntu...not accessible via internet

This would also be done with the router's Access Restrictions.

• VM3 (Windows 10) accessible outside the LAN (via Internet)

The easiest way to do this is to set the guest's network adapter to NAT. NAT acts like a router: complete access one way, access through manually-opened ports the other way. The guest will be able to access anything on the LAN or the internet. LAN devices can access the guest OS only if you open ports to allow such access. If you want to have only this guest accessing the internet and keep the host off the LAN too, let us know, there is a way.

If a hacked access VM3 (the only one that should be accessible via internet) how can I ensure they are not going to "browse and compromise" data stored in other machines (Ubuntu, VM1 and VM2)?

Don't have a complete network to the other guests or the Ubuntu host. Instead, use Guest Additions Shared Folders, which are only for file transfer, when you need to transfer a file, then delete the GASF afterward.

Viruses in a guest will stay in the guest, unless you open channels for the guest to communicate with other OS's with a network. If you have no network between one guest and the rest of the OS's, it is highly unlikely that viruses will jump to other guests. Viruses on the host, though, are a different matter. A properly-crafted host virus could get into the guests. So the host needs to be kept clean.

Best to run full antivirus in any OS that will connect to the internet: for your setup, VM3. I might also have manual-scan antimalware in the other OSs, just for a double-check every so often. Use VM3 to get database updates for the antimalware in the other OS's, and do full scans and hash checks on the database updates before letting them into the other OS's.

Additionally, if you do have a network, you don't run executable programs from one OS in another OS, then viruses most likely will not spread. Of course, doing such in real life somewhat defeats the purpose of a network. So

[multiOS]

If all Guests are Windows 10 then they will each have perfectly adequate Security software built in, which will be automatically fully activated at installation, unless any of the features are disabled by the user. The key area to focus on will, presumably, be the security of the Host Ubuntu system.

[socratis]

If I get a virus on (...), how can I ensure no other images gets affected?

Do not network them, do not share files between them, isolate then.

Of course I can't help wondering how you're going to get the virus in the VM if the VM is isolated. Are the VMs going to have Internet access? And if so, which mode are you going to use? NAT, NATservice or Bridged?

Read the following from the User Manual, Introduction to networking modes including the Overview table, which shows quickly what kind of connection is required to achieve what you want. And remember, you can always have more than one network card in your guest to cover multiple scenarios.

[FiNaR]

• VM1 (Windows 10) not accessible outside the LAN
• VM2 (Windows 10) not accessible outside the LAN

If these are to have no connectivity to other PCs as well, don't attach any network in them at all. If you wanted to have LAN access to these guests but just no internet, then you would use your house router's Access Restrictions or Parent Controls or whatever it calls it to block internet to the OS network name, network adapter MAC address, or network adapter static IP address.

By "not accessible via Internet", I meant that I should not be able to access them with Remote Desktop... but yes, they would need Internet Access, therefore I would need LAN Access...

how can I ensure Ubuntu...not accessible via internet

This would also be done with the router's Access Restrictions.

I guess I would need also some setting on Ubuntu side... right? or only the router firewall/zoning will do?

• VM3 (Windows 10) accessible outside the LAN (via Internet)

The easiest way to do this is to set the guest's network adapter to NAT. NAT acts like a router: complete access one way, access through manually-opened ports the other way. The guest will be able to access anything on the LAN or the internet. LAN devices can access the guest OS only if you open ports to allow such access. If you want to have only this guest accessing the internet and keep the host off the LAN too, let us know, there is a way.

Thank you I would look into this...

If a hacked access VM3 (the only one that should be accessible via internet) how can I ensure they are not going to "browse and compromise" data stored in other machines (Ubuntu, VM1 and VM2)?

Don't have a complete network to the other guests or the Ubuntu host. Instead, use Guest Additions Shared Folders, which are only for file transfer, when you need to transfer a file, then delete the GASF afterward.

this is good! what about having also four physical HD attached to each image? (is it silly?)

[FiNaR]

If I get a virus on (...), how can I ensure no other images gets affected?

Do not network them, do not share files between them, isolate then.

neing a newbie, I am not too sure how to "isolate them" silly thought: having multiple HDs (physical) and multiple LAN cards (physical) does it make it "more secure"

Of course I can't help wondering how you're going to get the virus in the VM if the VM is isolated. Are the VMs going to have Internet access? And if so, which mode are you going to use? NAT, NATservice or Bridged?

each VM has internet access, but only VM3 will be accessible via internet

Read the following from the User Manual, Introduction to networking modes including the Overview table, which shows quickly what kind of connection is required to achieve what you want. And remember, you can always have more than one network card in your guest to cover multiple scenarios.

thank you for this

[scottgus1]

each VM has internet access, but only VM3 will be accessible via internet

By "not accessible via Internet", I meant that I should not be able to access them with Remote Desktop... but yes, they would need Internet Access,

OK, so each guest would be connected through NAT or "NAT network". They are slightly different setups.

If you want the guests to talk to each other as well as the internet, use "NAT network". NAT network (manual section 6.4) is like a house router, with a WAN port that connects to your physical PC's network, and a set of LAN ports, one for each guest you desire to connect to the network. Each guest will get an IP address from the NAT network's DHCP server, or you can turn that off and use static IPs in the NAT network IP range. See the main Virtualbox window, File menu, Preferences, Network. Connect guest network cards using the NAT network's name. You can open ports to any desired guest through the NAT network. Internet traffic coming to the host PC on those ports will divert into the desired guest OS.

If you want each guest independently accessing the internet but not able to talk to each other, use "NAT" on each guest. NAT is "NAT network"'s older cousin. NAT is also like a house router, but with only one LAN port, and it can communicate only with the one network card it is attached to in the guest, nothing else. You can access internet and port forward into the guest with NAT just like with NAT network. However, each guest cannot talk to the other guests unless you put another network card into the guests. Each guest will get the same IP address, 10.0.2.15, and Virtualbox will keep track of which is which when routing internet traffic.

Keep in mind that to the NAT or NAT-networked guests, the host and LAN are just more PCs on the internet, and the guest will be able to get to the host PC's services & shared folders, as well as other things on the host's LAN, via IP addresses. The host PC and the LAN can't get to the guests unless you open ports.

Keeping the Ubuntu host off the internet is done in the router. You might have to set a static IP in Ubuntu, in the IP range that the router handles, if the router cannot block internet by the Ubuntu PC's MAC address or network name.

four physical HD attached to each image?

four raw-disk-access drives for each guest? That sounds like a really well-provisioned host PC!
Ask in a different new post about doing raw disk access.

having multiple HDs (physical) and multiple LAN cards (physical) does it make it "more secure"

More secure, no, not really. Raw disk access is just another way to have the guest store its data. It isn't more or less secure. More info can be had if you want, in the other post on raw disk.

[socratis]

neing a newbie, I am not too sure how to "isolate them"

Long story short... if you use any sort of networking so that the VMs can "talk" to each other, then you're vulnerable to attacks. There's no isolation in the network world, it's the opposite of talking to each other.