New Network mode: Sandbox

Here you can provide suggestions on how to improve the product, website, etc.
Post Reply
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

New Network mode: Sandbox

Post by scottgus1 »

In these threads: (viewtopic.php?f=1&t=51720&p=236874 and viewtopic.php?f=1&t=51495) I discovered that which is already known by everyone else: that there is presently no way to sandbox a web-browsing guest, that is, allow the guest to have internet access but prevent access to any networked resources on the host's network. All the network modes provided by Virtualbox that give internet access to the guest, even NAT, allow access by the guest to some portion of the host's network in some way.

Problem is, some folks want to try to use Virtualbox as a sandbox to test viruses, based on my searches of the forum, and some want to browse the web in a guest but keep their host clear of internet access. The ease of backing up a VM in Virtualbox makes such uses really attractive. I want to allow remote users of our company's software to get into guests from the internet, but to not have access to our work network. Since internet-enabled guests can get to the host's network, these scenarios aren't safely possible.

Of course there are safe practices for use of computers that can mitigate the risks of having a virus in the guest get itself on the host. And one could just get two internet connections if one wants that extra expense (my boss certainly isn't going to pay for another one).

I think it would really add to Virtualbox's already exceptional (and much depended on by me) value to have a "Sandbox" mode in the Network settings' "Attached To" dropdown. This mode would drill a hole to the internet like NAT does, but it would not allow the guest to have any access to anything except for the internet. Any attempts by the guest to access local network IPs through the Sandbox network connection would get blocked.
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: New Network mode: Sandbox

Post by scottgus1 »

This was requested as an enhancement request in bugtracker here: https://www.virtualbox.org/ticket/12911 and was turned down because it's apparently possible to make within the host settings and not a common requirement. (I think it's a bit more common than realized, because of folks thinking a NAT-attached guest only gets internet access so viruses ought to be isolated, however NAT really can access the host LAN so viruses can still get to the host. But I have no idea how to make source code to do it myself and contribute it, so that's that :) )
Apparently it's possible on Linux hosts to make this sandbox filter for guests, and the "netsh advfirewall" command in Windows is supposed to do the same. The Linux method is found on Superuser.com: http://superuser.com/questions/691431/h ... 461#691461 and re-posted here on the Virtualbox forums: viewtopic.php?f=9&t=61005&p=284835#p284835
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: New Network mode: Sandbox

Post by mpack »

scottgus1 wrote:however NAT really can access the host LAN so viruses can still get to the host
? NAT only works if the host has internet access, hence a external virus doesn't need a VMs participation in order to access the host LAN.

What is the mechanism you were thinking of that would allow a host to be infected by a guests internet traffic?
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: New Network mode: Sandbox

Post by scottgus1 »

I've seen it presented to users in the forum that when one wants to browse the web in the guest and not on the host, NAT the guest and one's good to go. Seems to leave the impression that the host is safe and I don't really think it is.

One does indeed need internet accessibility on the host to use the internet in a NAT guest; interesting, I dind't know that. (Tested that myself on a computer blocked forom the web via ip address filter in the router - with a bridged connection the guest could still get internet, but with NAT the guest was blocked, too. Learn something new every day, thanks, Mpack.)

But I can also access the host lan on a NAT-attached machine, even though the NAT ip address range is different from the host lan range, by using \\host.ip.add.resses in the host lan range, and pass files and folders to shared folders on any pc on the host lan that the user can access, and read and write to drive$ shares (which, I know, can and should be turned off) and establish Remote Desktop connections. I'm thinking that if I can keyboard and mouse my way into the host lan and read / write / access / delete anything I can see, a virus could, too. (Unless I'm wrong and a virus can't access these things...)

There's of course many things one can do to lock off a host, such as no shared folders, etc. (But that means no shared folders anywhere on the lan, since a NAT guest can still access them via ip address. Kind of inconvenient.) Sandbox mode would lock things down much better (I think). If the ip addresses of the lan were blocked, I'm thinking that neither a person nor a virus could access them.

When I get a mo I'm going to look into the "netsh" command and the firewall settings and see what can be done with that.
Martin
Volunteer
Posts: 2560
Joined: 30. May 2007, 18:05
Primary OS: Fedora other
VBox Version: PUEL
Guest OSses: XP, Win7, Win10, Linux, OS/2

Re: New Network mode: Sandbox

Post by Martin »

scottgus1 wrote:I've seen it presented to users in the forum that when one wants to browse the web in the guest and not on the host, NAT the guest and one's good to go. Seems to leave the impression that the host is safe and I don't really think it is.
I have never got such an impression from a forum message. But that can be because I already had virtualisation and networking experience before starting here ;)
With NAT your Vbox guest uses the host network stack like any other application running on the system. It has full access to everything, like a web browser or any other program with TCP/IP capabilities running in the host os.
loukingjr
Volunteer
Posts: 8851
Joined: 30. Apr 2009, 09:45
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: just about all that run

Re: New Network mode: Sandbox

Post by loukingjr »

I'm not all that familiar with networking but isn't it possible to run a firewall on a host that doesn't allow incoming traffic from a guest?
OSX, Linux and Windows Hosts & Guests
There are three groups of people. Those that can count and those that can't.
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: New Network mode: Sandbox

Post by scottgus1 »

After I read a post by Bill the network guru, I get the impression I have a lot more to learn about networking. I know just enough to be dangerous... :shock:

The developers have decided that this wasn't going to be implemented, so it's all a moot point now. I was thinking about NAT, because of what I've read on the forums about the advice given about web in the guest not in the host and what network settings to use. But since NAT needs internet access on the host, then a modified form of NAT would have been the wrong way to go. Ultimately it would have needed a Virtualbox firewall, I'm guessing, since it appears that the host firewall can filter out what's needed to make a sandboxed guest. Developers say, do it on the host firewall. Just have to figure out how to do all of that in Windows...
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: New Network mode: Sandbox

Post by mpack »

IMHO, the only reason NAT is recommended is because it's simpler to get working: if the host internet works, NAT will work - which isn't something you can say about any other internet capable network mode. I don't recall any conversation to the effect that NAT was more secure. On the contrary, you would usually considered "bridged" potentially more secure because it can be configured as a separate network, and packets would go directly to or from the guest.

Of course, like any NAT connection (e.g. like a LAN placed behind a NAT router), the guest (not the host) does get some security from the fact that it can't be hacked directly since it will cannot receive any unsolicited messages.
Post Reply