How to restrict some Networking Modes?

chablet

How to restrict some Networking Modes?

Post by chablet »

Due to some security concerns, my company is removing VirtualBox VM from all machines.
The claim is that having "Bridged networking" available bypasses some network controls (i.e. AD-based firewall settings in Windows 10).

Is there a way (via Registry Settings for example) to restrict some of the Networking Modes?
This way, admin people can reduce "the risk" by disabling configurations like Bridged networking.
scottgus1
Site Moderator

Re: How to restrict some Networking Modes?

Post by scottgus1 »

Bridged will bypass the host OS's network stack completely, if I understand correctly. See Virtualbox Networks: In Pictures: Bridged Adapter

VirtualBox can be installed without Bridged networking. If your IT dept has sufficient control of what and how programs get installed on the computers, it can turn off Bridged during VirtualBox installation or upgrade, then no VMs can Bridge.

I understand it is also possible to configure a fancy-enough network switch to not allow more than one computer to network through the switch port, which would also block Bridged, since Bridged VMs would appear as separate computers to the network. This setup is controlled in the switch's configuration, not by VirtualBox settings or installation, and might be even more controllable than setting VirtualBox installation parameters.

NAT and NAT Network do go through the host PC's network stack, so they should comply with host networking restrictions.
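For hosts where Bridged stays installed, an audit along these lines reports which VMs have an adapter in bridged mode, the one mode described above as bypassing the host's network stack. This is an added example, not code from any poster or from VirtualBox; it assumes the `nicN="..."` and `bridgeadapterN="..."` lines printed by `VBoxManage showvminfo --machinereadable`, and the sample text is constructed.

```python
import re
import subprocess

NIC = re.compile(r'^nic(\d+)="([^"]*)"\s*$')
BRIDGE_IF = re.compile(r'^bridgeadapter(\d+)="([^"]*)"\s*$')
VM_LINE = re.compile(r'^"(.*)" \{([0-9a-f-]+)\}\s*$')

def bridged_nics(showvminfo_text):
    """Return [(slot, host_interface)] for every NIC attached in bridged mode."""
    modes, host_if = {}, {}
    for line in showvminfo_text.splitlines():
        if m := NIC.match(line):
            modes[int(m.group(1))] = m.group(2)
        elif m := BRIDGE_IF.match(line):
            host_if[int(m.group(1))] = m.group(2)
    # Only the nicN mode decides; a bridgeadapterN line on its own is ignored.
    return [(slot, host_if.get(slot, ""))
            for slot, mode in sorted(modes.items()) if mode == "bridged"]

def audit_host(vboxmanage="VBoxManage"):
    """Query the local install; returns {vm_name: [(slot, host_interface)]}."""
    def run(*args):
        return subprocess.run([vboxmanage, *args], capture_output=True,
                              text=True, check=True).stdout
    findings = {}
    for line in run("list", "vms").splitlines():
        if m := VM_LINE.match(line):
            hits = bridged_nics(run("showvminfo", m.group(2), "--machinereadable"))
            if hits:
                findings[m.group(1)] = hits
    return findings

# Constructed sample of machine-readable VM info (not captured from a real host).
SAMPLE = '''name="dev-box"
nic1="nat"
nic2="bridged"
bridgeadapter2="Example Ethernet Adapter"
macaddress2="080027AABBCC"
nic3="none"
'''

if __name__ == "__main__":
    print(bridged_nics(SAMPLE))
```

VMs are registered per user account, so `audit_host()` only sees the VMs of the account it runs under.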
BillG
Volunteer

Re: How to restrict some Networking Modes?

Post by BillG »

I would certainly think that is the way to attack the problem. It would prevent the vm from all direct access to the company LAN. The only way it can access the network is through the host's LAN connection. Any attempt to use bridged mode would fail, since bridged mode requires the vm to have its own port so that it can acquire its own IP etc from the DHCP server on the LAN.

We occasionally see posts on the forum from users on corporate LANs who cannot get bridged mode to work, and "one port per connection" settings on the switch is usually the cause.
Bill
mpack
Site Moderator

Re: How to restrict some Networking Modes?

Post by mpack »

This seems excessive to me, or based on a misunderstanding.

E.g. at my work it simply isn't possible to use Bridged Networking to access the company LAN, because the VM would be seen like any other unknown PC: not on the whitelist pal, byeee! I would be amazed if your office LAN allows unknown laptops to connect to anything.

Disabling the bridged feature would be like asking guests to disable their WiFi. Yes you could do it, but it's hardly a substitute for actual security.

What is the goal here? Is it securing the LAN, or is it stopping employees visiting questionable sites on company time?