Bridged connection in VB (host/guest security)?

Posted: 20. Feb 2012, 14:21
by AlphaCE
Hello everybody.

I did search around for this topic but I couldn't get enough information regarding this topic, because it wasn't mentioned specifically.
Firstly, I'm not an expert in networking or computers, but I can manage my way around.

From what I gathered, a bridged connection is safer than NAT if done properly. I heard you could use a firewall to block access to the host through the network, but I'd like to go a step further than that.
Is there any way possible to isolate the host from the network whilst allowing a bridged connection for the guest? I wouldn't really need internet or network access on the host since I could manage everything with the guest. I read that someone managed this by not giving the host machine an IP address or removing the host MAC address in the router.
How exactly would that be done... either the IP addressing or the MAC removal? Or is there any other way to get a similar effect?

I want the host to be as static as possible and almost never needing changing, so internet access would only seldom be used. In the meantime I'd use the guest for all my surfing/internet needs.

Please excuse me if it's more of a network-related question, but it is in context with VB. Thanks.

Re: Bridged connection in VB (host/guest security)?

Posted: 20. Feb 2012, 14:32
by mpack
IMHO, the arguments in favour of either NAT or bridged are akin to arguing how many angels can dance on a pin head: we are never likely to get a final answer.

As to cutting the host out entirely: you can't cut the host out entirely, because all VM resources are allocated by the host. "Bridged" is just a redirector filter installed on top of the host's NIC driver. However, you can go into host network settings for that NIC and disable (say) TCP/IP support, which will effectively block the host from doing anything useful with that NIC. Of course the host would be completely blocked, not just when a VM was running.

Frankly I think it's overkill. Don't share critical folders on the host, don't run any executables on the host if they've been inside a shared folder. And of course you should be taking regular whole disk backups anyway. What could happen?

Re: Bridged connection in VB (host/guest security)?

Posted: 20. Feb 2012, 14:40
by AlphaCE
It might be overkill, but I think it's definitely worth a try IMO.

I do understand that you can't completely isolate the host since it's using the same NIC or the same PC for that matter, but my aim is just to increase protection as far as I can go with my knowledge.
So would disabling TCP/IP just cut the whole system out of the network or just the host?

Re: Bridged connection in VB (host/guest security)?

Posted: 20. Feb 2012, 15:38
by mpack
AlphaCE wrote: So would disabling TCP/IP just cut the whole system out of the network or just the host?
It would cut the host out of the network. The guest has its own TCP/IP stack.
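
The step described above, disabling TCP/IP on the host's bridged NIC, as an added example that is not part of the original thread. It assumes a Windows host with the NetAdapter cmdlets (Windows 8 / Server 2012 or later) and an elevated prompt; the adapter name `Ethernet` is a placeholder, unbinding IPv6 along with IPv4 goes beyond the post, and matching the VirtualBox filter by display name is an assumption.

```powershell
# Added example, not from the thread. Run elevated on the Windows host.
# 'Ethernet' is a placeholder; list real adapter names with Get-NetAdapter.
param(
    [string]$AdapterName = 'Ethernet'
)

# Host protocol stacks to unbind from the physical NIC (IPv4 and IPv6).
$hostStacks = 'ms_tcpip', 'ms_tcpip6'

# The VirtualBox bridged filter must stay bound to this NIC, otherwise the
# guest loses its path to the wire as well. Matched by display name
# (assumption: the driver's display name contains "VirtualBox").
$vboxFilter = Get-NetAdapterBinding -Name $AdapterName |
    Where-Object { $_.DisplayName -like '*VirtualBox*' -and $_.Enabled }
if (-not $vboxFilter) {
    throw "No enabled VirtualBox bridged binding found on '$AdapterName'."
}

# Unbind the host's TCP/IP stacks. The link itself stays up for the guest.
foreach ($id in $hostStacks) {
    Disable-NetAdapterBinding -Name $AdapterName -ComponentID $id
}

# Verify 1: neither host stack is still bound to the adapter.
$stillBound = Get-NetAdapterBinding -Name $AdapterName |
    Where-Object { $_.ComponentID -in $hostStacks -and $_.Enabled }
if ($stillBound) {
    throw "Host TCP/IP still bound: $($stillBound.ComponentID -join ', ')"
}

# Verify 2: the host holds no IP address on this interface any more.
$addrs = Get-NetIPAddress -InterfaceAlias $AdapterName -ErrorAction SilentlyContinue
if ($addrs) {
    throw "Host still has addresses: $($addrs.IPAddress -join ', ')"
}

# Show what remains bound, so leftover host components are visible.
Get-NetAdapterBinding -Name $AdapterName |
    Sort-Object ComponentID |
    Format-Table DisplayName, ComponentID, Enabled -AutoSize
```

`Enable-NetAdapterBinding` with the same `-Name` and `-ComponentID` values restores host connectivity when the host needs updates.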

Re: Bridged connection in VB (host/guest security)?

Posted: 20. Feb 2012, 16:37
by AlphaCE
I just disabled it. And it works. My host is off the network but my bridged guest is on.

Re: Bridged connection in VB (host/guest security)?

Posted: 2. Mar 2012, 04:44
by Technologov
VirtualBox has 3 layers of network access:
(layer-3) NAT: uses your host's TCP/IP stack. (default)
(layer-2) Bridge: uses your host's NIC driver. (bypasses host's TCP/IP stack and host's firewall) <-- this is what you have done.
(layer-1) PCI-pass-through / VT-d: uses your host's Network Hardware. (bypasses host's TCP/IP stack *and* host OS hardware [NIC] drivers).
This is like yanking a NIC from the host's PCI slot. This step will also remove hardware [NIC] drivers from host OS.
...NOTE: VT-d requires Linux host and an Intel VT-d or AMD IOMMU hardware (CPU+BIOS).

Other network modes:
Internal and Not connected are not applicable (N/A), since they don't provide network access to the outer world.
VDE is configurable like NAT or like Bridge. (layer-2 or 3)
UDP Tunnel is also layer-3.
Host-only is layer-2.

I hope that my small insight on VirtualBox networking is helpful (@_@)

Happy VBoxing,
-Technologov