Allow host to only access mail.myorg.org on port 443?

[hbf]

Dear list,

I am evaluating whether we can use VirtualBox as a secure environment for storing and working on confidential documents. The idea is to use an encrypted external hard-drive, store a VirtualBox image (and possibly the VirtualBox application itself) on it. The end-user would store all confidential documents in the guest system and would use Office tools to work on them.

My question: Unfortunately, we might have to allow access to gmail to exchange encrypted mails. I am wondering therefore whether it is possible to configure VirtualBox's network setting in such a way that only TCP traffic on port 443 to a particular IP is allowed?

Thanks for any answers or pointers into other directions.

Best,
Hbf

[mpack]

I'm not sure I understand the intention. Ok, sure, confidential documents on encrypted drive, got it. What I don't understand is, what is the VM for?

The guest OS implements the networking stack, so the question of what it might be made to allow or not allow is really a question for the guest OS.

[hbf]

Dear mpack,

Thanks for your response.

What I don't understand is, what is the VM for?

The reason for the VM is the following. If we just had an encrypted drive that our staff members would connect to their laptops, they would open documents in for example Word. Later on, they close the Word document and eject the encrypted drive. They think all is fine, but in fact, there's a big chance that Word has left some temporary or backup file somewhere (or had one at some point, so it could be recovered/unerased). There are tons of similar problems.

Therefore, the idea was to say: let's encrypt not just the files but put the whole work environment (= OS with Word) onto the encrypted drive. (You could say that we could encrypt the whole laptop. But our use case is that most of the time, the staff member will work with non-confidential files. So we propose to have two work environment, one for normal work and one (the VM) for confidential work.) Does this make more sense?

The guest OS implements the networking stack, so the question of what it might be made to allow or not allow is really a question for the guest OS.

Probably true and correct. I was simply wondering whether there is something out there to address the network stack between guest and host. With this, we could configure the VM only (and neither the guest nor the host), in such a way that we can be sure that whatever the user does in the machine, he cannot do the wrong thing (like downloading a Trojan, for example).

Hbf

[mpack]

Ok, I see why the VM might be useful.

I'm not aware of any built in networking feature that might help you. NAT mode does support port forwarding, but that's used to forward additional TCP ports - you can't use that to block the normal ports. I don't know of any other feature that even comes close: the host and the VM are essentially separarate PCs with independant networking stacks. They can communicate like any other networked PCs can, but it was never intended that one PC would act as some kind of supervisor/filter for the other. However if such network filter software exists, then it could be installed on the host just like it would normally be installed on a server.

[hbf]

Hm, bad luck then. Maybe there's a way then to configure the guest or host system appropriately.

Thank you for your response, though, very much appreciated.

Hbf