
VirtualBox: how to run a VM safely?


19 replies to this topic

#1 The Man from Oahu


Posted 24 January 2016 - 12:15 PM

Hi guys,

 

hope this is the right place to post my question.

I'd like to run a Fedora VM using VirtualBox. My computer is a W7 64Pro 8GB RAM machine.

I have no experience in virtualization, my question is:

what rules/settings do I have to follow so that my W7 is completely safe against any malware coming from the guest OS?

 

Mod Edit:  Moved from Networking to All Other Apps - Hamluis.


Edited by hamluis, 28 January 2017 - 06:34 AM.
Moved from Win 7 to Networking - Hamluis.



 


#2 Hauberk


Posted 24 January 2016 - 12:50 PM

To be completely safe from any threats coming from the Virtual System installed in VirtualBox:

Be sure no Shared Folders are used by the Virtual System.

Do not rush to install or download files that may infect the Virtual System. Use it like a normal system.

Update the Virtual System every time it is needed and take care of it.

Update VirtualBox for security updates as well.

Install security programs, like on your system.

 

That is the basis of it. This should keep you safe.



#3 Guest_GNULINUX_*


Posted 24 January 2016 - 01:03 PM

Nothing is completely safe but... the most important safety rules/settings in a VM are:

 

- Choose NAT network or even NO network (depending on your needs).

- NO shared folders and NO shared clipboard.

 

If you exchange files between your guest and host, scan them properly because some malware will not run on your VM but will run on your host (especially because it's Linux vs Windows).

 

Greets!

 



#4 packetanalyzer


Posted 24 January 2016 - 01:33 PM

Hi The Man from Oahu,

 

Nothing can ever be completely secure, but there are some things you can do to increase the security of your computer.

Below is a summary of things you need to address. Some have been mentioned and some have not been mentioned.

 

Basic Security Guidelines

 

The following guidelines apply to your virtual machine just as they apply to your physical machine.

  1. Always install Operating System updates
  2. Keep your installed applications up-to-date
  3. Do not use the same password at every site
  4. Install and be sure to update your anti-virus software (and perform regular full system anti-virus scans)
  5. Use a firewall
  6. Backup your data!
  7. Do not open attachments from people you do not know
  8. When installing a piece of software, watch out for "bundled" tool bars and programs that you may not want

The above tips were taken from Grinler's "Simple and easy ways to keep your computer safe and secure on the Internet".

 

Please read the entire article for more tips.

 

 

Virtual Machine Security Guidelines

 

When it comes to creating a virtual machine, you have some other considerations.

 

  • Disable Shared Folders in VirtualBox
  • Disable Drag'n'Drop
  • Disable Shared Clipboard

You have some options when it comes to networking. If you need the virtual machine to access the Internet you should select either NAT or Bridged. The difference between the two is that NAT means the network traffic from the VM is going to go to the host and the host will route the traffic to the Internet. Obviously, if you are trying to keep the virtual machine completely isolated from the host, you may want to use Bridged. If you do use NAT you should also be aware, that you might end up having multiple firewalls that affect the traffic coming into your virtual machine. So if you want to be able to RDP into your virtual machine, you may need to make the corresponding firewall modifications on your host and your virtual machine.

 

You can also change the hard drive type on your virtual machine from normal to immutable. Immutable means that any changes made to the virtual hard drive are lost after you reboot your virtual machine.
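An added example, not part of the original post and not VirtualBox's own tooling: a small Python audit of the settings named in this thread (shared folders, shared clipboard, drag and drop, network attachment), run over the text of `VBoxManage showvminfo <vm> --machinereadable`. The key names are assumed to match what that command prints on your VirtualBox version, and the sample output is constructed.

```python
import re

# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable` output.
# Key names are an assumption; compare with what your VirtualBox version prints.
SAMPLE = '''\
name="fedora-test"
clipboard="bidirectional"
draganddrop="disabled"
nic1="bridged"
bridgeadapter1="Intel(R) Ethernet Connection"
nic2="none"
SharedFolderNameMachineMapping1="downloads"
SharedFolderPathMachineMapping1="C:\\Users\\me\\Downloads"
'''

LINE = re.compile(r'^"?([^"=]+)"?="?(.*?)"?$')
SF_NAME = "SharedFolderNameMachineMapping"
SF_PATH = "SharedFolderPathMachineMapping"

def parse(text):
    """Turn key="value" lines into a dict, ignoring lines that do not match."""
    info = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            info[m.group(1)] = m.group(2)
    return info

def audit(info):
    """Return findings for host/guest sharing channels and attached NICs."""
    findings = []
    for key, label in (("clipboard", "shared clipboard"),
                       ("draganddrop", "drag and drop")):
        mode = info.get(key)
        if mode is None:
            findings.append(f"{label}: setting not found, check manually")
        elif mode.lower() != "disabled":
            findings.append(f"{label} is enabled ({mode})")
    for key, val in sorted(info.items()):
        if key.startswith(SF_NAME):
            path = info.get(SF_PATH + key[len(SF_NAME):], "?")
            findings.append(f"shared folder '{val}' maps host path {path}")
        elif re.fullmatch(r"nic\d+", key) and val.lower() not in ("none", "null"):
            findings.append(f"{key} is attached ({val}); confirm this mode is intended")
    return findings

if __name__ == "__main__":
    for finding in audit(parse(SAMPLE)):
        print("FINDING:", finding)
```

To check a real VM, feed the saved output of the `showvminfo` command to `parse()` instead of `SAMPLE`.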



#5 The Man from Oahu


Posted 24 January 2016 - 03:54 PM

Thanks to all for the interesting replies.

 

The NAT vs. Bridged setting needs more reading, I think.



#6 Guest_GNULINUX_*


Posted 25 January 2016 - 05:22 AM

Extra (basic) reading: Virtual networking VirtualBox

 

I think NAT is all-round safer because even your networking hardware is virtual...  B)

 

But it seems that there is some disagreement on NAT vs BRIDGED...

Read following to get an idea:

Click (start reading at the first bold text) & Click (also check the first link in that topic)!

 

Some (more) input from the malware/network specialists here at BC could clear things up?

 

Greets!



#7 The Man from Oahu


Posted 25 January 2016 - 08:51 AM

Those two threads are the reason why I thought there was more reading to do.

It seems to me there are some conflicting opinions on the matter.



#8 packetanalyzer


Posted 25 January 2016 - 09:11 AM

But it seems that there is some disagreement on NAT vs BRIDGED...

 

I think it really comes down to what are you trying to accomplish? There are scenarios where you need NAT instead of bridged and there are times you need bridged instead of NAT. Each comes with its own security advantages and disadvantages.

 

If you use NAT you may also have the benefit of any network security programs running on the host applying to your virtual machine as well. That does NOT mean you should ignore the other security recommendations for your virtual machine. Security requires thought and vigilance. Don't think any one security measure will keep your computer secure.

 

If you use bridged your traffic will be isolated from your host. Your VM will get an IP address from the same DHCP authority (or a static IP if you use one) as your host.

 

There are also times you don't want your virtual machine to be connected to the network that either your host or other hosts are connected to. You can choose to not enable a network adapter or you can use a Host-Only network.

 

Again, with every network configuration there are security and/or usability advantages and disadvantages. If you have a specific question about how to safely use your virtual machine, please let us know what you are planning to use the virtual machine for.

 

 

It seems to me there are some conflicting opinions on the matter.

 

There will always be conflicting opinions on the "best way" to do things. :) That is one of the things that makes technology really cool. There is always more than one way you can do something.



#9 The Man from Oahu


Posted 25 January 2016 - 12:17 PM

@packetanalyzer

my primary need is this: the VM has to be completely isolated from the Real Machine so that if any malware should infect the VM despite all the precautions taken, it won't touch my W7 OS or any other file on my computer. I have to be able to get rid of any possible trouble simply by deleting the VM and be sure nothing has happened to my Real Machine.

That said, it seems I'd have to go Bridged, but this bothers me. Any further advice?


Edited by The Man from Oahu, 25 January 2016 - 12:18 PM.


#10 packetanalyzer


Posted 25 January 2016 - 01:43 PM

So, just to re-emphasize what everyone has said to this point, you will never have 100% protection. There are a number of discussions on the Internet about the eventual possibility that malware could break out of the VM and infect the host.

 

http://security.stackexchange.com/questions/9011/does-a-virtual-machine-stop-malware-from-doing-harm

 

http://security.stackexchange.com/questions/4097/how-to-ensure-that-virtualbox-guests-cant-break-out-of-the-vm-to-get-access-to

 

http://security.stackexchange.com/questions/3056/how-secure-are-virtual-machines-really-false-sense-of-security

 

https://nakedsecurity.sophos.com/2015/05/14/the-venom-virtual-machine-escape-bug-what-you-need-to-know/

 

So that is something you have to address no matter how you configure your VM. I would encourage you to do things like update your software for your VMs on your host (VirtualBox) regularly and disable features like shared clipboard, shared folders, and drag and drop.

 

If you don't need to save things to the VM then again, I would recommend making your virtual machine hard drive immutable. If you decide that is what you want and you need help doing that, please let me know and I will be glad to give you instructions.

 

 

Problem with bridged network: you let malware full access to your real network.
Problem with VBox NAT: you cannot control connectivity at will (the way you can do with an external NAT solution).

 

That depends on how you configure your network. ;) A very important question you still need to answer is if you need the VM to have Internet access. If you do, then regardless of what networking option you choose you still have to protect the VM from getting infected. Again, please refer to the previous recommendations. If you don't, then choose "Not Attached".

 

I think a few things you need to consider are ways that a computer usually gets infected. Usually, a computer is infected by the user doing something (clicking an advertisement, opening an attachment in an email, or going to an infected web site). But also realize that if your host gets infected, the attacker may be able to access your VM, so this isn't a pick and choose situation. You have to protect BOTH your VM and your HOST. If you don't protect the host, you have put your host and VM at risk. If you don't protect your VM, you have put your VM at risk.

 

If you don't need Internet on your VM, select "Not Attached" for the "Attach to" in the VM's network configuration. If you do need Internet on your VM, follow all of the normal security practices you would on your host.

 

If you don't need to save files on your VM make the VM hard drive immutable. If you do need to save files on your VM, you can save them to a flash drive which you can set a filter for in VirtualBox so only that flash drive connects to the VM. You can burn the files to CD. You can store the files in the cloud.

 

You can VLAN your VM to put it on a different network than your host. To do that you need to use Bridged. Please be aware, VLANs are an advanced networking concept and in some cases even get little help on the VirtualBox forums.

 

 

the VM has to be completely isolated from the Real Machine so that  any malware should infect the VM despite all the precautions taken, it won't touch my W7 OS or any other file on my computer

 

So your biggest concern is about malware that will spread over your network?

 

Really, the solution is no different than what you do to protect your host from becoming the source of a network spread virus.

 

More best practices for security are available on Symantec's Website.

 

If you are very concerned that your VM is going to get infected and that the infection will spread to other computers connected to your network, you need to either VLAN the traffic on the VM to a different network your host is not connected to or place a type of firewall, IDS, IPS between your VM and the host.

 

You can do this by creating an additional VM that will be a virtual firewall, IDS, IPS appliance and connecting one virtual network adapter from the virtual firewall, IDS, IPS appliance to the VM and the other virtual network adapter from the appliance to the host.

 

That is a process that is better suited for the Networking forum. If you do decide you want to add a virtual firewall, IDS, IPS appliance and install it between your VM and your host, please ask that question in the Networking forum and send me a PM.


Edited by packetanalyzer, 25 January 2016 - 02:00 PM.


#11 The Man from Oahu


Posted 25 January 2016 - 04:19 PM

I need the VM to be connected to Internet and I don't think I can use the immutable drive option.

I have to think things over, it seems much more complex than I thought.

Anyways, thanks for your precious help and time.



#12 packetanalyzer


Posted 25 January 2016 - 04:48 PM

 

it seems much more complex than I thought.

 

That is true. :) Always remember, computers will do exactly what you tell them to do. Nothing more and nothing less. Computers can't read our minds (yet) so we have to be detailed about what exactly we want it to do.



#13 The Man from Oahu


Posted 25 January 2016 - 05:00 PM

Thanks again.

If I don't go bananas trying to understand all that stuff I'll be back, here or on the Networking forum.

:)



#14 packetanalyzer


Posted 26 January 2016 - 08:45 AM

 

If I don't go bananas trying to understand all that stuff I'll be back

 

Don't worry. If you have questions you can always ask! We will do our best to answer them for you.

 

Best of luck! :)



#15 The Man from Oahu


Posted 27 January 2016 - 01:33 PM

I have been doing some reading, I must say I'm more confused now than before.

Let me get this straight. I have two options:

- VLAN

- a VM acting as a VF (virtual firewall)

The second option would be easier to configure, on the other hand I'll have to run two VMs at the same time.

Is this correct?





