From: Aragorn on
On Saturday 13 February 2010 07:18 in comp.os.linux.setup, somebody
identifying as Karthik Balaguru wrote...

> On Feb 13, 1:13 am, "David W. Hodgins" <dwhodg...(a)nomail.afraid.org>
> wrote:
>
>> As with any m$ software, make sure it's protected by
>> a properly configured router.
>>
>
> Okay, but it is strange that there is no mechanism/tricks
> in VirtualBox/Vmware to make the packets to flow
> through the host OS to the guest OS ?

I have no experience with VMWare or VirtualBox, but in my humble
opinion, it should be possible to set up the virtual machine so that it
uses the host OS as a router - I know that Xen supports different types
of networking, so I would imagine this to apply to VMWare or VirtualBox
as well.

Your guest OS will then not have an IP address on the same subnet as the
host OS, though, so the host will have to be set up as a NAT. This
gives you control over the firewalling towards the guest via iptables.

--
*Aragorn*
(registered GNU/Linux user #223157)
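Added example, not part of Aragorn's post: one way to express the NAT-plus-firewall arrangement described above as an iptables-restore ruleset, with the guest on its own subnet behind the host. The interface names (`vboxnet0`, `eth0`), the guest subnet and the allowed ports are assumptions for illustration.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset that makes the Linux host
# the NAT router and firewall for a guest on its own subnet.
# Assumed values (not from the thread), all overridable from the environment:
GUEST_IF="${GUEST_IF:-vboxnet0}"          # host side of the guest-only network
GUEST_NET="${GUEST_NET:-192.168.56.0/24}" # subnet the guest lives on
WAN_IF="${WAN_IF:-eth0}"                  # host interface facing the router
GUEST_TCP_OUT="${GUEST_TCP_OUT:-80,443}"  # TCP ports the guest may reach

guest_nat_rules() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
# Guest traffic leaves with the host's address (the NAT step).
-A POSTROUTING -s $GUEST_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The guest may not open connections to the host itself.
-A INPUT -i $GUEST_IF -m conntrack --ctstate NEW -j DROP
# Replies to connections the guest started are allowed back in; nothing
# from outside can start a connection to the guest (FORWARD policy is DROP).
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $GUEST_IF -o $WAN_IF -s $GUEST_NET -p tcp -m multiport --dports $GUEST_TCP_OUT -j ACCEPT
-A FORWARD -i $GUEST_IF -o $WAN_IF -s $GUEST_NET -p udp --dport 53 -j ACCEPT
# Anything else the guest tries is logged, then dropped by the policy.
-A FORWARD -i $GUEST_IF -j LOG --log-prefix "guest-blocked: "
COMMIT
EOF
}

# Print the ruleset for review when called as: sh guest-nat.sh --print
if [ "${1:-}" = "--print" ]; then
    guest_nat_rules
fi
```

Check the output with `iptables-restore --test` before loading it; loading without `--noflush` replaces the host's existing filter and nat tables, and forwarding also requires `net.ipv4.ip_forward=1`.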
From: Ian Hilliard on
Karthik Balaguru wrote:
> Hi,
> The internet connection is in Linux (Host OS).
> I am just eager to know if i have Windows as a
> guest OS on Host OS(Linux), is it less possible
> for Windows to get infected by virus ?
>
> If Windows crashes, is there a mechanism
> to recover it from Host OS(Linux) ?
> Also, is there any mechanism to debug windows
> from linux ? Any ideas ?
>
> I am planning to use Ubuntu as Host OS and
> Windows Vista as Guest OS and either
> Vmware or VirtualBox (Virtual machines).
>
> Thx in advans,
> Karthik Balaguru

If you are running Windows in a virtual machine, it is possible to make
a snapshot of the OS after installing software but before it is
connected to the net. The firewall on the host system will also stop
attacks on the Windows IP stack and open ports.

The problem is that Windows is still insecure by design. You can try
running a virus scanner, but that only has limited effectiveness. A
better solution might be to roll back to the snapshot of the OS every
time you use it. This will lose history, patches, et al. but is fairly
sure not to have any lurking nasties.

Ian
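Added example, not part of Ian's post: the "roll back to the snapshot every time you use it" routine as a VirtualBox wrapper script. The VM name and snapshot name passed on the command line are placeholders, and the `VBOX` variable is an assumption of this example so the command can be swapped out for a dry run.

```shell
#!/bin/sh
# Added example: start every Windows session from a known-clean snapshot.
# VBOX is a hook introduced by this example; it defaults to the real CLI.
VBOX="${VBOX:-VBoxManage}"

# Print the VM's current state, e.g. running, poweroff, saved.
vm_state() {
    $VBOX showvminfo "$1" --machinereadable |
        sed -n 's/^VMState="\(.*\)"$/\1/p'
}

# Succeed only if a snapshot with exactly this name exists on the VM.
snapshot_exists() {
    $VBOX snapshot "$1" list --machinereadable |
        grep -q "^SnapshotName[^=]*=\"$2\"\$"
}

clean_session() {
    vm=$1
    snap=$2
    # Refuse to touch the VM if the clean snapshot is missing; otherwise a
    # typo would leave the guest running in its used state.
    snapshot_exists "$vm" "$snap" || {
        echo "no snapshot '$snap' on VM '$vm'" >&2
        return 1
    }
    # A snapshot cannot be restored while the VM is running.
    case "$(vm_state "$vm")" in
        running|paused|stuck) $VBOX controlvm "$vm" poweroff ;;
    esac
    # Discards everything written since the snapshot: lurking nasties, but
    # also history and patches, as the post says.
    $VBOX snapshot "$vm" restore "$snap"
    $VBOX startvm "$vm"
}

# Usage: sh clean-session.sh <vm-name> <snapshot-name>
if [ "$#" -eq 2 ]; then
    clean_session "$1" "$2"
fi
```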
From: The Natural Philosopher on
Karthik Balaguru wrote:
> On Feb 13, 1:13 am, "David W. Hodgins" <dwhodg...(a)nomail.afraid.org>
> wrote:
>> On Fri, 12 Feb 2010 14:36:18 -0500, Karthik Balaguru <karthikbalagur...(a)gmail.com> wrote:
>>> The internet connection is in Linux (Host OS).
>>> I am just eager to know if i have Windows as a
>>> guest OS on Host OS(Linux), is it less possible
>>> for Windows to get infected by virus ?
>> Using VirtualBox, I have xp running as a guest under
>> Mandriva linux, with the network setup as a bridged
>> adapter on eth0.
>>
>> The guest gets its own ip address, and the packets
>> going to/from the guest, do not pass through the
>> linux firewall.
>
> Okay.
> Another possible thought is disabling the
> internet support in the guest OS. But that would
> be blocking the applications that are running on
> the guest OS to access internet. :-(
>

Precisely.

In my setup... I have just switched to VirtualBox... the ONLY app that
touches the internet is IE6, which I need to test websites.

I found screen was too slow and networking strangely odd, with VMware.

All internet related stuff is done under Linux.

The approach I have taken, is to reduce Windows to the four programs I
need that will only run on it.



>> From the point of view of the guest os, it's as if it
>> had its own real network interface card, so it's just
>> as susceptible to network attacks, as it would be if
>> running on native hardware.
>>
>> As with any m$ software, make sure it's protected by
>> a properly configured router.
>>
>
> Okay, but it is strange that there is no mechanism/tricks
> in VirtualBox/Vmware to make the packets to flow
> through the host OS to the guest OS ?

Oh, I am sure you could use some kind of packet filtering and/or virus
scanning... BUT that's not what virtualisation is normally designed to do.

It's not in the business of protecting Windows from its own ghastliness:
It's there to present as clean an interface to Windows with as much
speed as possible.

FWIW I have a Debian install, with fairly late kernels and Virtualbox from
backports.

It's clean and works better than VMware server or Vmplayer IME.



From: Karthik Balaguru on
On Feb 13, 2:45 pm, Nico Kadel-Garcia <nka...(a)gmail.com> wrote:
> On Feb 12, 3:55 pm, The Natural Philosopher <t...(a)invalid.invalid>
> wrote:
>
> > Karthik Balaguru wrote:
> > > On Feb 13, 12:37 am, "Bill Yanaire, ESQ" <b...(a)yanaire.org> wrote:
> > > Do you mean to say that windows will get infected
> > > even if it runs as a guest OS on linux OS ?
> > > Strange !!
>
> Certainly! By emulating the full OS, you emulate the bugs and
> vulnerabilities.

Agreed !

>
> > Of course. It's effectively a standalone machine. Running on some
> > curious hardware..
>
> There are some interesting approaches to this. Using ClamAV and the
> like to scan the Windows filesystem, from the safe Linux world, is very
> handy at spotting some kinds of infected files. But other
> vulnerabilities, such as website infection attacks, can use holes in
> the existing Windows software that ClamAV has no chance of detecting.

Okay.

> Another approach I've just heard about is using VMWare and a kernel in
> the Hypervisor that hosts the guest operating systems to provide
> certain types of protection: this might work best with para-
> virtualized kernels in the guests.
>

Need to check the paravirtualization.

> Now, if our friend was running WINE, and using that to run Windows
> applications actually on the Linux host and not in a virtualized
> operating system, *THAT* gets you some protection from virus trouble.
> But not everything runs well that way.

True that not everything would run well that way.

Karthik Balaguru
From: Karthik Balaguru on
On Feb 13, 11:23 am, Hans-Peter Diettrich <DrDiettri...(a)aol.com>
wrote:
> Karthik Balaguru schrieb:
>
> > The internet connection is in Linux (Host OS).
> > I am just eager to know if i have Windows as a
> > guest OS on Host OS(Linux), is it less possible
> > for Windows to get infected by virus ?
>
> The guest systems are not protected in any special way.
>

Okay. It appears to be true!

> > If Windows crashes, is there a mechanism
> > to recover it from Host OS(Linux) ?
>
> No, except for easy backups of entire VMs, or the ability of the
> virtualization software to reset a VM into some previous state
> (snapshot). Both methods have their pros and cons, with regards to
> performance and disk space. I'd go for backups of entire machines, which
> are easy to restore (simply copy the VM folder). If you want to preserve
> huge downloads, put them on an independent virtual disk (not affected by
> snapshots), then you can backup the system and data disks independently.
>
> I found it good practice to separate system and data disks anyway. You
> can have any number of virtual disks, for different purposes, and with
> some experience you can use them in multiple VMs. E.g. I have
> independent disks for my many software projects, so that I can start
> updating a particular project by attaching the virtual disk to my
> development VM.
>
> Shared folders are another way for persistent data storage. The folders
> can be used in multiple VMs at the same time, and also are accessible
> from the host OS. Shared folders may be slower than virtual disks,
> because they are implemented as remote (network) resources, so that they
> should not normally be used for live data; but they can hold downloads
> very well, where the duplicate network traffic (from Internet to guest
> to disk) is almost negligible.
>
> In any case you should consider that a virus can spread onto *every*
> attached R/W disk or folder. That's why IMO restarting infectable guests
> from a clean state is essential. Where Windows systems have a higher
> risk of infection, because they are the preferred targets of malware
> producers. While newer Windows versions (Vista...) have acceptable
> admin/user isolation, its administration (ACL, UAC...) IMO still is a
> mess. At least it's easier to protect a Linux system by simply logging
> in as non-privileged user - the essential system files and folders are
> always owned by "root", without any need for special administration efforts.
>
> > Also, is there any mechanism to debug windows
> > from linux ? Any ideas ?
>
> No idea. Remote debugging may be possible, but that's not related to
> virtualization.
>
> > I am planning to use Ubuntu as Host OS and
> > Windows Vista as Guest OS and either
> > Vmware or VirtualBox (Virtual machines).
>
> If you want a stable host system, then do not use it for surfing at all.
> I'm using a tiny Win98 VM for surfing, which is easy to backup and also
> to restore to its "virgin" state after every Internet session. Any Live
> CD (Ubuntu, Knoppix...) can be used for that purpose as well, where a VM
> will boot the CD faster from the ISO image than from a CD drive.

Interesting to know that a VM will boot the CD faster
from ISO image than from the CD drive.

> BTW
> creating and burning ISO images is built-in with almost every Linux, no
> need for additional (expensive and/or unreliable) burning tools.
>

Karthik Balaguru