Protecting the Windows using Linux

  • Thread starter: Karthik Balaguru
Do you mean to say that windows will get infected
even if it runs as a guest OS on linux OS ?
Strange !!

From the network point of view, the Windows machine is just another node
on the network, and the GNU/Linux machine will (normally) be its
gateway. Even when Windows runs inside a virtual machine context, it
still *is* Windows, with all of its vulnerabilities. However, the
viruses would only affect the Windows system, not the host operating
system.
 
Okay, but it is strange that there is no mechanism/tricks
in VirtualBox/VMware to make the packets flow
through the host OS to the guest OS?

I have no experience with VMWare or VirtualBox, but in my humble
opinion, it should be possible to set up the virtual machine so that it
uses the host OS as a router - I know that Xen supports different types
of networking, so I would imagine this to apply to VMWare or VirtualBox
as well.

Your guest OS will then not have an IP address on the same subnet as the
host OS, though, so the host will have to be set up as a NAT. This
gives you control over the firewalling towards the guest via iptables.
 
Karthik said:
Okay.
Another possible thought is disabling the
internet support in the guest OS. But that would
be blocking the applications that are running on
the guest OS from accessing the internet. :-(

precisely.

In my setup, I have just switched to VirtualBox; the ONLY app that
touches the internet is IE6, which I need to test websites.

I found screen was too slow and networking strangely odd, with VMware.

all internet related stuff is done under Linux.

The approach I have taken, is to reduce Windows to the four programs I
need that will only run on it.


Okay, but it is strange that there is no mechanism/tricks
in VirtualBox/VMware to make the packets flow
through the host OS to the guest OS?

Oh, I am sure you could use some kind of packet filtering and/or virus
scanning.. BUT that's not what virtualisation is normally designed to do.

It's not in the business of protecting Windows from its own ghastliness:
It's there to present as clean an interface to windows with as much
speed as possible.

FWIW I have a Debian install, with fairly late kernels and VirtualBox from
backports.

It's clean and works better than VMware Server or VMplayer IME.
 
Certainly! By emulating the full OS, you emulate the bugs and
vulnerabilities.

Agreed !
There are some interesting approaches to this. Using ClamAV and the
like to scan the Windows filesystem, from the safe Linux world, is very
handy at spotting some kinds of infected files. But other
vulnerabilities, such as website infection attacks, can use holes in
the existing Windows software that ClamAV has no chance of detecting.
Okay.

Another approach I've just heard about is using VMWare and a kernel in
the Hypervisor that hosts the guest operating systems to provide
certain types of protection: this might work best with paravirtualized
kernels in the guests.

Need to check the paravirtualization.
Now, if our friend was running WINE, and using that to run Windows
applications actually on the Linux host and not in a virtualized
operating system, *THAT* gets you some protection from virus trouble.
But not everything runs well that way.

True that not everything would run well that way.

Karthik Balaguru
 
The guest systems are not protected in any special way.

Okay . It appears to be true !
No, except for easy backups of entire VMs, or the ability of the
virtualization software to reset a VM to some previous state
(snapshot). Both methods have their pros and cons with regard to
performance and disk space. I'd go for backups of entire machines, which
are easy to restore (simply copy the VM folder). If you want to preserve
huge downloads, put them on an independent virtual disk (not affected by
snapshots); then you can back up the system and data disks independently.

I found it good practice to separate system and data disks anyway. You
can have any number of virtual disks, for different purposes, and with
some experience you can use them in multiple VMs. E.g. I have
independent disks for my many software projects, so that I can start
updating a particular project by attaching the virtual disk to my
development VM.

Shared folders are another way to store data persistently. The folders
can be used in multiple VMs at the same time, and are also accessible
from the host OS. Shared folders may be slower than virtual disks,
because they are implemented as remote (network) resources, so they
should not normally be used for live data; but they can hold downloads
very well, where the duplicate network traffic (from Internet to guest
to disk) is almost negligible.

In any case you should consider that a virus can spread onto *every*
attached R/W disk or folder. That's why IMO restarting infectable guests
from a clean state is essential, especially for Windows systems, which
have a higher risk of infection because they are the preferred targets
of malware producers. While newer Windows versions (Vista...) have
acceptable admin/user isolation, their administration (ACL, UAC...) IMO
still is a mess. At least it's easier to protect a Linux system by simply
logging in as a non-privileged user - the essential system files and
folders are always owned by "root", without any need for special
administration efforts.


No idea. Remote debugging may be possible, but that's not related to
virtualization.


If you want a stable host system, then do not use it for surfing at all.
I'm using a tiny Win98 VM for surfing, which is easy to back up and also
to restore to its "virgin" state after every Internet session. Any Live
CD (Ubuntu, Knoppix...) can be used for that purpose as well, and a VM
will boot the CD faster from the ISO image than from a CD drive.

Interesting to know that a VM will boot the CD faster
from ISO image than from the CD drive.
BTW
creating and burning ISO images is built-in with almost every Linux, no
need for additional (expensive and/or unreliable) burning tools.

Karthik Balaguru
 
I have no experience with VMWare or VirtualBox, but in my humble
opinion, it should be possible to set up the virtual machine so that it
uses the host OS as a router - I know that Xen supports different types
of networking, so I would imagine this to apply to VMWare or VirtualBox
as well.  

It is available !
Your guest OS will then not have an IP address on the same subnet as the
host OS, though, so the host will have to be set up as a NAT.  This
gives you control over the firewalling towards the guest via iptables.

I think using the NAT networking option of VirtualBox
can provide some protection. But I do not find clear links
that describe a complete virus-protection mechanism
for internet traffic sent from the host to the guest OS.

Thx in advance,
Karthik Balaguru
 
precisely.

In my setup..I have just switched to Virtualbox .. the ONLY app that
touches the internet is IE6, which I need to test websites.

I found screen was too slow and networking strangely odd, with VMware.

all internet related stuff is done under Linux.

The approach I have taken, is to reduce Windows to the four programs I
need that will only run on it.



Oh, I am sure you could use some kind of packet filtering and or virus
scanning..BUT thats not what virtualisation is normally designed to do.

Okay, so how can we tweak either VirtualBox or VMware
and other configurations so that the packets get filtered/scanned
before going to the guest OS (Windows)?
Forcing them through some firewalls on the host OS (Linux) would
be another thought, but that will not help completely.
Is the method of scanning all the packets that arrive at the NIC
for virus signatures the only way? But that would tremendously
slow the system, as many virus definitions should be available,
and it should be done at the level of the NIC, which in turn loads the
NIC heavily.

If not at the NIC level, it can be thought of as
a separate piece of software that scans all the packets that are going
to the guest OS (Windows) from the host OS (Linux), but I think
that would also slow down the system tremendously even
though it is independent of the NIC.
Any thoughts?
It's not in the business of protecting Windows from its own ghastliness:
It's there to present as clean an interface to windows with as much
speed as possible.

Agreed :-)
FWIW I have a Debian install, with fairly late kernels and VirtualBox from
backports.

It's clean and works better than VMware Server or VMplayer IME.

Thx in advance,
Karthik Balaguru
 
[Follow-up set to comp.os.linux.setup]

It is available !

The alternative would be to use firewalling at the router level if you
opt for bridging. I guess this all depends on the firewalling
capabilities of the router. Using the GNU/Linux host operating system
as a NAT may provide for a solution if the router doesn't have an
adequate firewall, given the flexibility of iptables.
I think using the NAT networking option of VirtualBox
can provide some protection. But I do not find clear links
that describe a complete virus-protection mechanism
for internet traffic sent from the host to the guest OS.

Viruses and network traffic are two different things. Viruses may *use*
network connections, but in my humble opinion it would then be far
wiser to try and rid the guest of viruses instead of letting the
viruses run amok and only block them at the firewall level.

And that brings you back to running antivirus software on the guest
itself, I'm afraid.
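As an added illustration of the host-as-NAT-router idea in this reply and in the earlier post about firewalling towards the guest via iptables, the two rule sets below contrast a plain NAT gateway (the guest reaches the Internet directly and nothing it downloads is inspected) with a host that forwards nothing and only accepts the guest's connections to a scanning proxy running on the host. This is example code written for this page, not VirtualBox's or any poster's configuration. One caveat worth knowing: VirtualBox's own NAT mode does the translation inside the VM process, so the host's FORWARD chain never sees that traffic; the rules assume the guest sits on a host-only or internal network instead. The host-side interface vboxnet0, the 192.0.2.0/24 network (documentation range), the uplink eth0 and the proxy port 3128 are all assumptions.

```python
"""Two iptables policies for a Windows guest whose only path out is the Linux host.
Added illustration written for this page, not VirtualBox's or any poster's setup.
Assumed names: guest network 192.0.2.0/24 on host interface vboxnet0 (host-only or
internal network), host uplink eth0, scanning HTTP proxy listening on host port 3128."""
import subprocess

GUEST_NET = "192.0.2.0/24"   # constructed: documentation range, not a real LAN
GUEST_IF = "vboxnet0"        # assumed host-side interface of the guest network
UPLINK_IF = "eth0"           # assumed host uplink
PROXY_PORT = 3128            # assumed port of the host-side scanning proxy


def nat_rules():
    """Plain NAT gateway.  The guest is unreachable from outside, but it can
    open connections anywhere and nothing it downloads is inspected."""
    return [
        ["iptables", "-P", "FORWARD", "DROP"],
        ["iptables", "-A", "FORWARD", "-i", GUEST_IF, "-s", GUEST_NET,
         "-o", UPLINK_IF, "-j", "ACCEPT"],
        ["iptables", "-A", "FORWARD", "-i", UPLINK_IF, "-o", GUEST_IF,
         "-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"],
        ["iptables", "-t", "nat", "-A", "POSTROUTING", "-s", GUEST_NET,
         "-o", UPLINK_IF, "-j", "MASQUERADE"],
    ]


def proxy_only_rules():
    """Hardened gateway.  Nothing is forwarded or masqueraded; the guest may
    only talk to the scanning proxy on the host, so every web object it
    receives has passed the host-side scanner first."""
    return [
        ["iptables", "-P", "FORWARD", "DROP"],
        ["iptables", "-A", "INPUT", "-i", GUEST_IF, "-m", "conntrack",
         "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"],
        ["iptables", "-A", "INPUT", "-i", GUEST_IF, "-p", "tcp",
         "--dport", str(PROXY_PORT), "-j", "ACCEPT"],
        ["iptables", "-A", "INPUT", "-i", GUEST_IF, "-j", "DROP"],
    ]


def allows_direct_internet(rules):
    """Policy check: is there any rule that forwards guest traffic out?"""
    return any("FORWARD" in r and "ACCEPT" in r and GUEST_IF in r for r in rules)


def apply_rules(rules, dry_run=True):
    """Print each command; with dry_run=False actually run them (needs root)."""
    for cmd in rules:
        print(" ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)
    return len(rules)


if __name__ == "__main__":
    for name, rules in (("nat", nat_rules()), ("proxy-only", proxy_only_rules())):
        print(f"# {name}: guest reaches the Internet directly? "
              f"{allows_direct_internet(rules)}")
        apply_rules(rules)            # dry run: print only
```

Run as-is it only prints the two rule sets and the policy check; the proxy-only variant is the one that makes "scan before it reaches the guest" enforceable, because the guest has no route that bypasses the proxy.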
 
Karthik said:
Okay, So how can we tweak either VirtualBox or Vmware
and other configurations so that the packets get filtered/scanned
before going to the Guest OS(Windows) .

run a mail server on linux, scan there and pickup from then on.

use linux as a proxy web server. Maybe.
 
And so it was that in the sacred domain of comp.os.linux.advocacy said:
Do you mean to say that windows will get infected
even if it runs as a guest OS on linux OS ?
Strange !!

Not really, all a virus is, is data. Different viruses get in in different
ways. If, say, it exploits IE to run itself when you land on a certain
webpage, then whether you're using IE on Windows virtualised or native, it
won't make a snot of difference.

IF your linux is properly firewalled so nothing else can get in through the
back door on your virtual windows that's ONE added layer of protection.

Ignore him.
In that respect at least. Linux is safer.
--
| (e-mail address removed) | Windows95 (noun): 32 bit extensions and a |
| | graphical shell for a 16 bit patch to an 8 bit |
| Andrew Halliwell BSc | operating system originally coded for a 4 bit |
| in |microprocessor, written by a 2 bit company, that|
| Computer Science | can't stand 1 bit of competition. |
 
Karthik said:

If you want to protect Microsoft Windows using GNU/Linux then don't let
Windows connect to the Internet directly.

Use an HTTP proxy (e.g. squid) and set it up to scan for malware. The same
for email: set up an email server that gets the mail from your accounts and
scans the email for malware. Malware also moves through IM protocols, but I
don't know of any IM proxy that scans for malware.

The above can be used with MS Windows running on the hardware or in virtual
machines.

A better solution would be to move to GNU/Linux for all your Internet
activities and use MS Windows inside a VM for whatever Windows programs you
may need or want to use.

Regards.
 
run a mail server on linux, scan there and pickup from then on.

use linux as a proxy web server. Maybe.

I think I need to go in for some content-filtering web proxy,
mostly a web proxy that is based on ICAP.
An ICAP-based web proxy (ICAP is a lightweight HTTP-based protocol, RFC 3507)
can communicate with daemon-based ICAP antivirus software to add anti-virus
capabilities, and can also remove other malware by scanning
incoming content in real time before it enters the network.


Extract from RFC 3507 -
" ICAP, the Internet Content Adaption Protocol, is a protocol
aimed at providing simple object-based content vectoring for
HTTP services.
ICAP is, in essence, a lightweight protocol for executing a
"remote procedure call" on HTTP messages. It allows ICAP
clients to pass HTTP messages to ICAP servers for some
sort of transformation or other processing ("adaptation").
The server executes its transformation service on messages
and sends back responses to the client, usually with
modified messages. The adapted messages may be
either HTTP requests or HTTP responses.

Surrogates or origin servers can avoid performing
expensive operations by shipping the work off to other
servers instead. This helps distribute load across multiple
machines. For example,
consider a user attempting to download an executable
program via a surrogate (e.g., a caching proxy). The
surrogate, acting as an ICAP client, can ask an external
server to check the executable for viruses before
accepting it into its cache. "

So, I think this is one better way of providing
the data from the internet to Windows (guest OS)
from Linux (host OS).

Any other thoughts ?

Thx in advance,
Karthik Balaguru
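The exchange described in the RFC extract above, and the scanning-proxy setup suggested in the earlier squid reply, as an added example that is not part of the original thread and not code from squid or any ICAP product: a proxy-side client wraps the origin server's HTTP response in an ICAP RESPMOD request, and a server-side handler decodes the encapsulated body, scans it, and answers either 204 (deliver unmodified) or 200 with a replacement 403 response. The service URI icap://scan.example/respmod, the signature list and the sample traffic are all constructed for this example.

```python
"""Minimal ICAP RESPMOD exchange after RFC 3507, with both sides shown: the
proxy-side client that encapsulates an HTTP response, and the scanning server
that decides whether the proxy may hand that response on to the guest.
Added illustration, not code from the thread or any ICAP product.  The service
URI icap://scan.example/respmod and the signature list are constructed."""
import re

CRLF = b"\r\n"
ICAP_URI = b"icap://scan.example/respmod"  # constructed service URI
# Constructed signature standing in for a real scanner's definitions.
SIGNATURES = [b"CONSTRUCTED-MALWARE-MARKER-DO-NOT-RUN"]
BLOCK_TEXT = b"Download blocked by the host-side content scanner.\r\n"


def chunked(body):
    """Encode a body as one HTTP chunk followed by the terminating zero chunk."""
    if not body:
        return b"0" + CRLF + CRLF
    return b"%x" % len(body) + CRLF + body + CRLF + b"0" + CRLF + CRLF


def dechunk(data):
    """Decode chunked transfer encoding; chunk extensions are ignored."""
    out, pos = bytearray(), 0
    while True:
        end = data.index(CRLF, pos)
        size = int(data[pos:end].split(b";")[0], 16)
        if size == 0:
            return bytes(out)
        pos = end + 2
        out += data[pos:pos + size]
        pos += size + 2  # step over the chunk's own trailing CRLF


def parse_encapsulated(header_block):
    """Turn 'Encapsulated: req-hdr=0, res-hdr=48, res-body=120' into a dict."""
    m = re.search(rb"Encapsulated:\s*([^\r\n]+)", header_block)
    return {k.strip(): int(v) for k, v in
            (part.split(b"=") for part in m.group(1).split(b","))}


def build_respmod(req_hdr, res_hdr, body):
    """Proxy side: wrap the origin server's reply in an ICAP RESPMOD request.
    req_hdr and res_hdr are complete HTTP header blocks ending in CRLF CRLF."""
    enc = b"Encapsulated: req-hdr=0, res-hdr=%d, res-body=%d" % (
        len(req_hdr), len(req_hdr) + len(res_hdr))
    icap_hdr = CRLF.join([b"RESPMOD " + ICAP_URI + b" ICAP/1.0",
                          b"Host: scan.example", b"Allow: 204", enc, b"", b""])
    return icap_hdr + req_hdr + res_hdr + chunked(body)


def scan(body):
    """Return the matching signature, or None when the body is clean."""
    return next((s for s in SIGNATURES if s in body), None)


def icap_reply(res_hdr, body):
    """Server side: a 200 answer carrying a (possibly replaced) HTTP response."""
    enc = b"Encapsulated: res-hdr=0, res-body=%d" % len(res_hdr)
    icap_hdr = CRLF.join([b"ICAP/1.0 200 OK", b'ISTag: "scan-example-1"',
                          enc, b"", b""])
    return icap_hdr + res_hdr + chunked(body)


def handle_respmod(msg):
    """Server side: parse the request, scan the body, answer with a verdict."""
    hdr_end = msg.index(CRLF + CRLF) + 4
    icap_hdr, payload = msg[:hdr_end], msg[hdr_end:]
    offsets = parse_encapsulated(icap_hdr)
    if b"res-hdr" not in offsets or b"res-body" not in offsets:
        return b"ICAP/1.0 400 Bad Request" + CRLF + CRLF
    res_hdr = payload[offsets[b"res-hdr"]:offsets[b"res-body"]]
    body = dechunk(payload[offsets[b"res-body"]:])
    if scan(body) is None:
        if b"Allow: 204" in icap_hdr:      # client accepts the "unmodified" shortcut
            return b"ICAP/1.0 204 No Content" + CRLF + CRLF
        return icap_reply(res_hdr, body)  # otherwise echo the response back
    forbidden = CRLF.join([b"HTTP/1.1 403 Forbidden", b"Content-Type: text/plain",
                           b"Content-Length: %d" % len(BLOCK_TEXT), b"", b""])
    return icap_reply(forbidden, BLOCK_TEXT)


def filter_response(req_hdr, res_hdr, body):
    """The whole exchange as the proxy sees it.  Returns the HTTP status line
    and body that would actually be delivered to the guest."""
    answer = handle_respmod(build_respmod(req_hdr, res_hdr, body))
    if answer.startswith(b"ICAP/1.0 204"):
        return res_hdr.split(CRLF, 1)[0], body
    hdr_end = answer.index(CRLF + CRLF) + 4
    offsets = parse_encapsulated(answer[:hdr_end])
    payload = answer[hdr_end:]
    new_hdr = payload[:offsets[b"res-body"]]
    return new_hdr.split(CRLF, 1)[0], dechunk(payload[offsets[b"res-body"]:])


# Constructed sample traffic: one harmless page and one download carrying the marker.
REQ_HDR = b"GET /setup.exe HTTP/1.1\r\nHost: origin.example\r\n\r\n"
RES_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"

if __name__ == "__main__":
    print(filter_response(REQ_HDR, RES_HDR, b"<html>harmless</html>"))
    print(filter_response(REQ_HDR, RES_HDR, b"MZ\x90\x00" + SIGNATURES[0]))
```

The point the RFC extract makes is visible in `filter_response`: the guest only ever sees what comes back from the ICAP side, so the decision happens on the host before the bytes cross into the VM. A real deployment would pass the body to an actual scanner instead of the constructed signature list, and the proxy would additionally run REQMOD on uploads.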
 
Any other thoughts ?

Thx in advance,
Karthik Balaguru

Yea.
You'll never get a decent answer to your question in
comp.os.linux.advocacy because most of the so called Linux
"advocates" run Windows.
 
["Followup-To:" header set to comp.os.linux.advocacy.]
I have no experience with VMWare or VirtualBox, but in my humble
opinion, it should be possible to set up the virtual machine so that it
uses the host OS as a router - I know that Xen supports different types
of networking, so I would imagine this to apply to VMWare or VirtualBox
as well.

Sure you can use different types of networking on vbox and vmware. I
have three Windows guests (one 2003 Server, one XP Pro and one 7
Ultimate) on my Debian host, and they are all on an internal
virtualbox network behind a FreeBSD guest, which is bridged to the
host's network on its 'external' interface.

I really need to look into Xen soon. Never used it, because at the
moment vbox offers everything I need for virtualisation (and at work
I'm 'forced' to use vmware because it is the 'industry standard').
 
If you feel like taking a peek -  look here:

   http://pubs.vmware.com/vi-sdk/visdk250/ReferenceGuide/

To be fair - I rarely use this (once to be exact, via the Perl interface)
but our systems group at work does some really cool stuff with this. For
when I need the CLI with VMWare (not very often) it's usually just scripting
like 'vmrun list | start | stop | etc'

I use it with Ubuntu which works very, very well.

Your impression might have been right. I've read some benchmarks on this in
the past and they both do well. To a large degree it depends on what you're
doing with the VMs but overall the performance-diffs are minor enough where
they don't usually matter.

Which IMO is a better solution if you need to run 'multiple instances' of
the host OS. But if you want to run a different OS then you need to fully
virtualize it.

I came across the below on the internet -
The below seems to give some thoughts
regarding performance analysis & methods used -
http://virtualizationreview.com/Articles/2009/03/02/Lab-Experiment-Hypervisors.aspx

A very long comparative list of platform virtual machines -
http://en.wikipedia.org/wiki/Comparison_of_platform_virtual_machines

Karthik Balaguru
 
For the first part, you use a proper firewall (i.e., not a windows
software firewall) - using a Linux host as a NAT router for a guest is
perfectly good.  

Okay !
And avoid using software that risks doing things
without asking you - i.e., avoid Internet Explorer, Outlook, MSN client,
and any other software that accesses the web using IE's engine.

Karthik Balaguru
 