Virtualbox security questions....

Discussion in 'Virtualization' started by RASelkirk, Nov 14, 2015.

  1. RASelkirk

    RASelkirk MDL Member

    Feb 4, 2010
    174
    7
    10
    Hi All,

    I have an old XP Pro guest installation running on my Win7 host. BTW, this is using Oracle Virtualbox, a wireless card, router, and ZoneAlarm on the host. If I access the 'net from within the VM, what can hackers and NSA types see as far as my host IP and machine info? Do I need a separate FW on the VM? Any good sources for tightening things up?

    TIA!
     
  2. sebus

    sebus MDL Guru

    Jul 23, 2008
    5,833
    1,748
    180
    Sure, ditch XP altogether, but I suppose you already know it?
     
  3. Carlos Detweiller

    Carlos Detweiller MDL Spinning Tortoise

    Dec 21, 2012
    2,273
    1,857
    90
    It all depends on the network type selected.
    NAT and NAT Network types use Network Address Translation between VM and Host. VMs configured with NAT types use the Host to connect.
    Bridge, on the other hand, hooks into the Host NIC at a low level/layer. As a result, the VM will get an IP address of its own from the router and will appear as a completely separate machine.

    However, as most people use routers today, the point is moot (unless IPv6 is used). The Router performs NAT, too, and all machines behind it appear as one IPv4 address only (the public router IP).
     
  4. RASelkirk

    RASelkirk MDL Member

    Feb 4, 2010
    174
    7
    10
    Carlos,

    This is pretty much what I found out. All the NAT stuff I read led me to believe that an external site (like the GRC site posted above) would see the VM's IP address and not the router, however, this is not true as you stated above as GRC always resolves to my router. I did DL the TOR browser and tried it from within my VM. Now that's a different story! TOR's security page says you may be "open" by browsing to a commercial (.com) site, but when I accessed GRC's "Shields UP" using that browser, it showed me as someone with an IP from France.

    I saw that bridge option, but didn't understand it. Are there any tricks I should know? I'd like to test that out...

    BTW, I've never had a single breach since moving to (only) Malware Pro and ZoneAlarm on XP over 5 years ago. No AV program whatsoever now!

    Thanks!
     
  5. JFKI

    JFKI MDL Expert

    Oct 25, 2015
    1,098
    369
    60
    Regarding breaches, the best thing you could do is make sure your ports are stealthed.
    That GRC website will help you with diagnosing that.
    The first 1024 are relatively easy, the other 64511 are a bit of a PITA.
    Took me a week of evenings to make sure back in 2005 after getting hacked... By the DOD.
    < sigh - Long story, but they should not have let Altavista crawl one of their workstations. >
     
  6. Carlos Detweiller

    Carlos Detweiller MDL Spinning Tortoise

    Dec 21, 2012
    2,273
    1,857
    90
    (Note: IPv4 only) For a normal network setup the router defines and distributes LAN IPs. For all external access the LAN IPs get translated to the public IP the router got from the ISP (=NAT). Thus, as long as a connection goes through the router it doesn't matter at all how the VM is set up - all connections will appear to come from one single IP, the ISP public IP.

    Setting up the VM with NAT adds a second NAT layer, with VirtualBox being the router. For the "NAT" setting, VB defines a VB network of its own, usually 10.2.0.x for the first Network adapter. "NAT Network" can be defined in settings and even supports IPv6, but essentially it's the same principle. Important: All connections originate from the Host, not the VM.
    Bridged simply emulates a virtual Network card and asks your present router for an IP. The VM will appear as being a further machine in your LAN. But even then it still connects through the router. No tricks, and you can even run services on the VM.

    The TOR network works by routing the traffic through several other PCs of volunteers etc. Those are called "Nodes". The IP GRC told you is the one from someone running a special type of Node, an "Exit Node". So, even if you still connect through the router, your identity is obfuscated by randomly redirecting the packets through other PCs. It's called "The Onion Router" for a reason. ;)

    tl;dr: You can safely try Bridge Mode.
     
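As an added example that is not part of the thread and not Oracle's own VirtualBox code: the distinction Carlos draws in posts #3 and #6 (NAT guest = outbound only, through the host; bridged guest = a further machine on the LAN) can be checked from the host with a small POSIX shell audit. It parses the text that `VBoxManage showvminfo <vm> --machinereadable` prints (the `nic1="..."` and `Forwarding(N)="..."` fields are VBoxManage's own names as I know them; the sample output below is constructed, not captured from a real VM) and only the `audit_all_vms` function assumes VBoxManage is on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: audit which network mode each VirtualBox
# VM uses and what that means for reachability. The parsing functions work on
# the text printed by `VBoxManage showvminfo <vm> --machinereadable`; only
# audit_all_vms needs VirtualBox's VBoxManage on PATH (assumption).

# Print the mode of NIC number $1 (nat, natnetwork, bridged, hostonly, intnet,
# none) from showvminfo output read on stdin.
nic_mode() {
  sed -n 's/^nic'"$1"'="\([^"]*\)"$/\1/p'
}

# Count NAT port-forwarding rules (lines like Forwarding(0)="rdp,tcp,,3389,,3389")
# in showvminfo output read on stdin. Each rule opens a host port that relays
# into the guest, so forwards are the only inbound path a NAT guest has.
nat_forward_count() {
  grep -c '^Forwarding([0-9]*)=' || true
}

# Map a mode plus forward count to a one-word reachability verdict.
# bridged: the guest gets its own LAN address from the router and is reachable
#          from the LAN like any other machine (still behind the router's NAT
#          towards the internet, as the thread says).
# nat/natnetwork: outbound only, via the host, unless port forwards exist.
exposure() {
  mode=$1
  forwards=${2:-0}
  case "$mode" in
    bridged) echo "lan-reachable" ;;
    nat|natnetwork)
      if [ "$forwards" -gt 0 ]; then
        echo "nat-with-forwards"
      else
        echo "nat-outbound-only"
      fi ;;
    hostonly|intnet) echo "host-or-internal-only" ;;
    none|null) echo "no-network" ;;
    *) echo "unknown:$mode" ;;
  esac
}

# Walk every registered VM and print: name, nic1 mode, forward count, verdict.
# `VBoxManage list vms` prints one `"name" {uuid}` line per VM.
audit_all_vms() {
  command -v VBoxManage >/dev/null 2>&1 || { echo "VBoxManage not on PATH" >&2; return 1; }
  VBoxManage list vms | sed 's/^"\(.*\)" {.*}$/\1/' | while IFS= read -r vm; do
    info=$(VBoxManage showvminfo "$vm" --machinereadable)
    mode=$(printf '%s\n' "$info" | nic_mode 1)
    fwds=$(printf '%s\n' "$info" | nat_forward_count)
    printf '%s\tnic1=%s\tforwards=%s\t%s\n' \
      "$vm" "${mode:-none}" "$fwds" "$(exposure "${mode:-none}" "$fwds")"
  done
}

# Constructed sample output (not captured from a real VM) so the parsing can be
# exercised without VirtualBox installed.
SAMPLE_NAT='nic1="nat"
natnet1="nat"
Forwarding(0)="rdp,tcp,,3389,,3389"'
SAMPLE_BRIDGED='nic1="bridged"
bridgeadapter1="wlan0"'

# Stand-alone run: verdict for both samples, then the real VMs if VBoxManage exists.
for sample in "$SAMPLE_NAT" "$SAMPLE_BRIDGED"; do
  m=$(printf '%s\n' "$sample" | nic_mode 1)
  f=$(printf '%s\n' "$sample" | nat_forward_count)
  printf 'sample nic1=%s forwards=%s -> %s\n' "$m" "$f" "$(exposure "$m" "$f")"
done
audit_all_vms 2>/dev/null || true
```

Run it on the host; without VirtualBox installed it only reports the two constructed samples. A guest that comes out as `lan-reachable` is the bridged case from post #6: it is a further machine on the LAN with nothing of the host's in front of it, so a firewall inside that guest matters. A guest reported as `nat-outbound-only` is reachable from nowhere but the host, and each `Forwarding(N)` rule is one deliberate hole in that. Switching a VM between the two is `VBoxManage modifyvm "<vm>" --nic1 nat` or `--nic1 bridged --bridgeadapter1 <iface>`.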