another approach for bigger security - needs advice

Discussion in 'other security issues & news' started by moni4m, Dec 26, 2007.

Thread Status:
Not open for further replies.
  1. moni4m, Registered Member (Joined: Dec 26, 2007; Posts: 6)

    Hi,

    Hope this is the right place. I posted one message in the VMWare forums. I would be grateful to have comments from security and virus/firewall experts.


    I hope I am not crazy to worry about security and privacy. It is a fact that I am on the internet now. Maybe I do not have enough knowledge. Maybe just a short comment, or maybe you could find it an interesting subject. Thank you for your time.


    link: http://communities.vmware.com/thread/118789?tstart=0
    copy/paste message:
    ---------------
    Hi all,

    I am an average IT user with average IT knowledge. I would be very grateful to have your comments. I have 2 questions. Sorry, the description below became longer, but the questions are short.

    If the host and guest OS are Windows (any version, could be the same Windows version in both):

    1) how do I disable internet for the host PC but use it in one of the guest VMs? It is OK for me even if the cost is a separate USB network card which is enabled/installed only in the guest VM.

    2) is it possible for a virus in a guest VM, specially designed for that purpose, to harm another guest VM or the host PC?



    What are my needs? In a perfect case I would like to have a different computer for: 1) work; 2) e-banking; 3) multimedia, photos; 4) games, tests; 5) internet, etc., multiplied by family members. First, it is not possible, and second, I want all my stuff inside my laptop (example - to get my photos when I visit my parents, etc.)

    How I got there. Initially it was simple: "do not run strange software and do not open email attachments", "do not send passwords, credit card details and bank details in reply to strange emails".

    After that came tons of firewall, anti-virus and anti-trojan software - a lot of time, money, nerves and performance. You have to install everything, and after that install security software to protect yourself 1) from the outside world, 2) from inside programs, 3) from your mistakes or your kids' mistakes. All these are complicated solutions (installing rootkits to remove or keep rootkit viruses away).

    Just after everything is set up and ready, another problem. You have 55 Windows services. But you know only 5 of them. You spend a lot of time reading on the internet, and because of 50% understanding plus 50% "most people advise that" - you disabled 15 critical services. And then one day you decide to install mobile phone synchronization software, which does not work because most services are disabled. So, in order to get your phone contacts (private data) you have to enable critical services - funny.

    I read about hardware firewalls (one good firewall costs a lot and is as big as my laptop). I read about multi-user environments (do not use the administrator account for daily activities). I do not see a nice and easy solution on the market (correct me if I am wrong).



    There are many examples. There are many security discussions on the internet. The current question is: why install software and then monitor it using more software? Why play with and learn about a multi-user environment (as I think we do not have a nice Windows solution on the market)? Why learn another OS (plus there could be similar problems)...

    All I want is:

    1) one virgin host OS without internet, with the ability to start/stop/switch guest OS

    2) many different VMs for different activities.

    3) one VM for all games (buy buy 3D games), tests and new technology. New technology comes with new risks.



    I am not in the security field. And I am not crazy about security. It is a kind of hobby. I can live with subjects like "review of best photo management software". Even "review of best backup software". But "best security software" - this is crazy. And finally you are never sure whether you are protected or not (in which cases you are protected and in which cases you are not).

    I think of this as a very nice idea.

    1) create one "e-banking" guest VM. Then using the host OS you could check all network traffic with a microscope. Not sure, but it looks like you could have full control.

    2) put all risks and viruses in an aquarium (freedom instead of antivirus). Then using the host OS it could be nice to browse all registry and file changes during the last session. There will be your changes, Windows changes and eventual virus activities (or trojan or anything).



    Thank you very much for your time. I will respect every advice.

    Have nice holidays.
    ---------------
     
  2. Mrkvonic, Linux Systems Expert (Joined: May 9, 2005; Posts: 10,223)

    Hello,

    To answer your questions:

    1. Not really sure it's possible. VM adapters are virtual adapters. While you can configure your firewall to filter packets in a certain way for a specific adapter, the connection still must run through a physical connection.

    You can disable all apps on host - and allow only VM - that's possible. Or if you have two physical connections, physically plug your machine into one and configure firewall to allow only VM on this one or plug it into the other and configure firewall to allow your host only.

    I'm not sure about leasing two IPs simultaneously - maybe Stem can help here.

    2. Not really likely, especially if you deny any sort of sharing to that machine.

    3. You can create something similar with free tools before using VM:

    Separate accounts.
    Hardware profiles for different needs.
    Security restriction policies per user.

    All these will make a huge separation between your needs, allowing you to boot quickly here or there.

    As to VM, you should use small Linux distros, maybe even live-CD ones as virtual machines for your secure needs. For instance, e-banking through Damn Small Linux, which is only 50MB download.

    Testing applications - good idea, VM.

    Testing games - not so good, 3D support is limited. You'll need a dedicated rig, or use imaging / rollback software.

    You don't need to go crazy with security. I think your idea is a fair overkill. I use the same machine for all you mentioned - save testing apps. No problem using your normal pc to connect to the bank or anything.

    Apps - dedicated vm or even a separate machine, for sure.

    You could also try MojoPac for testing apps and games - will run from any usb device, allows full separation between guest and host + 3D support! I'll post an article about this soon, btw.

    Furthermore, as far as security goes, try Linux as much as possible.

    You really need not use separate vm for banking - no need to go paranoid. The same goes for AV and such. You don't need to use these to be safe.

    It's really simple.

    - use firewall.
    - use non-IE browser.
    - use as many non-MS apps as possible - OpenOffice instead of MS Office, Thunderbird instead of Outlook, Pidgin instead of Messenger etc, you'll automatically cut down 99% of all problems.
    - backup your data regularly.
    - use imaging software to easily restore in case of crash, failure or possible infection.
    - indeed, consult here about apps you need; ask before executing.

    And that's all, simple and pain-free. Don't let the fear mongers cheese you.

    I hope this helps.

    Happy <choose favorite holiday> / new year.

    Cheers.
    Mrk
     
  3. moni4m, Registered Member (Joined: Dec 26, 2007; Posts: 6)

    Hi Mrkvonic,
    Hi all,



    Thank you for the quick reply.
    Sorry everyone for this long post, it is a holiday here and the web site name is "wild security"... :)



    answer: possible, do not assign IP address in host OS



    yes, you are right.



    I am not expecting VMWare-specific answers here. But I decided to post the VMWare answers here, so there is no need for others to go and read them there. The more I talk about the VMWare solution, the more I like it, except for the many expected performance and hardware compatibility issues.

    If your environment is flexible, you will get better results. But currently I am afraid to stop service X because after one month I will forget it and will notice that programs A, B, C are not working, and it will take me a lot of time to fix it.

    I was using ZoneAlarm Pro in the past; recently I had a little experience with Ghost Security Suite (nice application). All recent AV software is complex. If you want to set it up nicely, you will have to answer 1000 questions, most of them technical and not easy to understand.

    All this shows that increasing security is not possible in this environment. We have 100 services, 100 drivers, 1000 setup screens, etc. I do not see a good future in that direction. My understanding is that most security software is fighting viruses using all kinds of extreme technologies. We have the Windows firewall plus the Security Center service to protect or check whether the firewall is On or Off. One antivirus software installation includes drivers, services, everything. My understanding is that it would be 100 times easier if we had the option to do "out of box" protection. That is why we use live CDs (restore, backup, check viruses), but for them you need to reboot.

    Out of box must be easier: one to catch network traffic and analyze it. Easy to do incremental backup. First you will have backups, and second you could use it to see if system files are changed, if there is something unusual, etc. I do not know. VMWare is maybe not possible right now - because of performance, because of limitations. I think I will try it. In fact it is not a question about VMWare or ZoneAlarm or something else. It is a question of principle about this kind of encapsulation and isolation - we need different work areas, we need private data separate from the fun area, etc. (btw, I have 3 PCs at home but am still not satisfied)

    I would just like to have attention and comments regarding the "VMWare" isolation idea. Maybe someone has similar ideas or experience, etc.



    If people like this topic (maybe it is not new, but I did not find anything on the internet), here we could consider it as a general security question about work environment and habits, like "good security practices". There could be different points of view:
    - is it possible, is it secure
    - is it easy to set up such an environment - maybe yes, because by default everything will be disabled, because all guest OS are separate. The most important restriction you have to do is inside the "e-banking" OS - import your certificate and enable access only to your e-bank web page.
    - is it easy to make a mistake in such an environment - I think no, because it is an easy habit, an easy rule like: "money inside the e-banking OS, everything else in other guest OS, and mistakes in other OS will not be fatal". But the mistake of opening a wrong attachment is easy.

    Like that.



    This is one of the questions and there are two options:
    1. empty/dedicated Host OS, so all guest OS are secured. Everything goes inside guest OS. There will be performance issues.
    2. or normal host OS for usual but safe activities. Guest OS for testing. For better security and if you do not trust your host OS, then you will need one secured OS for "e-banking". Could be a live CD, but it means you always have to reboot.

    I have a little experience with Windows live CDs. Not all of them run successfully on my laptop. With all of them I have to set up my network every time.

    I was thinking a lot about second option. Mostly including hot-swap HDD or USB. Hot swap, because I want my private data HDD away when some other OS is active. USB drive - I was considering also limited read/write cycles. It is private data and I do not want to lose it.

    As I said, in a perfect case I need a different computer for: 1) work; 2) e-banking; 3) multimedia, photos; 4) games, tests; 5) internet, etc. In fact, everyone will have different needs. Also a different understanding of "private data". It is just named the "e-banking" OS. Someone will use it only for bank transactions. Somebody else will like to use it for every online purchase. If you add more activities to the "e-banking" OS, plus the fact that you have to reboot, very soon you could feel lazy and you could stop using it properly. From another point of view, as a separate guest OS (separate virtual machine), you can switch it like you switch applications.



    It was a mistake: "buy buy 3D games", I mean "bye bye 3D games". For that purpose I could use a separate partition/HDD with a separate installation of MS Windows.



    about 3.2: One note: here again we have a reboot. I have different hardware profiles (in the main profile the NetBIOS service is disabled) but I do not have much experience. Please give some example of how you use hardware profiles, or what the idea is here.

    about 3.1: I read a few topics about "how to use the administrator account for installation and a separate user account for everything else". I read that Windows Vista is more prepared for this.
    3.1.1. My understanding is that MS Windows is far away from a simple solution using user accounts.
    3.1.2. All new software by default is set up in a "user friendly" manner. How do you restrict/set up every single user account?
    3.1.3. This approach is not very good because software is installed for all accounts by default anyway. Binary files are there, start menu items are created automatically, etc. The VMWare solution is completely different. If we are talking about private data (as I read), then we could consider MS Windows and Google toolbar/cookies as a virus. Advertisement companies everywhere, showing different pages depending on what cookies you have on your PC, etc, etc. Using VMWare, I could be myself only in the "e-banking" OS. When I switch to the "testing" or "internet" OS I could be Mr. X.

    about 3.1 and about 3.3: please give more information. I could be wrong, but: do you think software vendors understand these technologies and produce user friendly software? Like every program has its admin console enabled for administrator only, etc, etc. I think this will happen after 10 years min.



    My understanding is this: "known viruses" is like "lucky man". Meaning, you could get the same results without antivirus software. I mean it is much better to know "that there is a virus and what data exactly it could touch", instead of thinking "I do not have a virus on my PC" where I do not even know how much private data I have.

    Sorry, a little off topic here: I am a regular man with average IT knowledge and in the past I had experience with an unknown virus. The same happened to one friend, a different unknown virus at a different time. We were lucky to track something unusual. And not happy to spend a lot of time trying with the default anti-virus, then all free anti-viruses, some online anti-virus checkers. My unknown virus was some program which hid files and folders with the name "HijackThis". First download was OK, then the file was missing. Trying to download again - failed. Download and save under a different name, then try to rename back, and the error "such file already exists". Trying to install it, but it creates a "HijackThis" folder in "program files", so the folder was hidden. I do not know what that was. I can tell you more stories if you want.

    I do not have time for such games. I want these issues separated, encapsulated, isolated. I do not want these issues to shut down my PC. I want my private data untouched. Live CDs are wonderful, but again fixing issues is not as fast as a simple switch between two VMWare guest OS. After that "unknown virus" case, I read about rootkits, etc. I think there are frameworks so everyone could get them and start experiments. For me it is not a miracle to get an unknown virus. Anti-virus solutions are very complex. We update antivirus definitions and catch the virus, then the virus is updated and becomes an unknown virus again. I do not mind, but I want my PC available full time, even if the price is buying 2 laptops. But VMWare looks like an easier solution - because even with different OS, there will be some common applications, settings, files, etc. And 1 laptop = 2kg, 2 laptops = 2*2kg.



    Ok, back to topic:
    I wrote my point of view above. It could be because I do not have enough knowledge. Please give your comments.



    Most of this is already done. But it is not as easy as I said:


    Let me paste this from the VMWare forum:
    Or, how many years do I have to wait until I get "windows recovery without reinstall", or at least "transparent migrate ALL application settings to another PC"? More or less, reinstall and recovery is a security subject. As I said - if you have a flexible and secure environment you will be able to protect your private data. Otherwise, with 1000 different settings, it is normal to make mistakes and get infected easily.

    Thinking like the "VMWare" idea could help.



    Thank you :), I am having nice holidays, drinking, sleeping, shopping online with a limited credit card just in case :). Security is like a hobby, and usually I have one crazy month in a year. It is interesting to search for the perfect solution with 99% security and without "unknown viruses". The pity is I never found the perfect solution. In the past viruses were simple and 99% of the time I understood how it came, what it did. Now I do not understand - kernel rootkits, bios rootkits, hooks, injecting DLL in another process, etc - all these are dark fields for me. But I do keep reading. Btw, if you want, read my second post in the VMWare forum.



    Maybe the main conclusion for me is to read more about available live CDs and virtual environments. In fact, about any solution which leads to separate environments. The problem is "one lovely wife and one lovely PC", I have to change my mind about PC and OS.



    Best wishes to all.
     
  4. moni4m, Registered Member (Joined: Dec 26, 2007; Posts: 6)

    Hi all,
    and happy new year.


    I reconsidered my "security" fears and I will try to describe one different point of view very simply.

    I do not want to spam this forum. I am not sure why people are not interested in this thread - please correct me if I am wrong.


    So, here is the simplest example:
    1) I have a laptop with Windows OS. I have 4 users - "administrator", "installator", "bank" and "chat". Windows and users are secured as much as possible.

    2) installator probably has access rights close to administrator (I am expert to give details)

    3) the "bank" user has private data in his private folders, he is restricted to run only IE/Mozilla and to visit only the bank web site.

    4) the "chat" user will be used for chatting.


    I need to install the chat program "X-Chat". The installation procedure will install:
    a) "X-chat" main program

    b) "X-toolbar" in IE/Mozilla (according to the help file, the toolbar will help you easily start the main chat program inside the browser)

    c) "X-service" (according to the help file, the service will detect if the network is available and will start the main chat program)

    d) "X-driver" (according to the help file, the driver allows you to show your desktop to the other chat users)

    The installation procedure does not give you any options for "custom install".


    I need to accomplish one simple task: after installation, to ensure that the "bank" user is secured.

    My questions are:
    1. how to do monitoring during the installation procedure in order to learn about all new drivers, new services, new programs.

    2. how to check what the current access rights of these new drivers, new services, new programs are

    3. how to change access rights in order to secure my "bank" user

    Mainly - what is the right procedure, the right settings and the right tools to accomplish this task.


    So: do you think it is a wrong example? Do you think this is possible, but difficult? Or is it easier in Linux?


    Thank you in advance.
    Kind regards.
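
One way to approach questions 1 and 2 in the post above, as an added example that is not part of the original thread: a PowerShell script that records services, drivers and registered programs before and after an installer runs, then lists what is new or changed together with the account each service runs under. The script name `inventory.ps1` and the snapshot file names are assumptions.

```powershell
# Added example, not from the thread. File names below are hypothetical.
#   .\inventory.ps1 -Mode Snapshot -Out before.xml    # before running the installer
#   .\inventory.ps1 -Mode Snapshot -Out after.xml     # after it finishes
#   .\inventory.ps1 -Mode Compare -Before before.xml -After after.xml
param(
    [ValidateSet('Snapshot', 'Compare')]
    [string] $Mode   = 'Snapshot',
    [string] $Out    = 'snapshot.xml',
    [string] $Before = 'before.xml',
    [string] $After  = 'after.xml'
)

function Get-SystemInventory {
    # Services: StartName is the account the service logs on as.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; Detail = $_.StartName
                           Start = $_.StartMode; Binary = $_.PathName }
    }
    # Drivers: ServiceType distinguishes kernel drivers from file-system drivers.
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        [pscustomobject]@{ Kind = 'Driver'; Name = $_.Name; Detail = $_.ServiceType
                           Start = $_.StartMode; Binary = $_.PathName }
    }
    # Installed programs, as registered under the machine-wide Uninstall keys.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object DisplayName | ForEach-Object {
            [pscustomobject]@{ Kind = 'Program'; Name = $_.DisplayName
                               Detail = $_.Publisher; Start = ''
                               Binary = $_.InstallLocation }
        }
}

if ($Mode -eq 'Snapshot') {
    Get-SystemInventory | Export-Clixml -Path $Out
    "Saved inventory to $Out"
}
else {
    $props = 'Kind', 'Name', 'Detail', 'Start', 'Binary'
    # '=>' marks entries present only in the second snapshot: new items and
    # existing items whose account, start mode or binary path changed.
    Compare-Object (Import-Clixml $Before) (Import-Clixml $After) -Property $props |
        Where-Object SideIndicator -eq '=>' |
        Select-Object Kind, Name, Detail, Start, Binary,
            @{ Name = 'HighPrivilege'
               Expression = { $_.Kind -eq 'Driver' -or $_.Detail -eq 'LocalSystem' } } |
        Sort-Object Kind, Name |
        Format-Table -AutoSize -Wrap
}
```

Browser add-ons such as the post's "X-toolbar" are registered per browser and are not covered by this inventory.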
     