Tutorial for safer VirtualBox networking

Discussion in 'sandboxing & virtualization' started by MrBrian, Mar 3, 2014.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    This is a tutorial for setting up VirtualBox so that all of the following conditions are met:
    A. Virtual machines can't send traffic to the host, physical router, etc.
    B. Host can't send traffic to virtual machines.
    C. Virtual machines can send traffic to each other if allowed by the software firewalls (if any) in the virtual machines.
    D. Virtual machines have internet access via the host.

    See VirtualBox: better to use NAT or Bridged Adapter for a malware test machine? for a discussion of what's wrong security-wise with the networking capabilities built into VirtualBox.

    You may wish to read this entire thread before doing anything, since I won't be able to alter this post after a certain amount of time has passed.

    1. Download guide (in pdf format) at hxxp://magikh0e.ihtb.org/pubPapers/Penetration_Testing_LAB_Setup_Guide-iab.pdf .

    2. Download pfSense "Live CD with Installer" for your computer architecture. pfSense will be used as a virtual router.

    3. Create a new virtual machine for pfSense. See p. 7 in guide. The guide suggests 512 MB of memory; I use 256 MB. See https://www.pfsense.org/hardware/index.html#requirements for minimum memory requirements. Version should be either "FreeBSD" or "FreeBSD (64 bit)," corresponding with the computer architecture of the download in tutorial step 2. I recommend changing the boot order so that Hard Disk is first in the list.

    4. Do guide steps 1 and 2 on pp. 8-9. The guide suggests using Promiscuous Mode=Allow VMs, but I believe that the safer setting of Deny also works fine for both network adapters.

    5. Do guide step 3 on p. 9. When prompted for a start-up disk, choose the file downloaded in tutorial step 2. In guide step 3 iv, choose the default kernel setting.

    6. Do guide step 4 on p. 10.

    7. Do guide step 5 on p. 10. If asked about "new LAN IPv4 gateway address", press <Enter> for none. If asked about "new LAN IPv6 address," press <Enter> for none.

    8. Press 5 to reboot pfSense.

    9. Press 7 to ping a web server to see if pfSense has internet connectivity. You can ping www.google.com.

    10. Choose a virtual machine that you want to connect to pfSense. Remove all virtual network adapters from it except for one. Attach the virtual network adapter to Internal Network. The guide suggests using Promiscuous Mode=Allow VMs, but I believe the safer choice of Deny also works. Start the virtual machine. At a command prompt, type ipconfig; check that IPv4 Address is in the range specified in tutorial step 7. Browse the web to verify internet connectivity.

    11. In the virtual machine in tutorial step 10, use a web browser to browse 192.168.12.1. This should open the pfSense administrative interface. Default Username=admin. Default Password=pfsense. Go through the setup wizard; change the admin password at the appropriate step.

    12. Now we'll add pfSense firewall rule(s) so that any virtual machine connected to pfSense can't send traffic to your host computer or other local devices. You can use ipconfig in a command prompt on the host to find its IPv4 address and subnet mask. Add this rule: Action=Block; Interface=LAN; TCP/IP Version=IPv4; Protocol=Any; Source Type=LAN subnet; Destination Type=Network; Destination Address=(fill in yours; mine is 192.168.1.1 / 24). Move this rule as far to the top as possible, since rule order matters. You might need multiple rules. My LAN rules look like this:

    rules.png

    13. Repeat tutorial step 10 for any other virtual machines that you wish to connect to pfSense.

    The end.

    Feedback welcome :).
     
    Last edited: Mar 3, 2014
  2. MrBrian

    You can use Hercules to test if data can be sent to a given TCP port at a given IP address. Use its TCP Server to listen on a given computer's port. Use its TCP Client to (try to) send data to a port. The TCP Server window will show any data sent by the TCP Client to the listening TCP port.
     
    Last edited: Mar 3, 2014
  3. MrBrian

    I've changed my pfSense firewall rules from what was in tutorial step 12. Here are my current firewall rules:
    rules2.png
     
  4. MrBrian

    Note: failure of a ping to a given IP address isn't sufficient to show that there is no connectivity to that IP address. You should use Hercules to test.
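
Added example, not part of the original thread: a scripted version of the TCP test that posts #2 and #4 describe doing by hand with Hercules, meant to be run inside a guest VM that has Python installed (an assumption). The function names and the target list are this example's own; it separates a refused connection, which shows the packet still got an answer, from no response at all.

```python
import socket

def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP connection attempt made from inside the guest.

    'connected'   - handshake completed: the destination is reachable.
    'refused'     - an RST came back: the port is closed, but the packet
                    still reached the destination (or a Reject rule answered).
    'no-response' - timeout or unreachable error: consistent with a
                    firewall rule that silently drops the traffic.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "connected"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # includes timeouts and host/network unreachable
        return "no-response"
    finally:
        sock.close()

def check_isolation(targets, timeout=3.0):
    """Return (host, port, result, isolated) for every target.

    Only 'no-response' counts as isolated; a refusal is still an answer.
    """
    report = []
    for host, port in targets:
        result = probe_tcp(host, port, timeout)
        report.append((host, port, result, result == "no-response"))
    return report

if __name__ == "__main__":
    # Constructed target list: 192.168.1.1 is the example address from
    # step 12; replace it with your own host, router and modem addresses.
    targets = [("192.168.1.1", 80), ("192.168.1.1", 443), ("192.168.1.1", 445)]
    for host, port, result, isolated in check_isolation(targets):
        print(f"{host}:{port:<5} {result:<12} {'OK' if isolated else 'NOT ISOLATED'}")
```
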
     
  5. MrBrian

    I added another block rule to those in post #3 because the existing ruleset didn't block traffic to my modem's administrative page.
     
  6. MrBrian

    I updated my pfSense virtual machine to the latest pfSense version, because some older pfSense versions are vulnerable to Heartbleed. pfSense can be updated by choosing option "13) Upgrade from console."
     
    Last edited: May 16, 2014