VirtualBox: better to use NAT or Bridged Adapter for a malware test machine?

Hi MrBrian,

I just set up my VMWare build #8 guest with NAT and Jetico firewall on the host machine intercepts all network traffic attempts from the guest's vmnat.exe process, including both udp and tcp protocols as well as icmp attempts either outbound or to the host's ip address.

EDIT

as a quick test I shutdown Jetico fw and enabled Windows 7 fw, created a block inbound icmp v4 then pinged the host from guest vm and I received replies successfully, so it appears Windows fw does not block the guest vm in NAT mode.

 

@wat0114: Interesting; thanks for the tests . When you tested the built-in firewall, what network location were you using for the host's network (Public, Work, Home)?

 

Public profile.

 

This happens (I think) because Windows Firewall and Jetico firewall work at different levels in the stack. And because VBox must inject traffic at some point in order for virtual NAT to work, and if that injection point is at a point where the traffic doesn't pass through Windows Firewall, then you get the result from the experiment.

 

Yes, I think you're right. I mentioned something along those lines regarding Jetico's low level monitoring in a different thread.

 

I just tried some simple outbound block rules in the built-in Windows firewall for guests, and, believe it or not, they seemed to block traffic to other local machines (including the host), while preserving internet access. This worked for both Bridged Adapter and NAT. For example, using Bridged Adapter, my guest Windows firewall rule is block outbound from Local addresses 192.168.1.0/24 to Remote addresses 192.168.1.0/24.

 

Thanks for the links and tips on pfsense, but it sems like it might be more work and resource usage than is worth any security gains - if any - it has over just using bridged mode and a firewall on both the guest and host machines.

 

For normal use you are correct. But the OP talked about "a malware test machine", so the situation is a bit different. You cannot rely on a firewall installed in the same machine where you intend to run malware.

 

Maybe, but I'd have no problems using firewalls of Jetico's strength on both machines, a recent image on hand if needed. I keep nothing of sensitive personal nature on either too.

 

Tutorial for safer VirtualBox networking

 

I deleted those posts because I made a new tutorial .

If anyone wants the document from the first post that I deleted: https://docs.google.com/file/d/1oiI...08CI0hmbKElmWPTDSmHZtMuiAKO_otFddF/edit?pli=1.

 

You're welcome .

If one doesn't want to do the pfSense thing, then perhaps use the advice in post #31 to protect the host better. However, I like not having to worry about open ports on the host anymore . Also, what Nebulus said.

 

I remember a year or so ago using nMap and probing host from guest and not finding any open ports.

 

Good . Be aware though that by default Nmap doesn't scan all ports. For a simpler port scanner, I now like Advanced Port Scanner the most.

 

I don't know what proportion of malware tries to spread via vulnerabilities in programs that have ports open, but there are some. Example: from paper hxxp://info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf on the Uroburos malware:

 

That one looks familiar to me. I might have even used that one as well. I remember setting the options to scan all ports.