 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] isolation between VM's
 Date:  Mon, 21 Mar 2005 12:44:54 -0500
On Mon, 21 Mar 2005 17:19:33 +0800, John Lewis <john at bea dot com dot au> wrote:
> What effective level of isolation is there between VM's ?

Assuming you're talking about VMware here.  This is more appropriate
for a VMware forum and you might get better help there, but I'll
answer from my VMware experience.

Assuming there aren't any security issues in VMware with memory and
other isolation, VM's and the host machine can't affect each other any
more than any other network attached hosts could.  If you're loading
up a network-based worm or something similar, it can go as far as you
let network traffic from that VM go.  VMnets are segregated from each
other, but each individually acts like a hub - i.e. you could throw a
sniffer on any VMnet and see all the traffic on that net.

> Ie. If Mono is installed, then many VM's using either NAT or bridge
> mode, and I install malicious software on one VM, will this allow them
> access to other VM's ?

On the same VMnet, yes.  Or in bridged or NAT mode (that's a very bad
idea for reverse engineering malware purposes, sounds like that's what
you want to do) it'll have access to your entire LAN (or whatever
you're bridging/NAT'ing it to).  Stick with VMnets in these

Anything on the same VMnet as the infected host will be just like
having two physical systems on the same network hub, so watch what you
put on that VMnet.

> Chrooting does not seem to be of help here, so do you need a message box
> to popup showing you traffic that is moving between VM's ?

The only way you could accomplish this is to put a sniffer on the
VMnet.  I like to use FreeSBIE (www.freesbie.org) VM's for this
purpose for ease of setup.  Throw one on the VMnet of the "bad" VM and
run tcpdump using appropriate filters.
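The monitoring setup described above (a sniffer VM on the same VMnet as the untrusted guest, running tcpdump with a filter) leaves the analyst with a stream of text to read. As an added example, not part of the mailing-list post or of any VMware or FreeSBIE tooling, here is a small Python script that builds the tcpdump filter expression and then classifies the untrusted guest's outbound connections from `tcpdump -n` style output: connections to neighbours on the VMnet (the "two systems on one hub" case) versus connections addressed outside the VMnet (traffic that a NAT or bridged VMnet would carry onto the real LAN). The capture text, the 192.168.50.0/24 VMnet, the guest at .10 and the sniffer at .2 are all constructed assumptions.

```python
"""Summarize tcpdump output captured on a sniffer VM that sits on the same
VMnet as an untrusted guest, and flag where that guest's traffic is going.
Added example; the sample capture and all addresses below are constructed
assumptions, not values taken from the mailing-list post."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the shape of `tcpdump -n` text output (not a real capture).
# Assumed layout: host-only VMnet 192.168.50.0/24, untrusted guest .10,
# sniffer VM .2, two other guests .20 and .21, plus one off-net destination.
SAMPLE_TCPDUMP = """\
12:44:01.000001 IP 192.168.50.10.49152 > 192.168.50.20.445: Flags [S], seq 1, win 64240, length 0
12:44:01.000002 IP 192.168.50.10.49153 > 192.168.50.21.135: Flags [S], seq 1, win 64240, length 0
12:44:01.000003 IP 192.168.50.20.445 > 192.168.50.10.49152: Flags [R.], seq 0, ack 2, win 0, length 0
12:44:02.000004 IP 192.168.50.10.49154 > 10.0.0.5.80: Flags [S], seq 1, win 64240, length 0
12:44:02.000005 ARP, Request who-has 192.168.50.22 tell 192.168.50.10, length 28
12:44:03.000006 IP 192.168.50.10.50000 > 192.168.50.2.22: Flags [S], seq 1, win 64240, length 0
"""

# Matches the "timestamp IP src.port > dst.port:" prefix tcpdump prints with -n
# for IPv4. Non-IP lines (ARP, etc.) deliberately do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)


def tcpdump_filter(untrusted, sniffer):
    """BPF filter expression for tcpdump: everything the untrusted guest sends
    or receives, minus the sniffer VM's own traffic (e.g. your SSH session)."""
    return f"host {untrusted} and not host {sniffer}"


def parse_capture(text):
    """Return a list of (src, dst, dport) tuples, one per IPv4 line."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            flows.append((m["src"], m["dst"], int(m["dport"])))
    return flows


def classify(flows, vmnet, untrusted, sniffer):
    """Split the untrusted guest's outbound flows into two buckets:
    - 'neighbour': destinations inside the VMnet (other guests, host adapter);
    - 'offnet': destinations outside the VMnet, i.e. what a NAT or bridged
      VMnet would forward onto the real LAN or the Internet.
    Replies from neighbours and flows aimed at the sniffer itself are ignored."""
    net = ip_network(vmnet)
    report = {"neighbour": set(), "offnet": set()}
    for src, dst, dport in flows:
        if src != untrusted or dst == sniffer:
            continue
        bucket = "neighbour" if ip_address(dst) in net else "offnet"
        report[bucket].add((dst, dport))
    return report


if __name__ == "__main__":
    # Print the filter to hand to tcpdump on the sniffer VM, then the summary.
    print("tcpdump -n -i <vmnet-iface>", repr(tcpdump_filter("192.168.50.10", "192.168.50.2")))
    report = classify(parse_capture(SAMPLE_TCPDUMP), "192.168.50.0/24",
                      "192.168.50.10", "192.168.50.2")
    for bucket, hits in report.items():
        for dst, port in sorted(hits):
            print(f"{bucket}: {dst}:{port}")
```

On a real sniffer VM you would pipe `tcpdump -n -l -i <iface> 'host ... and not host ...'` into the script instead of using the constructed sample; anything that lands in the `offnet` bucket on a host-only VMnet is harmless noise with nowhere to go, but the same lines on a NAT or bridged VMnet mean the guest has a path to your LAN, which is the point the reply above makes.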