VMware Communities
s82476
Contributor

VM's networking mode vs. host OS's security? NAT vs. Bridged? USB Wi-fi device? VPN?

Ladies / Gents,

BACKGROUND:

-I run an old Macbook (see below for specs) with a barebones OS X installation plus a few utility programs purchased from Apple's "App Store", an antivirus/internet security package, and an anti-malware package.  Every piece of software is 100% purchased, paid for, not at all pirated. 

-Inside this OS X host I run multiple different VMs (usually only one at a time) for tinkering, working, learning.  Telling you which OSes I'm specifically running should be irrelevant to my forthcoming questions.

-I want to keep my host OS X as "light" as possible so as to get the best possible performance out of my VMs.  I do EVERYTHING inside the VMs.  I don't browse the web, run an email client, or have any office/productivity software installed on the host OS X. 

-I want to keep my host OS X as un-exposed to any malware / viruses that one of my virtual machines might acquire.  I want to provide my host OS X the best protection from any potentially-contaminated internet traffic I bring in to my VMs. 


PRIORITIES:     (from highest priority to lowest priority)

1.  Security for the host OS X installation.  I want to eliminate every possible avenue by which malicious software could contaminate my host OS X installation and/or any of the laptop's firmware. 

2.  Security of my data.  I want to reduce the possibility that malicious software in one of my VMs could access my data and compromise it.  I'd rather have my data corrupted than compromised.  I can restore corrupted data from a backup.  I can't un-compromise data that's been transmitted outside my computer.

3.  Security of the individual VM OS installations.  I do everything inside VMs, so they have to be exposed.  But I want them as secure as possible while exposed - ultimately so as to protect my data and my host OS X installation. 

4.  Performance of the individual VMs.  It's a priority, it's important to me, but I'm not willing to sacrifice much (if any) security for it. 

QUESTIONS:

Q1:  To protect my host OS X from viruses/malware I might inadvertently pull in to my VMs, should I set up my VMs to connect to the internet using NAT mode or Bridged mode?

Q2:  Is it possible for me to completely disable my host OS X's network / internet access through my wifi adapter while still allowing my VMs to connect to the internet through the wi-fi adapter? 

Q3:  Would I completely isolate (and protect) my host OS X from the VM's internet traffic if I move all of the VM's internet traffic through a VPN connection between the VM and an OS on another physical computer?  Is that even possible?  I assume it is, but I don't know how to do it. 

Q4:  Can I manipulate my host OS X's firewall software and/or the firewall software running inside each of my VMs to come as close as possible to preventing a VM's internet traffic from contaminating the host OS X?

Q5:  If I were to purchase a USB Wi-Fi stick, could I allow the VMs to connect to/through it and control it while isolating the host OS X from its traffic?  Similar to the way VMware can pass access and control of USB storage devices to the VM while not allowing the host OS access to it....?

Q6:  Of the ideas in Q2, Q3, Q4, and Q5, what is the single most-effective method of accomplishing my goals?  Can I combine some of those methods together to make my host OS even more secure?  Can I implement more than one of those ideas simultaneously to make my host OS X as secure as possible?

I would be perfectly happy only allowing the host OS X to connect to the network/internet through the computer's ethernet port, so that I had extreme control over its exposure to external vulnerabilities.  I envision only connecting it once/week or so to update my host OS X installation and its security software, and maybe download a new utility application I decide I want.

--------------------------------------------------------------------------

MY LAPTOP'S SPECS:

Macbook 5,1 13" Aluminum, Late-2008. 

Core 2 Duo 2.4GHz processor. 

8 GB 1067 MHz DDR3 RAM. 

DVD/CD drive removed, accessible through USB connection only. 

2 x 1TB Samsung 840 EVO SSDs (3Gb/s throughput). 

2 x USB 2.0 ports,

1 x mini-displayport video output port,

1 x 1.0Gbps ethernet port. 

NVIDIA GeForce 9400M 256 MB. 

1 x 802.11a/b/g/n Wi-Fi adapter.

1 x Bluetooth adapter.

-------------------------------------------------------------------------

Any help much appreciated. 

Thanks all,

S.

0 Kudos
1 Reply
s82476
Contributor

Quick update....I purchased a cheap-O USB wifi adapter and was able to pull internet services directly into a VM through that adapter, without those services being routed through the host.  I'm able to get internet in a VM while the host has zero internet connectivity whatsoever. 

I would still like to know if I can somehow do this through the laptop's internal wifi adapter, so I don't have to consume one of my two USB ports with a wi-fi adapter. 

I do have another question now... if I have a Windows VM drawing internet services through a USB Wi-Fi device while the laptop's internal Wi-Fi adapter is disabled and its ethernet port has nothing plugged into it, how do I make that Windows VM "serve" those internet services to the host OS X installation?  Is that possible?

Screenshot attached to this post shows the host OS X network settings window with all network adapters disabled, the guest Win10 VM network settings indicating that its Wi-Fi is on and has 4 of 5 bars connection quality, and the host MacBook "System Report" showing that the host knows that it has a Linksys Wi-Fi adapter connected to its USB port and is passing the connection to a VMware guest.

Thanks,

S.

0 Kudos
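
Added example (not part of the original posts): a host-side check for the setup described in the update above, where the guest owns the USB Wi-Fi adapter and the host is meant to have no connectivity. It parses macOS-style `ifconfig -a` text and lists every non-loopback interface that still holds an IP address; the function names, the `vmnet8` adapter name and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Reads `ifconfig -a` text on stdin, prints "<iface> <address>" for every
# non-loopback interface that still has an IPv4 or IPv6 address assigned.
exposed_ifaces() {
  awk '
    # Interface header line, e.g. "en0: flags=8863<UP,...> mtu 1500"
    /^[^ \t]+: flags=/ {
      name = $1; sub(/:$/, "", name)
      loopback = ($0 ~ /LOOPBACK/)
      next
    }
    # Indented address line (inet or inet6) belonging to the last header
    /^[ \t]+inet6? / {
      if (name != "" && !loopback) print name, $2
    }
  '
}

# Succeeds only when no non-loopback interface holds an address.
host_is_isolated() { [ -z "$(exposed_ifaces)" ]; }

# Constructed sample: built-in adapters disabled, nothing else addressed.
sample_isolated() { cat <<'EOF'
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
en0: flags=8822<BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
    ether 00:00:5e:00:53:01
    status: inactive
en1: flags=8822<BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
    ether 00:00:5e:00:53:02
    status: inactive
EOF
}

# Constructed sample: same host, but a host-side virtual adapter (name
# assumed) still has an address, so host and guest share a network path.
sample_leaky() {
  sample_isolated
  cat <<'EOF'
vmnet8: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 00:00:5e:00:53:08
    inet 192.168.50.1 netmask 0xffffff00 broadcast 192.168.50.255
EOF
}

sample_leaky | exposed_ifaces
```

On the host itself the check would be run as `ifconfig -a | exposed_ifaces`; empty output means no non-loopback interface is addressed.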