Faize
Enthusiast
Enthusiast

How secure would a Windows XP guest with host-only networking be?

Jump to solution

My interpretation of the documentation is that such a VM would be as secure as one having no network adapter at all, but it doesn't hurt to double check to make sure I'm not somehow exposing the host/other guests/etc. to threats without being aware of it...

1 Solution

Accepted Solutions
RDPetruska
Leadership
Leadership

I haven't played with this in a while, so I'm surprised you can't select any of the 10 VMnets in the Custom selection.  But yes, that looks correct for the VNE.

P.S. There has never been a specific selection labeled "guest-only", it's what some of us long-timers have named it.  But it describes exactly what it does.

You could also try editing the vmx files by hand and specifying one of the other VMnets, even if the drop-down won't let you pick it.

View solution in original post

0 Kudos
7 Replies
bluefirestorm
Virtuoso
Virtuoso

As the saying goes "A chain is only as strong as its weakest link"; the same applies for security in networked computer systems. So if you transfer files between host and guest via other means such as copy/paste or USB thumb drive, these are also considered possible attack surface/vectors between guest VM and host.

In case that the XP VM is connecting to a Host Only virtual switch because inside the XP VM some software/application requires some active network/IP address, the Microsoft Loopback Adapter can be used as an alternative to virtual NIC. This isolates further the XP VM from the host at least in terms of network. You can add the Microsoft Loopback Adapter as a new network hardware from Device Manager.

Faize
Enthusiast
Enthusiast

Thanks bluefirestorm. What is needed in my scenario is for the XP VM to network with another, identical XP VM (one is cloned from the other, to be precise). Neither will ever need to network with the host, but I can't figure out what the VMware equivalent of a crossover cable is, so host-only networking sounds like the closest fit, though I'd love to be corrected here.

0 Kudos
RDPetruska
Leadership
Leadership

Use a guest-only network (one of the unused VMnet switches)... pick "Custom" network type, and specify the same VMnet for each guest.

Faize
Enthusiast
Enthusiast

Not sure I understood entirely, but would this be the correct way to set it up in the Virtual Network Editor (there's no guest-only option)?

Setup.png

And then for each VM I would go Settings -> Network Adapter, pick the Custom radio button and then choose VMnet2 from the dropdown? It doesn't seem like I can just pick an unconfigured VMnet arbitrarily as VMnet0 and VMnet2 are the only options in the dropdown.

0 Kudos
RDPetruska
Leadership
Leadership

I haven't played with this in a while, so I'm surprised you can't select any of the 10 VMnets in the Custom selection.  But yes, that looks correct for the VNE.

P.S. There has never been a specific selection labeled "guest-only", it's what some of us long-timers have named it.  But it describes exactly what it does.

You could also try editing the vmx files by hand and specifying one of the other VMnets, even if the drop-down won't let you pick it.

View solution in original post

0 Kudos
bluefirestorm
Virtuoso
Virtuoso

To minimise the risk of rogue program(s) roaming between host and VMs in the "Host only virtual switch"; one possible way is to use fixed IP addresses on the VMs that belongs to a different subnet from the VMnetX that the VMs are connected to. For example, if you use VMnet3 that has 192.168.4.0/24 subnet, you could assign 192.168.7.0/24 IP addresses to the VMs so that traffic won't flow between host and VMs.

I haven't tried it but logically it should work as it should be similar to a physical switch where two machines belong to one subnet and won't be reachable by other machines attached to the same switch but belong to a different subnet.

Having said that, it does take quite a big security hole in either host or serious lapse in security in the VMs for some rogue program to be worming its way through a virtual switch.

Faize
Enthusiast
Enthusiast

So I manually edited the vmx files and was able to set the NICs to VMnet3. The machines now show "limited connectivity" and can only network each other Smiley Happy

Thanks RDPetruska and bluefirestorm for all your help!

0 Kudos