One of the things that is common when studying for a security certification exam, doing research or just doing general IT tasks may be downloading a virtual machine and running it on a host system. I’m sure that this works out fine most of the time. But what if you are doing something a little more risky such as detonating malware for research purposes, or downloading a virtual machine from vulnhub to help learn offensive security? Or maybe you just are a little paranoid and don’t trust a VM you haven’t set up yourself. I’m constantly surprised at the lack of understanding around virtual machine networking, and that people are willing to download and run untrusted virtual machines with network access to the host system and/or the wider internal network that the host is connected to, without taking necessary precautions.
In this post we will first discuss the different types of networking used by virtual machines as well as some of the security implications, we will then set up a locked down network that we can spin a virtual machine up on without the guest being able to access the host or the host being able to access the guest.
Types of Virtual Networking
This is the most commonly used type of networking. It allows a virtual machine guest to access any listening services on the host, but also potentially any computer on the internal network that the host is connected to. For our objectives this is the least desirable configuration.
This is probably the second most common type of networking. Like bridged it allows a virtual machine guest to access any listening service on the host but also potentially any computer on the internal network that the host is connected to. The only difference is that those other computers can’t access the guest VM(though the VM host can). This is a kind of segmentation, but it is not the kind we are looking for.
This is not a commonly used type of virtual machine networking. This configuration segments the guest from the network and vice-versa, however the guest can access the host and vice-versa. Because of this, it is not the solution we are looking for.
This configuration completely segments the host and guest, and only lets guests that are attached to this virtual network communicate with each other. This is the setting that we want, as any of the hosts open services will not be accessible to the guest.
Getting Started with VirtualBox Internal Networking
The first step is to open the virtual machines settings and go to the Network section of the settings. Then select “Internal Network” from the drop-down. Click OK.
You may think “I’m done right?”. Well probably not. One of the things that is weird about Internal Networking in VirtualBox is that it doesn’t do DHCP by default. In fact there is not currently a way to configure it via a GUI(unlike other host-only which can). To make sure that the guests that are attached to this network get an IP we are going to use VBoxManage(the CLI configuration tool for VirtualBox) to give our internal network a DHCP server. Do that with the following command.
VBoxManage dhcpserver add --netname intnet --ip 10.10.10.1 --netmask 255.255.255.0 --lowerip 10.10.10.2 --upperip 10.10.10.20 --enable
To explain what is going on here the “–netname” is the name of our internal network as configured above in the machine’s settings, in this case “intnet”. “–ip” is the starting IP of the range. “–netmask” determines the size of the range of potential IPs. The “–lowerip” and “–uperip” are the first and last IPs that will be handed out by our DHCP server on this internal network.
Once this is done you may need to cycle the network stack within the VM or restart it for it to get an IP.
Adding Internet and Network Access to a Trusted VM
What about if you put another virtual machine on this internal network to poke at the untrusted VM with and you want it to have some level of internet access to download updates or tools?
Simply connect “Adapter 1” to the internal network (if you haven’t already):
Then enable and connect “Adapter 2” to a NAT network or a Bridged network.
This configuration should allow this second more trusted VM to access the Internet over the NAT’d network and access the untrusted VM via the IP handed out on the 10.10.10.x network.
I hope this has helped you learn more about virtualization and network segmentation of virtual machines. Leave us a comment with any questions you may have or tutorials and content you would like to see. Thanks for stopping by and take a look at our other articles!