Implementing a Qubes OS productive laptop

Implementing a Qubes OS productive laptop

Rocco Gagliardi
by Rocco Gagliardi
time to read: 11 minutes

At work, do you use a single computer to accomplish all tasks? Or do you have dedicated machines, in order to minimize the exposure of data with different sensitivity? Is a physical separation the right answer to the security issues posed by the execution, in the same environment, of different tasks? (Software compartmentalization vs. physical separation).

Since more than a decade, virtualization is helping the IT architect to separate applications from applications and applications from data, making services easier to maintain and optimizing the data center hardware resources.

As example, we built a log appliance named HERON, designed and implemented using virtual machines (VMs) to minimize and better control the exposure of data and services. Our solution was focused on the server side, with a small user interaction, so relative easy.

Qubes OS tries to achieve the same on the other side of the cable: the client machine, where the user is the primary focus and the biggest problem.

I played with Qubes OS since many years, and, with the release 3, I decided to use it as my main machine for both business and private use. In this article, I will concentrate on the most difficult part of the task: how to approach the organization of the resources, in order to make the solution usable for daily business.

What’s the goals

I want to use a single laptop to accomplish all my activity, from reading business mail to surf anonymous on ask.fm. Right: no obstacle to execute everything on a single laptop, using a preinstalled OS and the standard administrator account. Sure: We may create different accounts, one for business, one for private, and one for anonymity, but – first – we must switch between accounts, and – second – the underlying software remains still the same, with all problems in case of compromise of one profile.

It would be great to have dedicated machines, one for each different task, but – normally – data must be transferred between applications, and if we physically separate them, the user starts to search creative methods to accomplish the data transfer and in many cases the security will decrease.

If we could have a single hardware, and display each application we use, from the different VMs, on the same desktop? That’s exactly what Qubes OS is designed for: run a series of different separated VMs and display the result on a single desktop (the _dom0_-desk) like on a single OS.

Advantages

Security! Imagine a grand prairie, you are building the OS Corral. First, the VMs are virtually separated; if a VM is compromised, there is a good change that the others remains safe.

Second, the point of contacts between the domains are minimized: only the network and firewall VMs are in touch with the dangerous Any, all other VMs are protected by the firewall-VM. This reduces the exposed code to drivers and software used by the firewall-VM; all the code used by other OS/Application running on other VMs, are never exposed directly to Internet.

As example, even the Untrusted-VM, normally hosting the browser for Internet access, exposes the browser code to Internet but not directly the NIC-driver.

This adds an additional layer of security to the system, reducing the points of contact between the domains to the virtualization OS and the display engine.

Disadvantages

Complexity is increased. In fact, Qubes OS builds an entire network security infrastructure to run applications, this infrastructure must be tuned and maintained.

Some usability costs. For the OS, the user is a process; so, if you want to limit what a generic process can do on the system, the user is also affected.

Some hardware costs. The hardware must support virtualization, so you cannot use low-level hardware. In addition, a reasonable amount of memory and storage is required.

How it works

I will not describe how Qubes OS works; just download, install and try it, it’s the better way. You can start reading Qubes OS

Basically, it’s a bare metal OS running the hypervisor (XEN) to take advantage of the virtualization features of modern CPUs (VT-x/d). There are other specifically designed pieces of software for the device management (emulators) and for the application visualisation.

Note that the security inside the VMs remains basically the same. An application running in the VMs is not necessary more secure than the equivalent running in a normal Linux. All normally applicable security measures, must be implemented in the VMs as usual.

How to start

Before creating domains, it is necessary to plan what to put where and define what should communicate in which direction; for all data transfer operation between each domain! Therefore not just network operations, but also clipboard operation or transfers via external devices.

I started listing my tasks, then add some categories to each task, and define the destination and the interactions with other components.

Work Task Description
Email Access our mail server via browser
Wiki Access (R/W) company wiki
Documents Use Microsoft Office apps (/P/A, Visio) to deal with documents stored on our data server
Admin Administer company infrastructure on internal servers via ssh/https/rdp
Admin Administer company infrastructure on external servers via ssh/https
Development Write code and test on test environments (SVN check-in/out)
Archives Useful documents, not daily need
Private Task Description
Email Access private mails
Documents Use Microsoft Office apps (Visio + Access) to deal with specific documents stored on private / public clouds
Admin Administer private infrastructure via ssh/https/rdp
Blog Administer private blog
Financial Use private banking to execute payments
Shopping Online Use the browser to shop online (use of credit cards)
Browsing for Research May encounter some weird sites
Browsing for Entertainment Twitter, Facebook

Implementation

As hardware, I use a Lenovo T420s, i7, 16GB RAM and 256 SSD.

For the initial phase, I’m pretty happy with the Fedora distros; additionally, I installed a Windows 7 and relative tools, and a BSD.

Creating domains

Based on the preceding lists, following domains will be created:

Domain Pourpose
Secure Running a very small number of applications, accessing a small number of data locations and no hardware access, strict copy&paste policy
Personal Running a limited number of applications, accessing a limited number of data locations and hardware resources
Work Running Windows applications, accessing company network shares, accessing company network trough VPN
Untrusted Running browser and other application to access all non-trusted destinations

Network Rules

Basically, for personal and work domains, I prefer to switch the network policy from a black to a white list: deny all and allow just what I need. This is the same procedure I use on my laptops with personal firewalls; even if annoying, after a few days of use, the rulebase is pretty complete, and I have known – more or less – where an application is going.

Copy & Paste rules

Additionally, I prefer to restrict the Copy & Paste behavior between domains.

Domain FW Policy Secure Personal Work Untrust
Secure drop all, allow banks Not Applicable Allowed Not Allowed Not Allowed
Personal drop all, allow trusted sites Not Allowed Not Allowed Allowed Not Allowed
Work drop all, allow company nets Not Allowed Allowed Not Applicable Not Allowed
Untrusted allow all Not Allowed Allowed Not Allowed Not Applicable

Additions

Adding Whonix, for anonymous surfing. This article explains how to install Whonix in Qubes OS.

Configure the authentication with Yubikey; even if I’m lukewarm about Yubikey, my colleague Andrea gave me one, and I’m trying to use it. This article explains how to use Yubikey with Qubes OS.

Problems / Solutions

The solution has some costs. The usual work behavior must be adapted to the new environment. A few examples:

Summary

Qubes OS uses virtualization to separate and better control the access on data of different sensitivity, and reduce the exposure of the system separating each application in a restricted area.

Making it at client level, involves the creation of software specifically designed to intercept and control the interaction with the user, while keeping the system itself usable; this is hard part. The user, on the other side, must be prepared to think and operate in different manner as usual.

As long as hypervisor makes the job right, this is a good way to go when the security is a primary focus.

About the Author

Rocco Gagliardi

Rocco Gagliardi has been working in IT since the 1980s and specialized in IT security in the 1990s. His main focus lies in security frameworks, network routing, firewalling and log management.

Links

You want to test the security of your firewall?

Our experts will get in contact with you!

×
Enhancing Data Understanding

Enhancing Data Understanding

Rocco Gagliardi

Transition to OpenSearch

Transition to OpenSearch

Rocco Gagliardi

Graylog v5

Graylog v5

Rocco Gagliardi

auditd

auditd

Rocco Gagliardi

You want more?

Further articles available here

You need support in such a project?

Our experts will get in contact with you!

You want more?

Further articles available here