Implementing a Qubes OS productive laptop

by Rocco Gagliardi

At work, do you use a single computer for all your tasks, or do you have dedicated machines to minimize the exposure of data of different sensitivity? Is physical separation the right answer to the security issues posed by executing different tasks in the same environment? In other words: software compartmentalization vs. physical separation.

For more than a decade, virtualization has helped IT architects separate applications from each other and from data, making services easier to maintain and optimizing the use of data center hardware.

As an example, we built a log appliance named HERON, designed and implemented with virtual machines (VMs) to minimize and better control the exposure of data and services. That solution was focused on the server side, with little user interaction, so it was relatively easy.

Qubes OS tries to achieve the same on the other end of the cable: the client machine, where the user is the primary focus and the biggest problem.

I have been playing with Qubes OS for many years and, with release 3, I decided to use it as my main machine for both business and private use. In this article I concentrate on the most difficult part of the task: how to organize the resources so that the solution is usable for daily business.

What are the goals

I want to use a single laptop for all my activities, from reading business mail to surfing anonymously on ask.fm. Right: nothing prevents me from doing everything on a single laptop with a preinstalled OS and the standard administrator account. Sure, we could create different accounts, one for business, one for private use and one for anonymity, but first we must switch between accounts, and second the underlying software remains the same, with all the consequences if one profile is compromised.

It would be great to have dedicated machines, one for each task, but normally data must be transferred between applications, and if we physically separate them the user starts looking for creative ways to transfer the data; in many cases security decreases as a result.

What if we could have a single piece of hardware and display each application we use, running in different VMs, on the same desktop? That is exactly what Qubes OS is designed for: run a series of separate VMs and display them on a single desktop (the _dom0_ desktop) as if they were one OS.

Advantages

Security! Imagine a grand prairie where you are building the OS Corral. First, the VMs are separated by the hypervisor: if one VM is compromised, there is a good chance that the others remain safe.

Second, the points of contact between the domains are minimized: only the network and firewall VMs are in touch with the dangerous Any; all other VMs sit behind the firewall VM. The code exposed directly to the Internet is thus limited to the drivers and software of the network and firewall VMs; the OS and application code running in the other VMs is never exposed to the Internet directly.

For example, even the untrusted VM, which normally hosts the browser for Internet access, exposes the browser code to the Internet but not the NIC driver.

This adds a layer of security to the system, reducing the points of contact between the domains to the hypervisor and the display engine.

Disadvantages

Complexity is increased. Qubes OS builds an entire network security infrastructure to run applications, and this infrastructure must be tuned and maintained.

Some usability costs. To the OS, the user is just another process; if you limit what a generic process can do on the system, the user is limited too.

Some hardware costs. The hardware must support virtualization (VT-x and, for device assignment, VT-d), so low-end hardware is out. A reasonable amount of memory and storage is also required.

How it works

I will not describe how Qubes OS works; just download, install and try it, that is the best way. You can start with the Qubes OS documentation.

Basically, it is a bare-metal OS running the Xen hypervisor to take advantage of the virtualization features of modern CPUs (VT-x/VT-d). Other purpose-built components handle device management (the emulators) and the display of applications from the VMs on the dom0 desktop.

Note that security inside a VM remains basically the same. An application running in a VM is not necessarily more secure than the same application on a normal Linux box. All the usual security measures must still be implemented inside the VMs.

How to start

Before creating domains, plan what goes where and define what may communicate with what, in which direction, for every data transfer between domains: not just network traffic, but also clipboard operations and transfers via external devices.

I started by listing my tasks, then added some categories to each task and defined its destination and its interactions with other components.

Work task      Description
Email          Access our mail server via browser
Wiki           Access (R/W) the company wiki
Documents      Use Microsoft Office apps (Word/Excel/PowerPoint/Access, Visio) on documents stored on our data server
Admin          Administer the company infrastructure on internal servers via SSH/HTTPS/RDP
Admin          Administer the company infrastructure on external servers via SSH/HTTPS
Development    Write code and test it on the test environments (SVN check-in/check-out)
Archives       Useful documents, not needed daily

Private task                 Description
Email                        Access private mail
Documents                    Use Microsoft Office apps (Visio and Access) on specific documents stored on private/public clouds
Admin                        Administer the private infrastructure via SSH/HTTPS/RDP
Blog                         Administer the private blog
Financial                    Use private banking to execute payments
Shopping online              Use the browser to shop online (use of credit cards)
Browsing for research        May encounter some weird sites
Browsing for entertainment   Twitter, Facebook

Implementation

As hardware, I use a Lenovo T420s with an i7, 16 GB RAM and a 256 GB SSD.

For the initial phase I am pretty happy with the Fedora-based templates; additionally, I installed a Windows 7 with the related tools, and a BSD.

Creating domains

Based on the preceding lists, the following domains will be created:

Domain      Purpose
Secure      Runs a very small number of applications, accesses a small number of data locations, has no hardware access and a strict copy & paste policy
Personal    Runs a limited number of applications, accesses a limited number of data locations and hardware resources
Work        Runs Windows applications, accesses company network shares and the company network through VPN
Untrusted   Runs the browser and other applications to access all non-trusted destinations

Network Rules

Basically, for the personal and work domains I prefer to switch the network policy from a black list to a white list: deny all and allow just what I need. This is the same procedure I use on my laptops with personal firewalls; even if it is annoying, after a few days of use the rule base is pretty complete and I know, more or less, where each application is going.

Copy & Paste rules

Additionally, I prefer to restrict copy & paste between domains. The resulting firewall policy per domain:

Domain      Firewall policy
Secure      drop all, allow banks
Personal    drop all, allow trusted sites
Work        drop all, allow company nets
Untrusted   allow all

And the copy & paste matrix between domains:

Domain      Secure           Personal         Work             Untrusted
Secure      not applicable   allowed          not allowed      not allowed
Personal    not allowed      not applicable   allowed          not allowed
Work        not allowed      allowed          not applicable   not allowed
Untrusted   not allowed      allowed          not allowed      not applicable
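The two tables above (the white-list network rules and the copy & paste matrix) are exactly the kind of plan that is easy to write down and easy to mistype into dom0. As an added example, not code from the article or from the Qubes project, the following Python script turns both tables into dom0 configuration: the qvm-firewall commands for each domain and the content of the qrexec policy file that governs cross-VM paste, plus a first-match evaluator used to cross-check the generated policy against the matrix before it is installed. Everything not in the article is an assumption: the hosts and networks stand in for the author's "banks", "trusted sites" and "company nets"; the matrix is read as row = source VM, column = VM pasted into; the qvm-firewall syntax is the Qubes 3.x one (`-P deny`, then `-a <host> <port> <proto>`), whereas Qubes 4.x uses `qvm-firewall <vm> add accept dsthost=<host> proto=<proto> dstports=<port>`; and the policy file is the legacy format used by Qubes 3.x (`/etc/qubes-rpc/policy/qubes.ClipboardPaste`, one `<source> <destination> <action>` per line, first match wins, `$anyvm` as wildcard).

```python
"""Build dom0 configuration from the network and copy & paste tables.

Added example, not code from the article or from the Qubes project.
Assumptions (none of them stated on the page):
  - NET_ALLOW hosts/networks are placeholders for "banks", "trusted sites"
    and "company nets";
  - the clipboard matrix is read as row = source VM, column = paste target;
  - qvm-firewall is called with the Qubes 3.x syntax; Qubes 4.x uses
    `qvm-firewall <vm> add accept dsthost=<host> proto=<proto> dstports=<port>`;
  - the policy file is the legacy Qubes 3.x qrexec format: one
    "<src> <dst> <action>" per line, first match wins, $anyvm = wildcard.
"""

DOMAINS = ("secure", "personal", "work", "untrusted")

# Network policy: None = allow all; a list = deny all except (host, port, proto).
NET_ALLOW = {
    "secure":    [("bank.example.com", "443", "tcp")],
    "personal":  [("mail.example.org", "993", "tcp"),
                  ("www.example.org", "443", "tcp")],
    "work":      [("10.0.0.0/8", "22", "tcp"),
                  ("10.0.0.0/8", "443", "tcp"),
                  ("10.0.0.0/8", "3389", "tcp")],
    "untrusted": None,
}

# Copy & paste matrix from the article: source -> destinations it may paste into.
CLIPBOARD_ALLOW = {
    "secure":    {"personal"},
    "personal":  {"work"},
    "work":      {"personal"},
    "untrusted": {"personal"},
}

POLICY_FILE = "/etc/qubes-rpc/policy/qubes.ClipboardPaste"


def firewall_commands(vm, allow):
    """dom0 commands implementing the per-VM network policy (Qubes 3.x CLI)."""
    if allow is None:
        return [f"qvm-firewall {vm} -P allow"]
    cmds = [f"qvm-firewall {vm} -P deny"]          # white list: default deny
    cmds += [f"qvm-firewall {vm} -a {host} {port} {proto}"
             for host, port, proto in allow]
    return cmds


def clipboard_policy(matrix, domains=DOMAINS):
    """Lines for qubes.ClipboardPaste: one allow per permitted pair, then a
    catch-all deny so every other pair, including VMs created later, is blocked."""
    lines = [f"{src} {dst} allow"
             for src in domains for dst in domains
             if src != dst and dst in matrix.get(src, ())]
    lines.append("$anyvm $anyvm deny")
    return lines


def evaluate(policy_lines, src, dst):
    """First-match evaluation, as dom0 does for a qrexec call (only the
    $anyvm wildcard is modelled; real policies also know $dispvm etc.)."""
    for line in policy_lines:
        s, d, action = line.split()[:3]
        if s in (src, "$anyvm") and d in (dst, "$anyvm"):
            return action.split(",")[0]    # strip options such as ",target=x"
    return "deny"                          # no matching line: qrexec denies


def policy_matches_matrix(policy_lines, matrix, domains=DOMAINS):
    """Cross-check: the generated file must decide every pair like the table."""
    for src in domains:
        for dst in domains:
            if src == dst:
                continue
            want = "allow" if dst in matrix.get(src, ()) else "deny"
            if evaluate(policy_lines, src, dst) != want:
                return False
    return True


def render():
    """Everything to apply in dom0, as text, for review before running it."""
    out = ["# network rules"]
    for vm in DOMAINS:
        out += firewall_commands(vm, NET_ALLOW[vm])
    out += ["", f"# {POLICY_FILE}"] + clipboard_policy(CLIPBOARD_ALLOW)
    return "\n".join(out)


if __name__ == "__main__":
    policy = clipboard_policy(CLIPBOARD_ALLOW)
    assert policy_matches_matrix(policy, CLIPBOARD_ALLOW)
    print(render())
```

The script only prints; copy the output into dom0 by hand after reading it, because dom0 is the one place where a typo in a rule has no second line of defence. The catch-all `$anyvm $anyvm deny` at the end is the important line: with first-match semantics, an allow placed after it would never be reached, and without it a VM added next month inherits whatever the distribution default is rather than your matrix. Check `qvm-firewall --help` on your release before running the network part; the syntax differs between Qubes 3.x and 4.x.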

Additions

Add Whonix for anonymous surfing. This article explains how to install Whonix in Qubes OS.

Configure authentication with a YubiKey; even if I am lukewarm about the YubiKey, my colleague Andrea gave me one and I am trying to use it. This article explains how to use a YubiKey with Qubes OS.

Problems / Solutions

The solution has some costs: the usual way of working must be adapted to the new environment. A few examples:

Summary

Qubes OS uses virtualization to separate and better control access to data of different sensitivity, and reduces the exposure of the system by confining each application to a restricted area.

Doing this on the client side requires software specifically designed to intercept and control the interaction with the user while keeping the system usable; this is the hard part. The user, on the other side, must be prepared to think and operate differently than usual.

As long as the hypervisor does its job right, this is a good way to go when security is a primary focus.

About the Author

Rocco Gagliardi

Rocco Gagliardi has been working in IT since the 1980s and specialized in IT security in the 1990s. His main focus lies in security frameworks, network routing, firewalling and log management.
