At work, do you use a single computer to accomplish all tasks? Or do you have dedicated machines, in order to minimize the exposure of data with different sensitivity? Is a physical separation the right answer to the security issues posed by the execution, in the same environment, of different tasks? (Software compartmentalization vs. physical separation).
Since more than a decade, virtualization is helping the IT architect to separate applications from applications and applications from data, making services easier to maintain and optimizing the data center hardware resources.
As example, we built a log appliance named HERON, designed and implemented using virtual machines (VMs) to minimize and better control the exposure of data and services. Our solution was focused on the server side, with a small user interaction, so relative easy.
Qubes OS tries to achieve the same on the other side of the cable: the client machine, where the user is the primary focus and the biggest problem.
I played with Qubes OS since many years, and, with the release 3, I decided to use it as my main machine for both business and private use. In this article, I will concentrate on the most difficult part of the task: how to approach the organization of the resources, in order to make the solution usable for daily business.
I want to use a single laptop to accomplish all my activity, from reading business mail to surf anonymous on ask.fm. Right: no obstacle to execute everything on a single laptop, using a preinstalled OS and the standard administrator account. Sure: We may create different accounts, one for business, one for private, and one for anonymity, but – first – we must switch between accounts, and – second – the underlying software remains still the same, with all problems in case of compromise of one profile.
It would be great to have dedicated machines, one for each different task, but – normally – data must be transferred between applications, and if we physically separate them, the user starts to search creative methods to accomplish the data transfer and in many cases the security will decrease.
If we could have a single hardware, and display each application we use, from the different VMs, on the same desktop? That’s exactly what Qubes OS is designed for: run a series of different separated VMs and display the result on a single desktop (the _dom0_-desk) like on a single OS.
Security! Imagine a grand prairie, you are building the OS Corral. First, the VMs are virtually separated; if a VM is compromised, there is a good change that the others remains safe.
Second, the point of contacts between the domains are minimized: only the network and firewall VMs are in touch with the dangerous Any, all other VMs are protected by the firewall-VM. This reduces the exposed code to drivers and software used by the firewall-VM; all the code used by other OS/Application running on other VMs, are never exposed directly to Internet.
As example, even the Untrusted-VM, normally hosting the browser for Internet access, exposes the browser code to Internet but not directly the NIC-driver.
This adds an additional layer of security to the system, reducing the points of contact between the domains to the virtualization OS and the display engine.
Complexity is increased. In fact, Qubes OS builds an entire network security infrastructure to run applications, this infrastructure must be tuned and maintained.
Some usability costs. For the OS, the user is a process; so, if you want to limit what a generic process can do on the system, the user is also affected.
Some hardware costs. The hardware must support virtualization, so you cannot use low-level hardware. In addition, a reasonable amount of memory and storage is required.
I will not describe how Qubes OS works; just download, install and try it, it’s the better way. You can start reading Qubes OS
Basically, it’s a bare metal OS running the hypervisor (XEN) to take advantage of the virtualization features of modern CPUs (VT-x/d). There are other specifically designed pieces of software for the device management (emulators) and for the application visualisation.
Note that the security inside the VMs remains basically the same. An application running in the VMs is not necessary more secure than the equivalent running in a normal Linux. All normally applicable security measures, must be implemented in the VMs as usual.
Before creating domains, it is necessary to plan what to put where and define what should communicate in which direction; for all data transfer operation between each domain! Therefore not just network operations, but also clipboard operation or transfers via external devices.
I started listing my tasks, then add some categories to each task, and define the destination and the interactions with other components.
|Access our mail server via browser|
|Wiki||Access (R/W) company wiki|
|Documents||Use Microsoft Office apps (W/E/P/A, Visio) to deal with documents stored on our data server|
|Admin||Administer company infrastructure on internal servers via ssh/https/rdp|
|Admin||Administer company infrastructure on external servers via ssh/https|
|Development||Write code and test on test environments (SVN check-in/out)|
|Archives||Useful documents, not daily need|
|Access private mails|
|Documents||Use Microsoft Office apps (Visio + Access) to deal with specific documents stored on private / public clouds|
|Admin||Administer private infrastructure via ssh/https/rdp|
|Blog||Administer private blog|
|Financial||Use private banking to execute payments|
|Shopping Online||Use the browser to shop online (use of credit cards)|
|Browsing for Research||May encounter some weird sites|
|Browsing for Entertainment||Twitter, Facebook|
As hardware, I use a Lenovo T420s, i7, 16GB RAM and 256 SSD.
For the initial phase, I’m pretty happy with the Fedora distros; additionally, I installed a Windows 7 and relative tools, and a BSD.
Based on the preceding lists, following domains will be created:
|Secure||Running a very small number of applications, accessing a small number of data locations and no hardware access, strict copy&paste policy|
|Personal||Running a limited number of applications, accessing a limited number of data locations and hardware resources|
|Work||Running Windows applications, accessing company network shares, accessing company network trough VPN|
|Untrusted||Running browser and other application to access all non-trusted destinations|
Basically, for personal and work domains, I prefer to switch the network policy from a black to a white list: deny all and allow just what I need. This is the same procedure I use on my laptops with personal firewalls; even if annoying, after a few days of use, the rulebase is pretty complete, and I have known – more or less – where an application is going.
Additionally, I prefer to restrict the Copy & Paste behavior between domains.
|Secure||drop all, allow banks||Not Applicable||Allowed||Not Allowed||Not Allowed|
|Personal||drop all, allow trusted sites||Not Allowed||Not Allowed||Allowed||Not Allowed|
|Work||drop all, allow company nets||Not Allowed||Allowed||Not Applicable||Not Allowed|
|Untrusted||allow all||Not Allowed||Allowed||Not Allowed||Not Applicable|
Adding Whonix, for anonymous surfing. This article explains how to install Whonix in Qubes OS.
Configure the authentication with Yubikey; even if I’m lukewarm about Yubikey, my colleague Andrea gave me one, and I’m trying to use it. This article explains how to use Yubikey with Qubes OS.
The solution has some costs. The usual work behavior must be adapted to the new environment. A few examples:
Qubes OS uses virtualization to separate and better control the access on data of different sensitivity, and reduce the exposure of the system separating each application in a restricted area.
Making it at client level, involves the creation of software specifically designed to intercept and control the interaction with the user, while keeping the system itself usable; this is hard part. The user, on the other side, must be prepared to think and operate in different manner as usual.
As long as hypervisor makes the job right, this is a good way to go when the security is a primary focus.
Our experts will get in contact with you!
Our experts will get in contact with you!
Further articles available here