

Make A Virtual Machine Your Safe Internet-Browsing Sandbox : Page 2

Browsing unknown Web sites puts your system at risk for malware infection. Using a virtual machine as a sandbox for safer browsing provides an additional layer of security for your machine.


Enabling Network Access

Virtual PC provides two options for enabling network access via the host machine's network adapter: using the host network adapter itself or using shared networking. These options are the last two in the dropdown list of networking options in the Virtual PC settings (see Figure 3). The second-to-last option (using the host network adapter) is labeled differently on every machine because it is the description of the network adapter on the physical host machine.

Figure 3. Networking Options for Host Machine's Network Adapter

Enabling the host's network adapter causes the guest machine to appear on the network as a separate machine with its own IP address. From a networking perspective, the guest functions the same way as a physical machine equipped with a network adapter. This is typically fine for a home network, but it may not work in a corporate environment with a Windows domain: unless the guest machine joins the domain, it will not be authorized and may not be able to use the network. (Note: wireless networking and dialup do not work with a host network adapter.)

The other option to enable network access is Shared networking (NAT), which is referred to simply as NAT in VMware Workstation. With Shared networking enabled, Virtual PC serves as a NAT router that uses the host's IP address to access the network. Since all network access is routed through the host, you can establish network access in a tightly controlled domain. If the host is authorized to use the network, then Shared networking uses the host to connect to the network and then to the Internet. If multiple network adapters are available, you can configure Shared networking only on the first one. A guest using Shared networking cannot communicate with other guest machines on the same host. (Note: wireless networking and dialup do work with Shared networking.)

Regardless of which networking option you choose, if Windows Firewall is enabled only on the host, it will not protect the guest. You must enable Windows Firewall within the guest as well to ensure maximum protection.

Mitigating Risk

Virtual PC Shared Folders are local drives or folders on the host that appear in the guest as mapped drives, and they are functionally equivalent to mapped drives (see Figure 4). A guest machine used to browse the Internet should not use the Shared Folders feature or have any drives mapped. Network drives on the host cannot be shared using Shared Folders, and any type of drive mapping exposes the host filesystem to guest malware that targets mapped drives.

Figure 4. Media Is a Virtual PC Shared Folder; c$ Is a Mapped Drive to the Host Machine

Remember, the objective is to keep the host safe from any malware that may affect the guest, so don't connect the host's filesystem to the guest. However, at some point, you may want to use the guest's browser to download a file from the Internet and make it available to the host. The safest way to do this is to use Virtual PC's drag and drop feature to transfer files between guest and host because it does not open up a TCP/IP connection between them.
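The two guest-side conditions described above (Windows Firewall enabled inside the guest, and no mapped drives or Shared Folders) can be checked from inside the guest before a browsing session. The script below is an added example, not part of the original article; the function name `Test-GuestSandbox` is hypothetical, and it assumes a guest running Windows 8 / Server 2012 or later, where `Get-CimInstance` and `Get-NetFirewallProfile` are available.

```powershell
# Added example: run inside the guest, not on the host.
# Assumes Windows 8 / Server 2012 or later (CimCmdlets and NetSecurity modules).
function Test-GuestSandbox {
    $findings = @()

    # Network-type logical disks (DriveType 4) cover drives mapped with "net use".
    # Assumption: Virtual PC Shared Folders are reported the same way, since the
    # article describes them as appearing as mapped drives.
    $mapped = @(Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 4')
    foreach ($d in $mapped) {
        $findings += [pscustomobject]@{
            Check  = 'MappedDrive'
            Item   = $d.DeviceID
            Detail = "maps to $($d.ProviderName); disconnect before browsing"
        }
    }

    # A firewall enabled only on the host does not protect the guest, so every
    # firewall profile inside the guest should be enabled.
    $off = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })
    foreach ($p in $off) {
        $findings += [pscustomobject]@{
            Check  = 'FirewallProfile'
            Item   = $p.Name
            Detail = 'Windows Firewall is disabled for this profile'
        }
    }

    return $findings
}

$result = @(Test-GuestSandbox)
if ($result.Count -eq 0) {
    Write-Output 'No mapped drives found and all firewall profiles are enabled.'
} else {
    # Each row is one condition to fix before using the guest for browsing.
    $result | Format-Table -AutoSize
}
```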

Keeping a guest machine up to date with all Windows Updates, service packs, and security patches is just as important as keeping the host machine up to date. It's easy for a guest machine to fall behind on updates because it typically is turned off most of the time. It has to be running to receive updates, and the updates must not be undone when the machine is turned off. Finally, when you are actively using a virtual machine for malware analysis, consider setting your VHD files to read-only to keep any changes inside your virtual machine from being made permanent.
