ecurity threats are an ever-present concern when using the Internet. Something as simple as browsing the Internet can introduce malware into a machine. Firewalls, antivirus, and antispyware software and good judgment must be exercised at all times. But no matter how well protected your system is and how careful you are, browsing unknown Web sites puts your system at risk. Consider the highly publicized Microsoft Graphics Rendering Engine Vulnerability. An unpatched system with this vulnerability is subject to being completely taken over by an attacker. Browsing an infected Web site can be enough for this vulnerability to be exploited. Using a virtual machine for Web browsing provides an excellent defense against this type of threat.

To understand how to use a virtual machine for safer browsing, first some terminology needs to be defined:

• The physical machine on which the virtualization application (e.g., Virtual PC, Virtual Server, VMware, Xen) resides is the host machine, as in the machine that hosts the virtual machine.
• A virtual machine is a guest machine.

The entire guest operating system and programs are written into a large virtual hard disk file that resides on the host machine. (Although the figures use Microsoft Virtual PC 2004, the concepts illustrated are generic and applicable to other virtualization products.)

Figure 1. Enabling Undo Disks

Undoing a Threat

The single most valuable feature of using a virtual machine for browsing is the undo capability. Microsoft implements this with its undo disks feature. The idea is simple: Whatever takes place in the guest machine, such as inadvertently downloading spyware, is written to another file instead of the principal virtual hard disk file where the OS and applications are installed. When the browsing session ends, the guest machine is turned off without saving any of the changes that occurred while it was running.

The undo disks feature is off by default, so you must enable it. The following steps show how to configure it:

1. Select a virtual machine in the Virtual PC Console.
2. Click the Settings button.
3. Select Undo Disks.
4. Check the Enable undo disks checkbox as shown in Figure 1 and then click the OK button.

Figure 2. Discarding Change to the Undo Disk

The advantage of using the virtual machine becomes apparent when you turn off the machine (see Figure 2).

By selecting the option Turn off and delete changes, you restore the virtual machine to the exact same state it was in before it was turned on. If any malware was downloaded, it will be in the undo disk file, which is discarded. The virtual hard disk where the operating system and programs reside is untouched.

In order for safe browsing to work, the virtual machine must connect to the network. How to configure networking in a virtual machine is covered in the next section.

Enabling Network Access

Virtual PC provides two options for enabling network access via the host machine's network adapter, using either the host network adapter itself or shared networking. These options are the last two in the dropdown list of networking options in the Virtual PC settings (see Figure 3). The second from the last option (using the host network adapter) is different on every machine because it is the description of the network adapter on the physical host machine.

Figure 3. Networking Options for Host Machine's Network Adapter

Enabling the host's network adapter causes the guest machine to appear on the network as a separate machine with its own IP address. From a networking perspective, the guest functions the same way as a physical machine equipped with a network adapter. This is typically fine for a home network, but may not work in a corporate environment with a Windows domain because unless the guest machine joins the domain, it will not be authorized and may not be able to use the network. (Note: wireless networking and dialup do not work with a host network adapter.)

The other option to enable network access is Shared networking (NAT), which is referred to simply as NAT in VMware Workstation. With Shared networking enabled, Virtual PC serves as a NAT router that uses the host's IP address to access the network. Since all network access is routed through the host, you can establish network access in a tightly controlled domain. If the host is authorized to use the network, then Shared networking uses the host to connect to the network and then to the Internet. If multiple network adapters are available, you can configure Shared networking only on the first one. A guest using Shared networking cannot communicate with other guest machines on the same host. (Note: wireless networking and dialup do work with Shared networking.)

Regardless of which networking option you choose, if Windows Firewall is enabled only on the host, it will not protect the guest. You must enable Windows Firewall within the guest as well to ensure maximum protection.

Mitigating Risk

Virtual PC Shared Folders are host local drives or folders that appear as mapped drives, and they actually are functionally equivalent to mapped drives (see Figure 4). A guest machine used to browse the Internet should not use the Shared Folders feature or have any drives mapped. Network drives on the host cannot be shared using Shared Folders, and any type of drive mapping exposes the host filesystem to guest malware that targets mapped drives.

Figure 4. Media Is a Virtual PC Shared Folder; c$ Is a Mapped Drive to the Host Machine

Remember, the objective is to keep the host safe from any malware that may affect the guest, so don't connect the host's filesystem to the guest. However, at some point, you may want to use the guest's browser to download a file from the Internet and make it available to the host. The safest way to do this is to use Virtual PC's drag and drop feature to transfer files between guest and host because it does not open up a TCP/IP connection between them.

Keeping a guest machine up to date with all Windows Updates, service packs, and security patches is just as important as keeping the host machine up to date. It's easy for a guest machine to get behind on updates because it typically is turned off most of the time. It has to be running to receive updates and they must not be undone when the machine is turned off. Finally, when you are actively using a virtual machine for malware analysis, consider setting your VHD files to read-only to keep any changes inside your virtual machine from being made permanent.

Using Virtual Machines for Security Analysis

Now that you've seen how to use a virtual machine as a sort of Internet-browsing sandbox, expanding the use of the sandbox may seem logical. Using the Not connected network setting and then transferring a suspected malware file into a guest machine with drag and drop would appear to offer a safe environment for analyzing the behavior of the file. This technique might indeed work in many cases, but it could easily fail to detect malware in others. The problem is that a malicious coder can easily add code that checks whether his or her malware program is executing inside a virtual machine. The coder could program the malware to behave safely if it detects that it is running in a virtual environment. Thus, the malware would falsely pass the safety test and then run amuck inside the physical machines you wanted to protect.

Some have proposed using virtual machines to host honeypots, another security technique that may seem attractive. Should malware damage the virtual honeypot, the argument goes, the virtual machine can be reset. Once again, the malware can determine if it's running in a virtual machine and behave differently, which makes the analysis a waste of time.

With these caveats in mind, you should always undo your changes when you browse unknown Web sites. You can't assume that the virtual machine is free of malware just because it appears to be normal.

Sandboxes for Safe Browsing

No single solution will improve security, and browsing the Internet will always pose risks. By properly configuring virtual machines and using them as sandboxes for safe browsing, you can provide an additional layer of security without high cost and complexity. Unless you have confidence in and can trust the sites you are browsing, browsing within a virtual machine is a prudent approach.