XEN/QUBES END POINT SECURITY


Νικος Παπακαρασταθης

Oct 19, 2017, 1:44:20 PM10/19/17
to qubes-users
Hello

Is there any kind of endpoint security for Qubes Xen HV except isolation? Something like the usual ... internet security software used in Windows (antivirus, antispam etc. unified). If not, how for example are payments safe?

Chris Laprise

Oct 19, 2017, 4:31:08 PM10/19/17
to Νικος Παπακαρασταθης, qubes-users
On 10/19/2017 01:44 PM, Νικος Παπακαρασταθης wrote:
> Hello
>
> Is there any kind of endpoint security for Qubes Xen HV except isolation? Something like the usual ... internet security software used in Windows (antivirus, antispam etc. unified). If not, how for example are payments safe?

Hi,

The typical Qubes thinking doesn't hold threat-scanning software (which
is what I believe you're referring to) in high regard; it is seen as
offering a false sense of security or creating additional attack
surface. However, this doesn't mean you can't install AV scanners in
your VMs... it's up to you.

In addition to isolation, Qubes' templates offer some inherent
protection as well because VMs based on them can resist rootkits. This
idea is extended somewhat here:
https://github.com/tasket/Qubes-VM-hardening (the 'systemd' branch is
experimental but has an ability to scan files).

OTOH, one of the best things you can do to increase security of your
appVMs is to practice some regular caution. You can, for instance
install HTTPS Everywhere in your banking VM's browser and can even tell
it to reject non-encrypted traffic. Also, avoid clicking on links in
emails; if you copy-paste first you can review the actual domain name of
the link. And email clients like Thunderbird try to detect phishing scams.

--

Chris Laprise, tas...@posteo.net
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

yura...@gmail.com

Oct 19, 2017, 4:52:34 PM10/19/17
to qubes-users
On Thursday, October 19, 2017 at 5:44:20 PM UTC, Νικος Παπακαρασταθης wrote:
> Hello
>
> Is there any kind of endpoint security for Qubes Xen HV except isolation? Something like the usual ... internet security software used in Windows (antivirus, antispam etc. unified). If not, how for example are payments safe?

There is a good method to increase security for i.e. payments in an AppVM. If I understand you correctly, you're referring to AppVM security here, and not Qubes in general? If so, you can simply make good use of your AppVM firewall. For example, create an AppVM strictly and only for payments, then limit all internet connections in the firewall to only talk with your bank, and whichever additional services your bank may use.
Although it can be a bit of a hassle with some services, which use many different domains, and they typically change from time to time too. Either way, this way, nothing gets into your bank AppVM, except those connections you allowed in.

You can also use a more lax method, i.e. block any regular http:// and only allow https://
Furthermore you can block different types of protocols as well.

Essentially, the fewer ports, addresses and protocols are allowed, the harder it becomes for an attacker to find a weak attack surface to exploit. Especially if that AppVM only connects to your bank and its bank services, and absolutely nothing else.

You can do something similar with buying online, although it's a bit more tricky due to the many different websites.

Also there is very little malware for Linux (and thereby Qubes), and if any, it typically hides in your Firefox cache or something, in your home folder, apparently capable of exploiting security holes in Firefox. Something like that. But that's easily fixed with a clean-up, especially if you don't visit dodgy websites with your bank AppVM.

You should be more worried about hack attacks than malware, and if you do a good job securing your system, you're narrowing down the number of hackers who can actually pull such an attack off. I.e. if you stay ahead of the script kiddies and poor hackers, and you're not infamous in the world, then you're probably unlikely to get hacked by someone skilled.

Disclaimer, someone might know better and correct me. Feel free to do so if I got anything wrong.

a.mc...@yandex.com

Oct 19, 2017, 6:27:39 PM10/19/17
to qubes-users
Hi,
If you want to scan your traffic for malicious code or for indicators of compromise, you may consider installing a 2nd firewall VM with pfSense or OPNsense as the system. They allow you to install Snort/Suricata in IPS mode. In addition, OPNsense (don't remember that in pfSense) allows you to turn on a ClamAV module and scan traffic for viruses.
Or you may install Snort/Suricata on a separate VM, but it is not as easy as a *sense installation.

[799]

Oct 20, 2017, 12:57:07 PM10/20/17
to nipa...@gmail.com, qubes...@googlegroups.com
-------- Original Message --------

On 19 Oct 2017, 19:44, Νικος Παπακαρασταθης wrote:

>> Hello Is there any kind of endpoint security
>> for Qubes Xen HV except isolation?

If you talk about Qubes, I understand the Qubes hypervisor (Xen) and maybe dom0 as the management VM.
For both of them endpoint security is not needed, as all data manipulation and data access is done in specific AppVMs.


>> Something like usual ...internet security
>> software used in windows(antivirus
>> antispam etc unified).

Honestly I think that all those internet security suites don't offer additional safety.
As they have to be integrated deeply into the OS to be secured against manipulation of the software itself, it is also likely that new security holes will be opened.

Also, people who think that an antivirus product will help them forget to use drive encryption, which would offer protection in case the device is lost, or use bad passwords.
Security is much more than antivirus.

I am working in IT and don't use any internet security suite except on one Windows laptop which is brought to customers, and customer compliance policies force us to work with antivirus protection.
On my own machines I have abandoned the use of additional "protection software" except the default protection from the OS itself.
I haven't got a virus/trojan within years.

All my customers who have been hit by viruses, mostly crypto Trojans, had antivirus protection running without it offering any help.

There are only two products which will offer the best protection:
bra.in + TBYC*

If you add Qubes and use AppVMs wisely you will have better protection than 95% of all users.

*ThinkBeforeYouClick


>> If not how for example
>> payments are safe?

Very easy:
- Create an AppVM and use plugins like NoScript, HTTPS Everywhere, adblockers etc.
- Set the Qubes firewall (sys-firewall) to block all traffic and use a whitelist only allowing access to the banking site.

I am using this to work with 3 different banking accounts; sometimes you need to tweak a bit to find out which other IPs are necessary so that the banking works.

Another option could be to use a disposable VM.

[799]
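The whitelist setup described by yura...@gmail.com and [799] above, modelled as an added example (not code from the thread or from Qubes itself): rules are evaluated first-match, the explicit final drop makes the policy default-deny, and each rule can be rendered as the `qvm-firewall` command that would apply it. The `qvm-firewall VM add ...` syntax and the fresh-AppVM default of a single accept rule are assumptions about Qubes 4.x; the bank and resolver hostnames are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A connection attempt leaving the AppVM: (destination host, protocol, destination port).
Conn = Tuple[str, str, int]

@dataclass(frozen=True)
class Rule:
    action: str                          # "accept" or "drop"
    dsthost: Optional[str] = None        # None matches any destination host
    proto: Optional[str] = None          # None matches any protocol
    dstport: Optional[int] = None        # None matches any destination port
    specialtarget: Optional[str] = None  # "dns" = name resolution (simplified to port 53 here)

    def matches(self, conn: Conn) -> bool:
        host, proto, port = conn
        if self.specialtarget == "dns":
            return port == 53
        return ((self.dsthost is None or self.dsthost == host)
                and (self.proto is None or self.proto == proto)
                and (self.dstport is None or self.dstport == port))

    def as_qvm_firewall(self, vm: str) -> str:
        """Render as a Qubes 4.x command line (assumed syntax; check `qvm-firewall --help`)."""
        parts = [self.action]
        for key, val in (("dsthost", self.dsthost), ("proto", self.proto),
                         ("dstports", self.dstport), ("specialtarget", self.specialtarget)):
            if val is not None:
                parts.append(f"{key}={val}")
        return f"qvm-firewall {vm} add " + " ".join(parts)

def decide(rules: List[Rule], conn: Conn) -> str:
    """First matching rule wins; anything no rule matches is dropped (default deny).
    Order matters: a catch-all drop placed first would block the bank as well."""
    for rule in rules:
        if rule.matches(conn):
            return rule.action
    return "drop"

# Assumed fresh-AppVM state in Qubes 4.x: one catch-all accept rule, everything allowed out.
DEFAULT_POLICY = [Rule("accept")]

# Constructed banking policy: the bank over HTTPS only, DNS, then drop everything else.
BANK_POLICY = [
    Rule("accept", dsthost="onlinebanking.example.com", proto="tcp", dstport=443),
    Rule("accept", specialtarget="dns"),
    Rule("drop"),
]
```

With BANK_POLICY the bank over HTTPS and DNS are accepted, while the same bank over plain HTTP and any third-party host are dropped; with DEFAULT_POLICY everything is accepted.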

Νικος Παπακαρασταθης

Oct 20, 2017, 3:05:32 PM10/20/17
to qubes-users
Hello, I think every response is adding a lot for me, and this is not kindness but I mean it, and thank you very much everyone. Somewhere on the Qubes site it is mentioned that it is not a Linux-based OS but a Xen HV. So on my question on internet security I got the answers I was looking for, but I am searching too whether the Xen bare-metal hypervisor can be secured that way, not only the virtual machines on it. I do not know even if this exists or even if it is an unearthed question. It is asked for educational reasons too.

[799]

Oct 21, 2017, 9:08:32 AM10/21/17
to Νικος Παπακαρασταθης, qubes-users
Hello,

>> Somewhere on the Qubes site it is mentioned that it is not a Linux-based OS but a Xen HV.

True, the management VM (dom0) is a Fedora-based VM.

>> So on my question on internet security I got the answers I was looking for, but
>> I am searching too whether the Xen bare-metal hypervisor can be secured that way,
>> not only the virtual machines on it.

The question you're asking (as far as I understand it) is "is there something like antivirus/antimalware for Qubes OS?"
The question should maybe be more something like:
- what kind of attacks put my privacy/data at risk?
- how likely are they and who can run those attacks?
- where do they happen?
- how much budget (mainly time, as additional security most of the time results in less comfort) am I willing to spend?

When I started with Qubes I took a piece of paper and drafted an idea of how I wanted to separate data and workspaces.
This was a guide to start the journey and was adapted to my workflow.

A good starting point showing the possibilities can be found here (even though it is some days old):

[799]

Sven Semmler

Oct 23, 2017, 7:18:20 PM10/23/17
to qubes-users, yura...@gmail.com
On 10/19/2017 03:52 PM, yura...@gmail.com wrote:
> If so, you can simply make good use of your AppVM firewall. For
> example create a AppVM strictly and only for payments, then limit
> all internet connections in the firewall to only talk with your
> bank, and whichever additional services your bank may use. Although
> it can be a bit of a hassle with some services, who use many
> different domains, and they typically change too from time to time.
> Either way, this way, nothing gets into your bank AppVM, except
> those connections you allowed in.

That was my initial setup. I had a banking VM, a shopping VM and an
"untrusted web" VM. First I got rid of the "untrusted web" VM in favor
of just doing all non-logged-in browsing in a disposable VM.

Soon I realized that keeping the firewall configuration of the
shopping VM working was a constant battle ... so I got rid of it too.
Instead I am using a disposable VM instance, the additional step of
logging in isn't that painful (KeepassX in the vault VM and Qubes
Copy&Paste support).

Finally I didn't see the point in a dedicated banking VM anymore and
started using a disposable VM for that too.

Looking at my domains now, I have only one that is online and with
firewall rules (email). All others are offline (dev, office, vault).
All web browsing happens in a disposable VM.

I am pretty happy with that and am under the impression that this is
probably the safest I can get. Obviously this is only safe /
compartmentalized if one opens a new disposable VM for each
destination, which is reasonably fast on my machine.

/Sven
