DaemonForums  

OpenBSD Security Functionally paranoid!

  #1   (View Single Post)  
Old 26th July 2008
uptonm uptonm is offline
Port Guard
 
Join Date: Jun 2008
Posts: 14
Default highly secure virtual machine

I was thinking it would be nice to install OpenBSD and install some virtual machine software, and have several different operating systems to choose from. Then I could run the OS of my choice and if there was a problem (security), complete reversion back to an old copy of an OS would be trivial.

I looked at Xen, it seemed interesting to try the hypervisor route, with OpenBSD if possible as the basic dom0 operating system. However I'd like to play games and such, in Windows too (I don't like WINE or Cedega for games. Just Winders. That's what it does best.). I wonder if there would be a problem with getting the nvidia drivers installed. It seems likely there would be, I don't know if the graphics hardware is emulated or what.

I was wondering if there is a highly secure virtual machine option so that I could run my windows, play games, use Linux or any other OS, (perhaps another OpenBSD) for browsing the net. not worry about getting 'sploited. Back up from an earlier copy of the OS if I am.

This is a nice daydream, but is it possible? I've got a quad core q6600, 4 gigs of ram, 500 gig SATA 3.0, so I think I have the hardware for this. I've got an Nvidia Geforce 8800gt for the games.

Any input?
  #2   (View Single Post)  
Old 26th July 2008
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Banned
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Default

You have options for "emulation", bochs and qemu are in ports.. neither are viable for "virtualization".. guest OS's will be still quite slow.

Now, 3D acceleration is in its infancy with OpenBSD.. it's not in 4.3 by default, it probably won't be in 4.4 either.. and what little support is there won't benefit Nvidia graphics cards, the only driver available is the 2D only Xorg "nv" driver.

Sorry to burst your bubble...
  #3   (View Single Post)  
Old 26th July 2008
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125
Default

How about getting a second hand P4 system, install Windows on it and be done?

Or equip your current box with a removable hard disk slot and buy a second disk for Windows. When you want to play games, take out the OBSD disk and insert the Windows disk.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
  #4   (View Single Post)  
Old 27th July 2008
DrJ DrJ is offline
ISO Quartermaster
 
Join Date: Apr 2008
Location: Gold Country, CA
Posts: 507
Default

Quote:
Originally Posted by uptonm View Post
I was wondering if there is a highly secure virtual machine option so that I could run my windows, play games, use Linux or any other OS, (perhaps another OpenBSD) for browsing the net.

This is a nice daydream, but is it possible?
Not really. You can forget running games in a software-based VM, and those on *BSD are not that good anyway. Support for things like Xen is lagging behind, though Net has it.

Sadly, the reverse works OK. You can run your games in Windows, and run Open (or whatever) in VirtualBox or VMware. Not the best for security, but you could at least do it all on one box.
  #5   (View Single Post)  
Old 27th July 2008
uptonm uptonm is offline
Port Guard
 
Join Date: Jun 2008
Posts: 14
Default

it's alright I can triple boot, I guess. how secure are virtual machines? is there anything that will entirely insulate me from any viruses? I could just use the windows partition for gaming.
  #6   (View Single Post)  
Old 27th July 2008
DrJ DrJ is offline
ISO Quartermaster
 
Join Date: Apr 2008
Location: Gold Country, CA
Posts: 507
Default

Quote:
Originally Posted by uptonm View Post
how secure are virtual machines? is there anything that will entirely insulate me from any viruses?
Not to seem rude or snotty, but the best way to avoid viruses is to be behind a reasonable router/firewall and practice "safe internet." That means no porn, warez, gambling and the like (including good email practices). I don't bother with running Windows anti-malware software anymore, but I do check every six months or so and never find anything.

More to your question, the application running in the VM itself is secure. However, the host OS still runs the VM software and handles the real and virtual hardware. So you are still susceptible to malware on the host.

It seems backwards, but that's how it is if you want to game and wish to avoid Wine. Otherwise, both Linux and Solaris are better on the VM front than the BSDs.
  #7   (View Single Post)  
Old 27th July 2008
uptonm uptonm is offline
Port Guard
 
Join Date: Jun 2008
Posts: 14
Default

Quote:
Originally Posted by DrJ View Post
Not to seem rude or snotty, but the best way to avoid viruses is to be behind a reasonable router/firewall and practice "safe internet." That means no porn, warez, gambling and the like (including good email practices).
That's fine for many, but my bro lives with me, and I have repeatedly talked to him about keeping safe on the internet, but he is mildly retarded and has his own idea on things. He's always getting infected, some of the viruses are pretty bad and I'd just really prefer to feel safe on my computer. If that was the end all be all of computer security, there would be no need for OpenBSD.

I need to put my brother on a Linux box on a separate network.

Also, I'm into web design and I have an interest in social networking/chat applications. You never know who it is you're talking to on the other end of the screen, and although the majority of people do not have "hacking" skills, and the greater majority of hackers are script kiddies, I'd just like to feel safe. I've run into some weirdos before and I apparently have an online stalker. I've got stuff I'm writing right now that I'd really prefer nobody reads until it's finished. I guess I need another computer disconnected from the network, or internet.

Last edited by uptonm; 27th July 2008 at 01:22 AM.
  #8   (View Single Post)  
Old 27th July 2008
DrJ DrJ is offline
ISO Quartermaster
 
Join Date: Apr 2008
Location: Gold Country, CA
Posts: 507
Default

Quote:
Originally Posted by uptonm View Post
Also, I'm into web design and I have an interest in social networking/chat applications. You never know who it is you're talking to on the other end of the screen, ... I'd just like to feel safe. I've run into some weirdos before and I apparently have an online stalker.... I guess I need another computer disconnected from the network, or internet.
Multiple computers might really be best. You can use a (largely-disconnected) one for gaming, and use a BSD for your web stuff. Same for your brother. Hardware really is inexpensive these days -- an old P4 as mentioned above really is fine for most things, and you can cobble them together for very small sums of money. A KVM can help with the peripherals.

Personally, I use three computers most of the time: my main FreeBSD box, a W2K box for some applications that will never be on BSD, and a BSD server. I have a couple of VMs on the main box (which also dual boots with XP), and I use those for light-duty things. But when I have to do something serious, I just move across the room. It is not optimal, but it does work well enough.

Personally I find dual-booting to be a major pain. The VMs on BSD are just not that good. The real hardware just works better. But you do have to find your own way to fit with what you would like to do (and your budget).
  #9   (View Single Post)  
Old 27th July 2008
uptonm uptonm is offline
Port Guard
 
Join Date: Jun 2008
Posts: 14
Default

I think that's a great idea. I have an old p4 sitting next to me actually, I'll pop OpenBSD on that and do whatever internet stuff I do on that one.
Old 27th July 2008
DrJ DrJ is offline
ISO Quartermaster
 
Join Date: Apr 2008
Location: Gold Country, CA
Posts: 507
Default

One thing you might want to check first: do any of your Web excursions rely on Flash? Free supports Flash7, which is OK for YouTube but little else; I run Windows Firefox in Wine and use Flash9 in that. I'm no Open expert, but I'd bet its support is no better than Free. If you require Flash9, you may want to think about it.

Otherwise, I think you have a plan.
Old 27th July 2008
uptonm uptonm is offline
Port Guard
 
Join Date: Jun 2008
Posts: 14
Default

not sure on that one. I do use some flash on websites, although I don't develop in flash myself. Maybe someday. Well, I guess I will see how things work soon enough anyways.
Old 27th July 2008
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,318
Default

Quote:
Originally Posted by uptonm View Post
I was wondering if there is a highly secure virtual machine option...
According to traffic on misc@, the answer is "no".
Old 27th July 2008
DrJ DrJ is offline
ISO Quartermaster
 
Join Date: Apr 2008
Location: Gold Country, CA
Posts: 507
Default

Well, I meant the suggestion as, do you need Flash9 for the chat sites where you want the security? The other is of course a concern, but the sites you write can always use Flash7.
Old 27th July 2008
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Banned
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Default

This is the OpenBSD section DrJ, wine is practically useless here.... there is opera-flashplugin in ports, but that uses Linux emulation for both the browser and the plug-in, hardly efficient.

Flash is such an annoying concept.. if I met the person responsible for that, I'd step on their toes.
Old 27th July 2008
DrJ DrJ is offline
ISO Quartermaster
 
Join Date: Apr 2008
Location: Gold Country, CA
Posts: 507
Default

Quote:
Originally Posted by BSDfan666 View Post
This is the OpenBSD section DrJ, wine is practically useless here....
I'm aware of that (and the very old version that Open uses). The request sounded to me like "I need security!" so let's look at Open. Not unreasonable, but there is more to the OS than just that.

Am I incorrect that use of recent Flash players is an issue with Open? And that VMs on an Open host are not great? That Xen does not have an Open Dom0?
Old 27th July 2008
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,318
Default

Quote:
Originally Posted by DrJ View Post
Am I incorrect that use of recent Flash players is an issue with Open? And that VMs on an Open host are not great? That Xen does not have an Open Dom0?
Correct. Flash support is currently sporadic & Xen support is incomplete. There had been a Xen effort nearing completion, but motivation appears to have waned.
Old 27th July 2008
uptonm uptonm is offline
Port Guard
 
Join Date: Jun 2008
Posts: 14
Default

Quote:
Originally Posted by BSDfan666 View Post
This is the OpenBSD section DrJ, wine is practically useless here.... there is opera-flashplugin in ports, but that uses Linux emulation for both the browser and the plug-in, hardly efficient.

Flash is such an annoying concept.. if I met the person responsible for that, I'd step on their toes.
http://www.burntfaceman.com/

I love flash but I'm interested in your opinion to the contrary.

edit: is it because it's not open?

Last edited by uptonm; 27th July 2008 at 08:20 PM.
Old 27th July 2008
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Banned
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Default

I don't like it, unappealing.. there are more effective means for interactive content on the Internet.

And even if I did like it, it's simply not available..
Old 27th July 2008
ai-danno ai-danno is offline
Spam Deminer
 
Join Date: May 2008
Location: Boca Raton, Florida
Posts: 284
Default

Quote:
Originally Posted by uptonm View Post
http://www.burntfaceman.com/

I love flash but I'm interested in your opinion to the contrary.

edit: is it because it's not open?
This thread might explain things a bit further-
http://www.daemonforums.org/showthread.php?t=1103
__________________
Network Firefighter
Old 27th July 2008
uptonm uptonm is offline
Port Guard
 
Join Date: Jun 2008
Posts: 14
Default

Quote:
Originally Posted by ai-danno View Post
This thread might explain things a bit further-
http://www.daemonforums.org/showthread.php?t=1103
good thread. raised a lot of good points.
I think, after looking at the thread, perhaps flash ought not to be used as the entire design of a site, but thought of as a fancy animated image which seemed to be a more common use once. it's right on about navigation. however I suppose another way of looking at it is, if you don't have the pc for it, you can't use the application, and in this case the website. I run into this problem, or used to when playing games and it's certainly not the developer's fault always, or anybody's for that matter. I still love flash though. sad that adobe will not make flash 9 for bsd when they use open for http://www.openbsd.org/users.html#com

is there any one reason they don't?
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick