Status
Not open for further replies.

MalwareDoctor

Moderator
Verified
Staff member
Hello,

I intend on doing some AV testing in VMware. What is the most secure network connection, bridged or NAT, because I have heard pros and cons about both. Thanks
 
I think this thread could be moved since it does not seem to be an introduction. Possibly here: http://malwaretips.com/Forum-Other-Security-Related-Discussions
Hotrod123, I see you already posted here: http://malwaretips.com/Thread-Protecting-Host-Machine-from-Malware-escaping-a-VM?pid=66522#pid66522. It is just a matter of time until someone posts back to you.
 

McLovin

Level 73
Verified
Trusted
Malware Hunter
Have not done this in a while, but I say NAT, but that's just me.
 

Plexx

NAT is better than Bridge. However, sometimes I do lose connection on NAT for some odd reason. Nevertheless, you still need to know what you are doing.
 

MalwareDoctor

Moderator
Verified
Staff member
Thanks, I appreciate your opinion and fast response. When you tested malware in the VM, were there other machines on the network and had they ever gotten infected during testing with NAT?
 

HeffeD

New Member
Hotrod123 said:
What is the most secure network connection, bridged or NAT,
Neither is more secure than the other.

NAT is a better choice for helping to isolate your VM from your LAN, but there is always risk involved when you're playing with malware.

Using NAT for a VM is a lot like connecting to the internet behind a NAT enabled router. Your host machine is acting a bit like a NAT router between your VM and your LAN.
 

Plexx

HeffeD said:
Hotrod123 said:
What is the most secure network connection, bridged or NAT,
Neither is more secure than the other.

NAT is a better choice for helping to isolate your VM from your LAN, but there is always risk involved when you're playing with malware.

Using NAT for a VM is a lot like connecting to the internet behind a NAT enabled router. Your host machine is acting a bit like a NAT router between your VM and your LAN.
Wouldn't defining a Dedicated Virtual Network in VMware be a better option for malware testing?

Edit: By having a Dedicated Virtual Network, I was unable to configure it to have internet access.

Perhaps having it as NAT but disabling the VMnet8 network adapter on the host would do the trick? VMnet8 is by default the NAT adapter for VMware.
 

MalwareDoctor

Moderator
Verified
Staff member
I tried using a LAN segment on my VM, but I had no internet connection. Is there any way I could isolate my VM using VLAN settings for network isolation purposes?
 

Plexx

Only thing I can think of is to set 2 VMs to be running. Have machine one connected and activated as host only, have machine 2 be host only and add a second NIC as bridge and manually configure the NAT settings.

You will then ensure that machine one is looking at machine 2 as a gateway or something like that.

In theory it looks like it works, but I might be missing something here.
 

HeffeD

New Member
Biozfear said:
Wouldn't defining a Dedicated Virtual Network in VMware be a better option for malware testing?
Yep. This is a great guide for setting up an isolated network. VMware Network Isolation for a Malware Analysis Lab

Biozfear said:
Edit: By having a Dedicated Virtual Network, I was unable to configure it to have internet access.
Well that's the rub isn't it? We want an isolated network, but we want it to be able to access the internet through the host? (I want a HIPS, but what is with all of these popups? :p ) Any time you make usability concessions, you're decreasing security.

Which, by the way, reminds me: don't install VMware Tools on the guest machine if you're playing with malware. The guest tools add usability, but by their nature make a backdoor to the host machine. I'm not aware of any malware that has exploited this, but there is always tomorrow. :s

Biozfear said:
Only thing I can think of is to set 2 VMs to be running. Have machine one connected and activated as host only, have machine 2 be host only and add a second NIC as bridge and manually configure the NAT settings.

You will then ensure that machine one is looking at machine 2 as a gateway or something like that.

In theory it looks like it works, but I might be missing something here.
I read something a while ago about someone using a technique similar to this. I've been looking for it again and have been unable to find it... :blush:

I don't know if it will work or not.
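
Added example, not part of any post in this thread and not VMware's own tooling: a small Python audit that reads a VM's .vmx file and reports which adapters are attached and in which mode, covering the bridged, NAT, host-only and LAN-segment options discussed above. The sample .vmx text is constructed, and treating an attached adapter with no `connectionType` as bridged is an assumption.

```python
import re

# Constructed sample .vmx text (not taken from the thread).
SAMPLE_VMX = '''
displayName = "malware-lab"
ethernet0.present = "TRUE"
ethernet0.connectionType = "hostonly"
ethernet1.present = "TRUE"
ethernet1.connectionType = "bridged"
ethernet2.present = "FALSE"
ethernet2.connectionType = "nat"
sharedFolder0.present = "TRUE"
'''

# What each adapter mode lets the guest reach.
EXPOSURE = {
    "pvn": "LAN segment: other guests on the same segment only",
    "hostonly": "host-only: the host and other host-only guests",
    "custom": "custom VMnet: depends on how that VMnet is set up",
    "nat": "NAT: outbound traffic leaves through the host's address",
    "bridged": "bridged: guest sits directly on the physical LAN",
}
LAN_FACING = {"nat", "bridged"}

def parse_vmx(text):
    """Return {lowercased key: value} for every key = "value" line."""
    pairs = re.findall(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$', text, re.MULTILINE)
    return {key.lower(): value for key, value in pairs}

def audit(text):
    """Return (adapter findings, LAN-facing adapters, shared folders enabled)."""
    cfg = parse_vmx(text)
    nics = sorted({k.split(".")[0] for k in cfg if re.match(r"ethernet\d+\.", k)})
    findings = []
    for nic in nics:
        if cfg.get(nic + ".present", "FALSE").upper() != "TRUE":
            continue  # defined in the file but not attached to the guest
        # Assumption: an attached adapter with no connectionType is bridged.
        mode = cfg.get(nic + ".connectiontype", "bridged").lower()
        findings.append((nic, mode, EXPOSURE.get(mode, "unknown mode")))
    lan_facing = [nic for nic, mode, _ in findings if mode in LAN_FACING]
    # Shared folders are a host-guest channel that relies on the guest tools.
    shared = any(k.startswith("sharedfolder") and k.endswith(".present")
                 and v.upper() == "TRUE" for k, v in cfg.items())
    return findings, lan_facing, shared

if __name__ == "__main__":
    for row in audit(SAMPLE_VMX)[0]:
        print(*row, sep="  ")
```

Running it against the .vmx of a lab VM before each session gives a quick check that no adapter has been left in bridged or NAT mode by accident.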
 

Plexx

Although in essence it is having 2 VMs running with one configured to be the gateway, I have been unable to recreate this thought.

Here is what I did:
1. OS1 was set with Host Only adapter.
2. OS2 was set with Host Only adapter. I then added another NIC and set it as Bridged.
3. Set OS1 to look at the DHCP data from OS2.
4. Configure OS2's Bridged connection according to NAT data.
5. At this stage I am sure one thing is missing, since despite appointing OS2 as the default gateway for OS1, I still can't connect to the internet via OS1 or even OS2. Yet, I can see OS2 from OS1 and vice versa.
 

MalwareDoctor

Moderator
Verified
Staff member
Biozfear said:
Although in essence it is having 2 VMs running with one configured to be the gateway, I have been unable to recreate this thought.

Here is what I did:
1. OS1 was set with Host Only adapter.
2. OS2 was set with Host Only adapter. I then added another NIC and set it as Bridged.
3. Set OS1 to look at the DHCP data from OS2.
4. Configure OS2's Bridged connection according to NAT data.
5. At this stage I am sure one thing is missing, since despite appointing OS2 as the default gateway for OS1, I still can't connect to the internet via OS1 or even OS2. Yet, I can see OS2 from OS1 and vice versa.


Please report back if you find anything that works.
 