Qubes OS – Page 2 – WindowsTechs.com

Qubes OS or TENS for security? Is Qubes a good idea for a total beginner?

Posted on November 27, 2018 by whatostouse

What would be the most appropriate to use for as much security as possible? TENS looks very simple and straightforward, which is why I like it. However I have barely seen anyone suggesting it, I suppose they don’t trust its d… Continue reading Qubes OS or TENS for security? Is Qubes a good idea for a total beginner?→

Does full disk encryption offer mitigation in the case of the firmware of an SSD being compromised?

Posted on October 29, 2018 by ssdhddinfected

Suppose the firmware of an SSD or HDD has been compromised by rogue actors either through “interdiction” (interception) or via the internet. They are able to exfiltrate data and conduct surveillance at will without my knowled… Continue reading Does full disk encryption offer mitigation in the case of the firmware of an SSD being compromised?→

Qubes OS extended security

Posted on July 2, 2018 by NetCoder

If you remove the drive Tails OS is running on, it will instantaneously shutdown and wipe the RAM.

I know that scripts exist that wipe RAM in Qubes OS but it’s not fully… functional as a security measure. Also it doesn’t s… Continue reading Qubes OS extended security→

Should I wait until Spectre and Meltdown is fixed in hardware?

Posted on June 9, 2018 by BerryResponsible

I have a Laptop that needs replacing due to age.

I will be using this laptop for desktop use, including Office Apps, Development, Running VMs & Web Browsing. I will be using separation using Qubes/Xen, KVM or Virtualb… Continue reading Should I wait until Spectre and Meltdown is fixed in hardware?→

Isolated Application Firewall VM on Qubes OS

Posted on August 20, 2017 by JumpAlways

In Qubes OS, is there a way to set up a FirewallVM with an Application Firewall running inside that can pop up dialogs always on top to let the user decide where to accept or not a connection?

Problems:
1) Unprivileged VM wi… Continue reading Isolated Application Firewall VM on Qubes OS→

Do new RYZEN CPU series support Rapid Virtualization Indexing (RVI), aka nested page tables or Second Level Address Translation (SLAT)?

Posted on February 24, 2017 by FredericMARTIN

RVI is required by Windows Hyper-V…
RVI will be required by QubeOS 4…

Lots of info about the new RYZEN CPU Series but as far as I know, no news about RVI support ? So, any source to point at about this ?

[EDIT] my quest… Continue reading Do new RYZEN CPU series support Rapid Virtualization Indexing (RVI), aka nested page tables or Second Level Address Translation (SLAT)?→

Networking in Qubes OS

Posted on January 31, 2017 by JumpAlways

I’ve started recently to use Qubes OS and I want to set up a virtual IDS and IPS in separate VMs, but I can’t figuring out how the comunications between different VMs works here.

Each VM should be isolated and all the connections handled by a separate FirewallWM (sys-firewall), which is connected to the NetWM (sys-net), which, in the basic configuration, is the only one which has Network Device attached (Ethernet and WiFi cards).

I’ve read the iptables in all VMs and I found the VM Manager set up automatically a DNAT Redirection to let the DNS packets (port 53) exit thought sys-net, but I can’t understand how all the packets can go through each layer and return back to the different original sources AppVM connected through sys-firewall.

For what concerns the IDS and IPS, I can easily handle and filter packet base on the content, but I can’t think how to fiter, for example, Source IP based on a blacklist, since I can’t see the real origin and since each VM is a separate system which can be based on differents Template (Fedora, Debian, Whonix, …) I think the Packet Options can be altered.

So, the iptables and the auditings like Psad can only be placed in the VM that is directly connected to the Router?

Some basic infos

Qubes OS is a system based on Isolation through Hardware Virtualization Technology that let you run different Domains (Personal, Work, Untrusted, … ) based on different Systems (Templates) on VMs and each instance is complete separate from others, so that if one get compromised, the system remains clean and fully usable
You can choose what devices attach to a VM and detach from it, so in the standard and savy configuration you have a sys-net machine wich is the only one that can connect to Internet (Ethernet/WiFi attached) and a sys-firewall machine which handle all the connections and pass through sys-net, so you have 2 level (you can add more) of isolation for the other domains (ex. PublicWiFi -> sys-firewall -> sys-net, Trusted -> sys-firewall -> sys-net )

I’ll post the sys-firewall and sys-net ifconfig and iptables-save outputs, to give you all the details.

VMs Details:

             me | updbl |  type |         netvm |          ip |    ip back | gateway/DNS |
----------------+-------+-------+---------------+-------------+------------+-------------+
         {dom0} |   Yes | Admin |           n/a |  10.137.0.2 | 10.137.0.1 |         n/a |
      {sys-net} |       |   Net |           n/a |        None | 10.137.1.1 |         n/a |
 {sys-firewall} |       | Proxy |       sys-net |  10.137.1.8 | 10.137.2.1 |  10.137.1.1 |
   {sys-whonix} |       | Proxy |  sys-firewall | 10.137.2.10 | 10.137.3.1 |  10.137.2.1 |
      {sys-usb} |       |   Net |           n/a |        None | 10.137.4.1 |         n/a |
    [fedora-23] |   Yes |   Tpl | *sys-firewall |  10.137.2.3 |        n/a |  10.137.2.1 |
      untrusted |       |       | *sys-firewall |  10.137.2.9 |        n/a |  10.137.2.1 |
     [debian-8] |   Yes |   Tpl |  sys-firewall |  10.137.2.4 |        n/a |  10.137.2.1 |
       personal |       |       |             - |        None |        n/a |         n/a |
    [whonix-gw] |   Yes |   Tpl |    sys-whonix |  10.137.3.5 |        n/a |  10.137.3.1 |
    [whonix-ws] |   Yes |   Tpl |    sys-whonix |  10.137.3.6 |        n/a |  10.137.3.1 |
    anon-whonix |       |       |    sys-whonix | 10.137.3.11 |        n/a |  10.137.3.1 |

sys-firewall iptables:

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

:PR-QBS - [0:0]
:PR-QBS-SERVICES - [0:0]

-A PREROUTING -j PR-QBS
-A PREROUTING -j PR-QBS-SERVICES

-A POSTROUTING -o vif+ -j ACCEPT
-A POSTROUTING -o lo -j ACCEPT
-A POSTROUTING -j MASQUERADE

-A PR-QBS -d 10.137.2.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 10.137.1.1
-A PR-QBS -d 10.137.2.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.137.1.1

-A PR-QBS -d 10.137.2.254/32 -p udp -m udp --dport 53 -j DNAT --to-destination 10.137.1.254
-A PR-QBS -d 10.137.2.254/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.137.1.254

sys-firewall ifconfig:

eth0      Link encap:Ethernet  HWaddr 00:16:3e:5e:6c:06  
          inet addr:10.137.1.8  Bcast:10.255.255.255  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:N errors:0 dropped:0 overruns:0 frame:0
          TX packets:N errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:N errors:0 dropped:0 overruns:0 frame:0
          TX packets:N errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1

sys-net iptables:

COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

:PR-QBS - [0:0]
:PR-QBS-SERVICES - [0:0]

-A PREROUTING -j PR-QBS
-A PREROUTING -j PR-QBS-SERVICES

-A POSTROUTING -o vif+ -j ACCEPT
-A POSTROUTING -o lo -j ACCEPT
-A POSTROUTING -j MASQUERADE

-A PR-QBS -d 10.137.1.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.1
-A PR-QBS -d 10.137.1.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.1.1

-A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT

sys-net ifconfig:

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1  (Local Loopback)
        RX packets N bytes N
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets N bytes N
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vif62.0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.137.1.1  netmask 255.255.255.255  broadcast 0.0.0.0
        ether fe:ff:ff:ff:ff:ff  txqueuelen 32  (Ethernet)
        RX packets N bytes N
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets N bytes N
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlp0s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.4  netmask 255.255.255.0  broadcast 192.168.1.255
        ether 30:3a:64:3a:a2:2d  txqueuelen 1000  (Ethernet)
        RX packets N bytes N
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets N bytes N
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Continue reading Networking in Qubes OS→

Is Qubes OS more secure than running a set of activity related VMs?

Posted on June 25, 2016 by mumbles

I’d like to skip the argument about Linux being more secure than Windows, and purely focus on the security boundaries between Host OS and VMs.

Is Qubes OS theoretically more secure than say – Windows 10 running a few isolated activity rel… Continue reading Is Qubes OS more secure than running a set of activity related VMs?→

Subgraph OS — Secure Linux Operating System for Non-Technical Users

Posted on March 4, 2016 by Swati Khandelwal

Information security and privacy are consistently hot topics after Edward Snowden revelations of NSA’s global surveillance that brought the world’s attention towards data protection and encryption as never before.

Moreover, just days after Windows 1… Continue reading Subgraph OS — Secure Linux Operating System for Non-Technical Users→