Security breach?

I'm running two virtual machines on a VMware server, which is being ran on a laptop host, that is connected directly to my company's network. The problem is, on Wednesday, I decided to set up a NAT server for practice.

I configured (virtual) Server 1 with two network cards, the first one had a static ip address, and was on a private nerwork, the second one I configured to share the host's ip address, and configured it on the virtual machine to receive its ip address from DHCP (ie my company's DHCP server). I called it MyIsp.

Then I went into the routing and remote access console, and added the NAT/Basic firewall protocol. I added the MyIsp connection as interface, and it was up and running. But I did not try to connect to any networks through this NAT server myself, yet I saw that some packets were received and some were rejected, before I disabled the MyIsp connection in network connections. Thus rendering the NAT server useless.

What I'm wondering is, was it a security breach to connect that NAT server directly to my company's network, even if I did not configure it with any static routes, or anything else (address pools) that would allow it to communicate with my company's network, except the fact that it was directly connected to it through the (laptop) host? Surely to even be able to use this NAT server, you had to set it as a gateway? There were no anti virus or firewall applications running on the virtual machine, but my laptop is protected with both.

What I'm worried about is, whether I allowed someone access into my comapny's network? Of course I should have done this sort of excersise at home, where there are no sensitive data.

Find more posts tagged with

Comments

dynamik

Although it was a VM, you still connected an unauthorized machine to your companies network. That's probably against their security policy.

Even if you didn't configure NAT, when your bridge your connections (which is what it sounds like what you did with the MyISP connection), you're on the network. If it receives a DHCP address or if you can do anything else (i.e. visit websites) it's on the network.

I'm not following how you think someone else could have access the network though. While I agree that you shouldn't experiment with things on a live network, I don't see how a security breach could have occurred.

Goldmember

So basically the question is

1) Will my virtual machine be protected by my laptop anti-virus and firewall if I run VMWare?

I was wondering the same thing when I fired up my virtual machine the other day.

For some reason I don't think its protected by the firewall and anti-virus by default.

There might need to be some extra configurations.

dynamik

It'll be protected by the firewall from anything outside of the laptop because the firewall is on that interface. It won't be protected from anything coming from the laptop or other VMs.

The only way AV would work is if it analyzes network traffic and catches something coming in over the network. I don't think most client AV utilities work this way. I think they either scan upon the completion of the download or when the file is ran/opened. It would offer no protection if you did something like opening an infected file off a thumb drive in the VM, or something like that. I would not count on the laptops AV to protect any of your VMs.

Dracula28

dynamik wrote:

Although it was a VM, you still connected an unauthorized machine to your companies network. That's probably against their security policy.

Even if you didn't configure NAT, when your bridge your connections (which is what it sounds like what you did with the MyISP connection), you're on the network. If it receives a DHCP address or if you can do anything else (i.e. visit websites) it's on the network.

I'm not following how you think someone else could have access the network though. While I agree that you shouldn't experiment with things on a live network, I don't see how a security breach could have occurred.

Yes you are correct, and its a stupid thing to do. The reason I ask for the security breach is because of the NAT/router I set up on that virtual machine. Wouldn't a NAT allow someone into a network? I'm not quite sure how NAT works yet though, thats why I'm worried. It was a stupid thing to do, which I realised, and therefore disabled the network connection within minutes. But yet the NAT server did receive some and reject some packets, thats why I'm worried.

About the host machine protecting the VMs, even if the actual VMs are not protected, the host would still not send any traffic on to the network the host is connected to, due to the firewall on the host, right? What I mean is, if someone gain access to your test enviroment (which is rarely protected), they would still not be able to go through your vms and host machine, and get into the network the host is connected to?

dynamik

Dracula28 wrote:

Yes you are correct, and its a stupid thing to do. The reason I ask for the security breach is because of the NAT/router I set up on that virtual machine. Wouldn't a NAT allow someone into a network? I'm not quite sure how NAT works yet though, thats why I'm worried. It was a stupid thing to do, which I realised, and therefore disabled the network connection within minutes. But yet the NAT server did receive some and reject some packets, thats why I'm worried.

Maybe I don't understand what you're asking, but I still don't see what you're worried about. In order for someone to access the VM you put on the network, they'd already have to be connected to the network. Is there sensitive information on the VM? What's your concern?

As far as the NAT server receiving traffic goes, it was probably just some network broadcasts or something. Is there any reason you suspect otherwise? Did you capture this with network monitor? What kind of traffic was it?

Dracula28 wrote:

About the host machine protecting the VMs, even if the actual VMs are not protected, the host would still not send any traffic on to the network the host is connected to, due to the firewall on the host, right? What I mean is, if someone gain access to your test enviroment (which is rarely protected), they would still not be able to go through your vms and host machine, and get into the network the host is connected to?

It depends on how you have your firewall setup. Most simply allow all outgoing traffic and only allow incoming traffic for connections you established. I would assume that it would allow the VM traffic out since it was originating from that machine. Again, I don't understand your concern because the user would already have to have network access in order to access your VM or host machine.

If you did something like add an unauthorized hub, switch, wap, etc., or allow someone to bridge a connection through your machine, you would risk letting unauthorized users onto the network.

Dracula28

Well, its the NAT that makes me concerned, as I thought it was means to let someone through it and on to the network, but since I did not configure the NAT, just set it up with default values, and the IP adress of the NAT server was a private IP adress received from a DHCP server, and not a public ip adress. I'm assuming that there is no reason to be worried?

I did not capture the data, I really just wanted to see whether I could connect to the internet with virtual machine 2, if I went through computer 1 set up as NAT. Did not get that far, as I saw that it started to receive and reject some packets, so I just disabled the network connection altogether.

But to be able to use a NAT you have to be on the particular subnet the NAT is on? In that case I guess I shouldn't be worried. There is no sensitive data on the VM, or the host for that matter, I'm really just concerned that I might have let someone onto the company network by setting up an unauthorized NAT.

dynamik

Do you have a router at home on cable or DSL? That does NAT exactly the same way. It allows the machines behind the device to access the network (the internet in this example) by using the public IP assigned from your ISP. Essentially Network Address Translation just translates the internal address(es) to the external address(es) and back again. Only machines that were connected to it (your other VMs) could use it to access the network.

Goldmember

Dynamik,

I noticed a few things after you mentioned the firewall blocks the laptop adapter.

I use Comodo Personal Firewall and now there are 2 adapters listed as being protected by the firewall...

One of the adapters is my wireless adapter, while the other adapter is the VM virtual adapter.

The properties of the virtual adapter included another IP address which is obviously different from my wireless adapter IP address and also a different MAC address.

So to go back to your original statement...

The firewall doesn't block traffic because it uses the same logical interface. There is actually a new logical interface installed in my scenario within the Comodo Firewall which has its own properties.

Just to clear things up a byte.

Dracula28

Thanks for the input guys.

I've learnt my lesson, and will never connect any unauthorized computer to the company network again. Even if it might not be a security breach, it still is quite stupid.