Properly isolating a malicious system from your network

I’ve been learning a lot about networking lately, which has led me to want to look at malicious software to see what it does / how it works. The natural first step for this seems to be isolation, or how to correctly isolate the software I want to look at / interact with from the rest of my network. I’ve got a couple of ideas, but I’m not sure that I really understand the real-world limitations of each.

Sandboxie
As far as I can tell, this is a good way to isolate software from the system that it is running on. You can restrict internet access, but it doesn’t seem like there is a good way to keep it away from the rest of your network while still allowing internet access on its own.

Physical Machine & VLAN
Haven’t used VLANs before, but my MikroTik router is perfectly capable. Could remotely access with something like Parsec, with a bit of extra latency from the round trip, for convenience. I don’t actually know how well VLANs do at preventing malicious software from reaching the rest of the network vs. non-malicious devices. Deliberately restricting access to the router admin UI from a VLAN seems straightforward enough. I read an article from ATT that describes a couple of ways that VLAN hopping can occur, but I’m not sure how much of a concern this is short of APT kind of shit.

VM & VLAN
I’ve worked with VMs enough to have an idea what’s going on. Would be convenient to just spin up a VM on my local machine, but I don’t know how prevalent exploits that can jump between a VM and the host are, or if there is a solid enough method to prevent this that makes a VM viable for security research.

I’d love to hear about what steps you take when performing this kind of work. For my continued investigation into the topic, recommendations for ‘words I need to understand’ could be awesome too.

A firewall is what you want for controlling network access

2 Likes

So like a separate subnet with restricted access between the two?

If you are trying to test malware then a VM with no network access would be my first choice.

7 Likes

I can see why OP would eventually want to grant restricted/DMZ/firewalled access, if actually examining malware, for it to reach out to C2 / payload servers.

I would not start messing with malware intentionally myself, even in VMs, with networking. But, pen testers gotta start somewhere.

Perhaps check a couple courses in YT about pentest/ reverse engineering first, focusing on the VM side?

(Um, originally started to reply specifically to UCAV, but changed tack part way through…)

1 Like

Like you say, there are ways to send malformed frames to achieve VLAN-hopping.

Just taking out the port you want to isolate from the Bridge should be half the quest.


Physical machine would be my choice. That way, there is no accidental hole opened by remote management software pulling stuff across.

Yup.
ACLs are a good start, firewalling in MikroTik is alright if a bit hard to understand.
Sophos Home or pfSense may also be worth looking into. Consider stacking two different firewalls in series since you may miss something in one of them, which in the “testing malware” context could be fatal.

1 Like

This looks like an interesting project:

to get you the sandbox environment running,
I would run that on a dedicated, separated machine, connected with a single cable to a dedicated port on a firewall isolated from anything on your home network, and go from there …
As a word of advice, I suggest you level up your skills in networks/firewalls, properly air gapping environments before actually running any malware …

2 Likes

If it were me I’d set up a separate physical machine, but still use VMs on it. Being able to quickly wipe and reload the environment can be very useful here.

2 Likes

A lot of good information there. In that article, the author went as far as to have a physically separate router and (I think) connection to the outside world.

This seems to be the name of the game here. It’s not that XYZ can’t work, but the risk of mistakes goes up and up.

2 Likes

Precisely!
Here is where a guinea pig computer comes into play:
No network card or disabled network.
No wireless.
In other words, a stand-alone machine.

Pen testing , debugging, decompiling, or reverse engineering suspected files is safely done on this machine because of the inability to network it.

In this instance the OS drive configured with the proper software is cloned to multiple redundant drives.
Should a catastrophic failure occur the dirty drive could easily be swapped out (using hot swap trays).
Back up and running in a very short time.
Then the dirty drive could be wiped for reuse or destroyed.

This machine would then only be able to load software via USB, optical or media drive, serial port, or parallel port.
If none of these are networked then you have complete control over what is loaded into the system.

Biggest downfall is the need to have a dedicated separate machine and the space it takes up.

Biggest benefit is it’s completely secure because you are the primary access to it.

A bit paranoid, I know.
I used to do forensic work on computers.
You have to be a little paranoid to cover all bases.

2 Likes

I agree that with a sacrificial machine plus VMs, you can create a somewhat isolated network environment:

  • VM running CentOS/firewalld/tcpdump as a reasonable inspection gateway
  • running openvswitch between your VMs for an isolated LAN
  • running a second openvswitch as an isolated WAN
  • running a CentOS 9 VM as an ISP gateway (dnsmasq again) can capture packets headed to the public internet
  • dnsmasq on the WAN VM can be assigned 8.8.8.8, no client will know better

Inspecting the dnsmasq query logs will provide you with all the lookups malware will make.

Run the VM disk images on ZFS and you have the most inexpensive snapshotting.

1 Like
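The post above ends with the practical payoff of the fake "ISP gateway": the dnsmasq query log on the WAN VM is the record of every name the sample tried to resolve. The script below is an added example (not from the poster) of turning that log into something reviewable: it groups lookups per client VM, lists which names were sinkholed to the gateway, and flags names a single client resolved repeatedly, which is the cheap first hint of C2 polling. It assumes dnsmasq on the gateway VM was started with `log-queries` and a wildcard sinkhole of `address=/#/10.99.0.1` (so every name answers with the gateway's own address); the gateway IP, the client IPs, the hostnames and the log lines are all constructed for the example.

```python
"""Summarise dnsmasq query logs from an isolated malware-lab gateway VM.

Assumed dnsmasq.conf on the fake ISP gateway (not from the original post):
    log-queries
    log-facility=/var/log/dnsmasq.log
    address=/#/10.99.0.1      # every name resolves to the gateway itself
With that config dnsmasq logs 'query[TYPE] name from client' followed by
'config name is addr' for each lookup it answers from its own config.
"""
import re
from collections import OrderedDict, defaultdict

# "... dnsmasq[pid]: query[A] example.com from 10.99.0.20"
QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)"
)
# "... dnsmasq[pid]: config example.com is 10.99.0.1"  (also: reply / cached)
ANSWER_RE = re.compile(
    r"dnsmasq\[\d+\]: (?P<how>config|reply|cached) (?P<name>\S+) is (?P<addr>\S+)"
)

# Constructed sample log; names and addresses are placeholders, not real IOCs.
SAMPLE_LOG = """\
Mar  3 12:00:01 dnsmasq[1234]: started, version 2.89 cachesize 150
Mar  3 12:00:07 dnsmasq[1234]: query[A] update.example-cdn.net from 10.99.0.20
Mar  3 12:00:07 dnsmasq[1234]: config update.example-cdn.net is 10.99.0.1
Mar  3 12:00:09 dnsmasq[1234]: query[A] c2-staging.example.org from 10.99.0.20
Mar  3 12:00:09 dnsmasq[1234]: config c2-staging.example.org is 10.99.0.1
Mar  3 12:00:31 dnsmasq[1234]: query[A] c2-staging.example.org from 10.99.0.20
Mar  3 12:00:31 dnsmasq[1234]: config c2-staging.example.org is 10.99.0.1
Mar  3 12:01:02 dnsmasq[1234]: query[TXT] beacon.example.org from 10.99.0.20
Mar  3 12:01:02 dnsmasq[1234]: config beacon.example.org is NODATA
Mar  3 12:01:10 dnsmasq[1234]: query[A] repo.example.lab from 10.99.0.21
Mar  3 12:01:10 dnsmasq[1234]: config repo.example.lab is 10.99.0.1
"""


def parse_log(text):
    """Return a list of ("query"|"answer", fields) tuples; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            events.append(("query", m.groupdict()))
            continue
        m = ANSWER_RE.search(line)
        if m:
            events.append(("answer", m.groupdict()))
    return events


def lookups_by_client(text):
    """client IP -> OrderedDict(name -> {"count", "qtypes"}) in first-seen order."""
    out = defaultdict(OrderedDict)
    for kind, f in parse_log(text):
        if kind != "query":
            continue
        entry = out[f["client"]].setdefault(f["name"], {"count": 0, "qtypes": set()})
        entry["count"] += 1
        entry["qtypes"].add(f["qtype"])
    return out


def sinkholed_names(text, sinkhole_ip):
    """Names answered from dnsmasq's own config with the sinkhole address.

    These are the hosts the sample will now try to contact on the inspection
    gateway, so they are the ones worth listening for with tcpdump."""
    return {
        f["name"]
        for kind, f in parse_log(text)
        if kind == "answer" and f["how"] == "config" and f["addr"] == sinkhole_ip
    }


def beacon_candidates(text, min_queries=2):
    """(client, name, count) for names one client resolved at least min_queries times."""
    cands = []
    for client, names in lookups_by_client(text).items():
        for name, e in names.items():
            if e["count"] >= min_queries:
                cands.append((client, name, e["count"]))
    return cands


if __name__ == "__main__":
    for client, names in lookups_by_client(SAMPLE_LOG).items():
        print(f"client {client}:")
        for name, e in names.items():
            print(f"  {name:30} x{e['count']}  {','.join(sorted(e['qtypes']))}")
    print("sinkholed:", sorted(sinkholed_names(SAMPLE_LOG, "10.99.0.1")))
    print("repeat lookups:", beacon_candidates(SAMPLE_LOG))
```

Point the script at the real log with `open("/var/log/dnsmasq.log").read()` in place of `SAMPLE_LOG`; the ordering matters, since the sequence of lookups (update host, then C2, then beacon) is usually as informative as the names themselves.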

VLANs with a very strict firewall would be a start… But if you’re looking at anything properly malicious, and don’t want to have your home internet access cut off, maybe consider a cheap prepaid/disposable mobile data connection for the project… If it gets blocked or disconnected, no big deal.

Oh, and get that from a different ISP than you use at home, or they might block all your access anyway.