7

How can I set up my Windows PC and/or network, so that none of the programs on my actual PC have internet access, but I have a sandbox/VM, with a browser, which has internet access, but has no access to the actual files? Essentially, I want to slice my PC in half. The offline part has access to documents, but no internet connection. The other is a sandboxed web browser, which has internet access, but cannot read or write the offline part of the PC.

In other words, I want a sandboxed web browser, and then block every program's internet access outside the sandbox. Even Windows Update. I would not need "security updates" anyway. I think this way one could reach nearly 100% security for sensitive documents.

Answers/comments arguing that this kind of defense is not worth it are also welcome.

Edit: The offline part would be mostly used, so it would be better to somehow allocate the resources to that. I don't know how much performance is lost by each virtualization technology, but in my experience, so far, it's a lot.

Jani Kovacs

4 Answers

2

Simple. Use a firewall in whitelist mode*.

For a similar purpose, I've used ZoneAlarm Free Firewall. Set it to whitelist mode and wait for it to ask you about giving Internet access to your sandbox application (I've used Sandboxie). Then tell ZoneAlarm to stop notifying you about future applications and not to assume they're whitelisted.

* Whitelist mode: Unless an application is explicitly allowed to have network access, it's assumed to be blacklisted.

Adi
  • If I am not wrong, your solution is good for the first part (i.e. no Internet access for anything other than the browser) but won't stop the browser from accessing the local file system where the sensitive data that the OP wants to protect is stored. – void_in May 05 '13 at 06:48
  • @void_in Sandboxie does _exactly_ that. It traps the application in a, well, sandbox. – Adi May 05 '13 at 07:44
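An added example (not part of the answer above, which uses ZoneAlarm) showing the same whitelist-mode idea with the built-in Windows Defender Firewall cmdlets. The executable path and rule name are placeholders chosen for illustration; the script must run in an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Assumption: placeholder path of the single executable that may reach the network.
$AllowedProgram = 'C:\Path\To\SandboxedBrowser.exe'
$RuleName       = 'Allow sandboxed browser outbound'   # hypothetical rule name

# 1. Whitelist mode: outbound traffic with no matching allow rule is dropped.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultOutboundAction Block

# 2. One explicit allow rule. A program rule matches on the executable path
#    only, so it applies to that executable however it is launched.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Allow `
        -Program $AllowedProgram -Profile Any | Out-Null
}

# 3. Audit. Default-deny does not disable allow rules that already exist, and
#    Windows ships with many enabled ones. List every enabled outbound allow
#    rule that is not the rule for the whitelisted program.
$extra = Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        if ($app.Program -ne $AllowedProgram) {
            [pscustomobject]@{
                Group   = $_.DisplayGroup
                Rule    = $_.DisplayName
                Program = $app.Program   # 'Any' means the rule is not tied to one executable
            }
        }
    }
$extra | Sort-Object Group, Rule | Format-Table -AutoSize
'{0} other outbound allow rule(s) are still enabled.' -f @($extra).Count

# 4. Confirm the effective default action on each profile.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction
```

Rules listed by the audit step keep passing traffic until they are disabled, so the whitelist is only as tight as that list is short.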
1

You could have a Linux hypervisor that hosts two Windows VMs, whereby one Windows VM doesn't have an internet connection.

(Edit: I guess Windows 2008 can be a hypervisor... but why would anyone want that?)

rook
  • Thank you, I am definitely going to consider this solution, but I am concerned about the performance of the offline part. – Jani Kovacs May 05 '13 at 00:04
0

You could install VirtualBox and create another VM for your Internet access. On the host, where you don't want any Internet access, disable the network connection by either:

  • ifconfig ethX down or ifconfig wlanX down (Linux. X is the number given to the connection)
  • Control Panel -> Network and Internet -> Network Connection -> Right Click the connection and choose disable (Windows)

In the guest OS, use Bridged Adapter to connect to the Internet. Since the host system where you don't want any Internet connection has no network connectivity, even if malware is downloaded on the guest, it can't access the host OS without breaking the VM sandbox itself. So far there is no publicly known exploit for breaking the VM sandbox for the latest VirtualBox (or VMware) virtualization solution.

As far as cost is concerned, VirtualBox is open source and is freely available.

void_in
0

> I would not need "security updates" anyway. I think this way one could reach nearly 100% security for sensitive documents.

Yes, you absolutely would still need security updates. You stated that you are running on Windows and that you are only allowing the browser to have internet access.

A lot of malware injects itself into the browser's memory space (via BHO or DLL injection) and performs data exfiltration that way. In your scenario this would still work quite well. You can even do this on Windows 8 with IE 10 for Metro and Desktop modes.

I don't think your approach is bad, but you do need to still perform security updates if you are going to have an internet connection on this machine.

Additionally, I would suggest using a hardware firewall as well which only allows TCP 80/443 and UDP 53 (DNS) in and out. You still run the risk of DNS Tunneling, but by adding a blacklisting proxy type of product you can reduce the risk.

Mick