Quarantine Network Usage
Q: How can I safely run malicious software in the lab?
A: Very carefully...
There are a few key rules when running malicious software / malware in the lab:
Rule 1: Malware should only be run inside of a virtual machine, never on the host OS. This makes it easy to start, stop, reset to an earlier snapshot, or nuke from orbit. And, it allows the same PC to be used by subsequent students for non-malware related activities.
Rule 2: The malware-infected virtual machine should only have access to the quarantine network (VLAN 20). The malware VM should never be connected to the student network, not via bridging and not via NAT.
Rule 3: Computers that are not malware infected should not be connected to the quarantine network. For example, the host OS should only be connected to the student network.
In the context of the student desktop PCs in the lab, these rules should be implemented as follows.
Normal operation (non-malware):
- The wired Ethernet adapter on the PCs is named eno1. (This is short for 'en' Ethernet, 'o' Onboard NIC, '1' Interface 1.) This NIC sees both student VLAN traffic (untagged here, but VLAN 30 at the router) and quarantine VLAN traffic (tagged, VLAN 20). By default, only the untagged VLAN (for the student network) is visible to the host OS.
- DHCP is configured in the Linux host OS on the eno1 interface. The DHCP request is untagged and goes to the student VLAN, so the host OS is assigned an IP on the student subnet.
Quarantine operation (malware):
Malware should only be run inside a virtual machine, never on the host / bare-metal OS. During this period, the host OS should be configured to see the quarantine VLAN but not to take an IP address on it, so that the host itself never actively passes traffic there. Use the Network Manager GUI to create a new virtual interface called eno1.20, and connect it to VLAN 20 on physical interface eno1. This new virtual interface is only for the quarantine VLAN, not the student VLAN. All traffic sent using this new interface will be automatically tagged for the quarantine VLAN, and all traffic received from the quarantine VLAN will be automatically untagged.
To create the virtual interface with the Network Manager utility, follow this process:
- Choose "Edit Connections" from the Network Manager tool in the upper right-hand corner.
- Choose "Add" to create a new connection.
- Choose "VLAN" to create a new VLAN connection.
- For Parent Interface, choose eno1. For VLAN ID, enter 20. For VLAN Interface Name, enter eno1.20.
- Under the IPv4 Settings tab, choose method
  We do NOT want the host OS obtaining an IPv4 address on the quarantine network!
- Under the IPv6 Settings tab, choose method
  We do NOT want the host OS obtaining an IPv6 address on the quarantine network!
To attach a KVM-based VM to the quarantine network using the Virtual Machine Manager GUI, click on the Info (i) button, find the NIC on the left-hand side, and choose the eno1.20 virtual interface you just created. Make sure that it is in
To attach a VirtualBox-based VM to the quarantine network, go to the VM settings, find the Network tab on the left-hand side, and select Bridged Adapter with name eno1.20. You may also need to change the adapter type to Paravirtualized Network (virtio-based) and enable Promiscuous Mode for the guest.
The virtual interface can also be created at the command line, but doing so will result in the Network Manager utility ceasing to manage this interface, which is not desirable and/or will be confusing for future students.
sudo ip link add link eno1 name eno1.20 type vlan id 20   # Temporary: does not persist across a reboot/shutdown
ip -d link show eno1.20                                   # View the virtual interface
sudo ip link delete eno1.20                               # Delete the virtual interface
After creating the virtual interface, ensure that you do not assign it an IP address (manually, or via DHCP) in the host OS. This quarantine interface is only present in the host OS so that it can be mapped to a virtual machine.
Before running any malware, verify your configuration:
From the Host OS:
You should only be able to see the STUDENT network (.30.x), not the QUARANTINE (.20.x) or INSTRUCTOR (.40.x) network.
nmap -sP 10.1.20.0/24   # Should see NOTHING (beyond the router)
nmap -sP 10.1.30.0/24
nmap -sP 10.1.40.0/24   # Should see NOTHING (beyond the router)
ping -c 4 google.com    # Should have public Internet access
From the Guest OS (malware host):
You should only be able to see the QUARANTINE network (.20.x), not the STUDENT (.30.x) or INSTRUCTOR (.40.x) networks.
nmap -sP 10.1.20.0/24
nmap -sP 10.1.30.0/24   # Should see NOTHING (beyond the router)
nmap -sP 10.1.40.0/24   # Should see NOTHING (beyond the router)
ping -c 4 google.com    # Should have public Internet access
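The nmap sweeps above test the result; the script below, an added example that is not part of this lab page, checks the cause on the host side: it parses `ip -d link show` / `ip addr show` output for eno1.20 and fails if the interface is not a VLAN 20 child of eno1 or if it carries any IP address (the sample outputs embedded in it are constructed, and the 10.1.20.57 lease in the bad sample is a made-up value).

```shell
#!/bin/sh
# Added example (not the lab's own tooling): sanity-check the host-side
# quarantine interface before a malware VM is started. Assumes the lab's
# names: parent NIC eno1, VLAN id 20, virtual interface eno1.20.
QIFACE="${QIFACE:-eno1.20}"; PARENT="${PARENT:-eno1}"; QVLAN="${QVLAN:-20}"

# check_vlan_link TEXT: TEXT is the output of `ip -d link show eno1.20`.
# Succeeds only if the link is an 802.1Q VLAN with the expected id on the
# expected parent, i.e. frames sent on it really are tagged for VLAN 20.
check_vlan_link() {
    printf '%s\n' "$1" | grep -q "^[0-9]*: ${QIFACE}@${PARENT}:" || return 1
    printf '%s\n' "$1" | grep -q "vlan protocol 802.1Q id ${QVLAN} " || return 1
}

# check_no_address TEXT: TEXT is the output of `ip addr show eno1.20`.
# Fails on any IPv4 address and on any IPv6 address except the kernel's
# automatic link-local one (fe80::/10, "scope link"), which stays present
# unless IPv6 is fully disabled on the connection.
check_no_address() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*inet ' && return 1
    printf '%s\n' "$1" | grep '^[[:space:]]*inet6 ' | grep -qv 'scope link' && return 1
    return 0
}

# Constructed sample output of a correctly configured host (no real lab data).
GOOD_LINK='5: eno1.20@eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff promiscuity 1
    vlan protocol 802.1Q id 20 <REORDER_HDR>'
GOOD_ADDR='5: eno1.20@eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::211:22ff:fe33:4455/64 scope link
       valid_lft forever preferred_lft forever'
# Constructed sample of the misconfiguration Rule 3 forbids: the host OS
# picked up a DHCP lease on the quarantine subnet (address is made up).
BAD_ADDR="${GOOD_ADDR}
    inet 10.1.20.57/24 brd 10.1.20.255 scope global dynamic noprefixroute eno1.20"

# Run against the real host with: sh quarantine-check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_vlan_link "$(ip -d link show "$QIFACE" 2>/dev/null)" \
        || { echo "FAIL: $QIFACE is not VLAN $QVLAN on $PARENT"; exit 1; }
    check_no_address "$(ip addr show "$QIFACE")" \
        || { echo "FAIL: $QIFACE has an IP address; remove it before starting the VM"; exit 1; }
    echo "OK: $QIFACE is a tagged, address-less quarantine interface"
fi
```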