Recently, I have been contemplating the idea of attending the Chaos Communication Camp in Germany, in order to learn more about information security first-hand. Yet, as outlined in their survival guide, going there without considering a high level of security for your laptop and phone, whatever the flavour of your OS, is not a particularly clever idea. For good reasons.
Mind you, apart from Windows 7, I cannot have any other properly configured OS on my laptop, due to hardware peculiarities (switchable graphics cards being one of them). Consequently, no Unix-like OS with nifty security features installed ‘bare metal’. Not just yet.
So, inspired by this article about how to protect your PC with IPCop in a virtual machine, I thought about building a similar setup. The whole notion is pretty simple: run an enterprise-level open-source firewall as a virtual machine, bridge it to your network card, install the Microsoft Loopback adapter, then castrate Windows so it cannot access the Internet directly – that is, uninstall the TCP/IPv4 and TCP/IPv6 stacks of the physical NIC. Thus you run all your Internet traffic through said firewall, whose WAN interface is the virtual NIC bridged to the physical card, whilst its LAN interface is the virtual NIC bridged to the Loopback adapter.
Only, I want to develop the idea further.
First of all, I want to use pfSense, because I’m slightly biased towards *BSD and its superior security features. Then, with pfSense, I can easily add, if needed, an IDS/IPS (Snort), a web proxy (Squid), or force the encryption of all traffic through a permanent VPN tunnel. It can be configured and scaled to match whatever your level of security-related paranoia.
Also, in order to reduce the time required for the Internet connection to become available, I need my virtual machine to run seamlessly, without having to manually start it or save its state every time I boot / shut down the host. Needless to say, that means running VirtualBox as a Windows service.
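A check for the design described above, added here as an example that is not part of the original post: it parses `ipconfig /all` output and reports every adapter, other than the loopback connection, that still holds an IP address or gateway, that is, a path around the firewall VM. The sample output, the adapter names and the addresses are constructed assumptions (English-language `ipconfig` labels are assumed too); in the sample, IPv4 was removed from the physical NIC but IPv6 was left bound.

```python
import re

# Constructed, abridged `ipconfig /all` output for the setup described above.
# Adapter names and addresses are assumptions, not values from the article.
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Example Gigabit Ethernet Controller
   Link-local IPv6 Address . . . . . : fe80::1c2d:3e4f:5a6b%11(Preferred)
   Default Gateway . . . . . . . . . :

Ethernet adapter Loopback:

   Description . . . . . . . . . . . : Microsoft Loopback Adapter
   IPv4 Address. . . . . . . . . . . : 192.168.1.2(Preferred)
   Default Gateway . . . . . . . . . : fe80::1%12
                                       192.168.1.1
"""

ADAPTER_RE = re.compile(r"^\S.*? adapter (.+):\s*$")
FIELD_RE = re.compile(r"^\s+(.+?)[ .]+:\s*(.*)$")
IP_FIELDS = ("IPv4 Address", "IPv6 Address", "Link-local IPv6 Address", "Default Gateway")

def parse_ipconfig(text):
    """Return {adapter name: {field: [values]}}; keeps continuation lines."""
    adapters, current, last = {}, None, None
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            current, last = adapters.setdefault(header.group(1), {}), None
        elif current is not None and line.strip():
            field = FIELD_RE.match(line)
            if field:
                last = field.group(1)
                current.setdefault(last, []).extend(filter(None, [field.group(2)]))
            elif last:  # e.g. the IPv4 gateway listed under an IPv6 one
                current[last].append(line.strip())
    return adapters

def bypass_paths(text, allowed):
    """Adapters outside `allowed` that still hold an IP address or gateway."""
    return {name: [k for k in IP_FIELDS if fields.get(k)]
            for name, fields in parse_ipconfig(text).items()
            if name not in allowed and any(fields.get(k) for k in IP_FIELDS)}

if __name__ == "__main__":
    print(bypass_paths(SAMPLE, allowed={"Loopback"}) or "no direct IP path found")
```

Any other adapter that legitimately carries an address, such as a VirtualBox host-only network, will also be reported unless its name is added to `allowed`.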
The configuration used for this tutorial:
HP Envy 14 – i5 520m | ATI 5650 & Intel HD Graphics | 8GB RAM | 120GB SSD | Windows 7 Professional 64-bit
I am sure that, as long as you have enough RAM to spare, depending on the features which you’d want to add to pfSense, any spec would do.
Required software and preparation:
At the time of writing (July 2011), the most recent version of pfSense available is 2.0 RC3 and, as recommended on the official website, it can be used in production.
Also, the VirtualBox version which I am going to install is 4.1.0 build 73009.
Time to gather all the goodies:
Go to this list of mirrors and download pfSense. You can choose your preferred version, CPU, and CPU instruction set architecture.
You can download the latest VirtualBox release and the VirtualBox Extension Pack here, or look for other builds on this page.
You will also need to install the Microsoft Loopback adapter. To understand what it does, in the unlikely case you don’t know already, check this page.
I assume that you know how to operate your software-based firewall on Windows, if you have any enabled (ZoneAlarm, Comodo, Windows Firewall, etc.), so you can add the virtual networks to your trusted zone.
Before you proceed to messing with your system, it is sensible to have a tested, recent, full backup. I personally use DriveImage XML for ghosting my home PCs – it has never let me down. Also, Windows 7’s Backup and Restore Center does a very good job.
Now start the backup routine for your system and have a cup of coffee whilst it does its job. Two or many more if you have a slow drive and / or a large primary partition.