Re: Best practice for managing default routes over only VPN connections?



On 11/07/2016 01:49 PM, Stuart D. Gathman wrote:
Cool!  I had not had time to find out exactly what qubes did, but you
explained it very well.  I suspect that's not *all* qubes does, but
I'll be installing a prepackaged VM router (or hacking my own). What a great
concept.


Yeah, Qubes really is cool... All mundane app functions and external connections are done in virtual machines which are controlled with very simple/safe interfaces by the bare-metal hypervisor, Xen. It does the same for hardware, too... Network and USB controllers especially are confined to service VMs using the IOMMU to ensure DMA-based attacks don't yield access to the rest of the system.

OTOH, the admin VM has no network access. Its job is to run the GUI and local storage, and manage the unprivileged VMs (which by default run from read-only OS templates). The Qubes graphics stack prevents the usual GUI vulnerabilities with VM running on Linux, e.g. no clipboard sniffing or bitmap spying; it also displays window borders with VM name and assigned color so there's little or nothing a compromised VM can do to fool you.

The overall idea is to stuff most of the complexity and attack surface of a modern desktop into isolated, unprivileged VMs. You have to trust only a much smaller admin VM, tiny Xen hypervisor and core hardware components. From there, it's up to the user to organize their activities and data into different VMs like "personal", "work", "untrusted".

BTW, some Qubes users are experimenting with router and network VMs that utilize microkernels. However, the default OS templates (Debian and Fedora) make pretty good routers themselves.

Chris

