anone381:
[…]
Well it obviously doesn’t cover my tasks, I work as a pentester, and Qubes doesn’t do well with things like Android emulation and networking.
I understand. It depends on what a certain user expects it to do. I’m working in security, too, and it perfectly fits my needs. (Though I wouldn’t set up some vulnhub scenarios on it, either.)
Qubes only relies on the hypervisor. Above you compared Xen and KVM, but in my solution there is physical isolation of two different devices as Proxmox is physically located on a different device.
That’s exactly what Qubes solved for me: carrying two to three laptops with me. Do you transfer data between the instances?
Qubes templates are terribly done, you can’t just put “guest software” in any VM and make it work, which makes it many times more difficult to work with. Users are still waiting for a lot of templates to be created, such as, for example, NixOS templates.
I still don’t understand. From a sysadmin perspective it’s very nice: there is a single source that gets updates. System parts of appVMs are read-only or disposable. Data parts are mounted in. For inter-VM communication there are special Qubes tools:
Qubes component: core-agent-linux
Concerning Nix:
I wrote how to install Nix in a Qube
Implicit behavior. “Guest software” is highly dispersed on the system, which, as mentioned in point 3, makes it difficult to create templates. It also complicates the work of the users themselves. For example, Qubes configures iptables/nftables in each qube, and users have to guess why the network between qubes is not working. Also, do you know how NetVM works in Qubes? Why can’t I as a user choose which interface to pass traffic through myself? Why are all qubes on the same subnet 10.137.0.0/24? Why is the Qubes Firewall GUI missing some settings, including the UDP setting? Why is the size of /tmp tmpfs 1GB? Why does checking for updates with “update via tor” enabled check for updates without using tor? Why do I have to perform updates through the built-in update tool in Qubes?
I agree on the networking part in general. It’s a bit puzzling (to say the least). But for a start (even with some links on historical decisions):
Qubes networking documentation, “Overall description”: In Qubes, the standard Xen networking is used, based on a backend driver in the driver domain and frontend drivers in VMs. In order to eliminate layer 2 attacks originating from a compromised VM, routed networking is used instead of...
Qubes firewall documentation, “Introduction”: This page explains use of the firewall in Qubes 4.2, using nftables. In Qubes 4.1, all firewall components used iptables. For details of that usage see here. Understanding firewalling in Qubes: Every qube in Qubes is connected to the...
Qubes thinks that security is when you have an encrypted disk, I don’t think it’s safe, I don’t know how it is in Europe, but in CIS they will stick a soldering iron up your ass until you tell them the password.
Nothing could save you from that. It couldn’t be different with any other OS.
The Xen hypervisor is not a panacea; many Qubes users switch to Libreboot/Heads and their analogs to protect themselves from hardware bookmarks in the processor, which to me does not guarantee them any protection. You could take a better approach here.
While that’s not about Xen or even Hypervisors in general … I’m using heads myself. Apart from AEM hardening it’s the nicer boot environment. Did you try it? What do you suggest?
I’m curious to see (and possibly try) it.