I got my new corporate laptop today, a Dell Latitude E6500, a very nice computer. Working as a security consultant, I’m always on the road, connecting my laptop to customer or evil (free Wi-Fi access point or conference) networks. Fortunately, my company allows consultants, if they want, to manage their laptops themselves (operating system choice and daily management), but with some requirements: security (sounds logical) and compatibility with the corporate tools (mainly Microsoft Office based).
My previous laptop was based on Windows XP but I was too often running Linux guests under VMware with specific tools. With the new one, I decided to use Linux as the native OS and run a Windows environment with the Microsoft tools under Virtualbox. I can’t run a 100% Microsoft-free environment: as said above, I must be able to use corporate tools like VPN clients, Microsoft Outlook, Office and Visio. We recently switched to Office 2007 and I find the OpenOffice compatibility with the new file formats not perfect.
Ok, let’s go with the setup review…
The default BIOS settings were hardened and changed to:
- set up a power-on password
- set up a BIOS admin password
- activate the TPM chipset (IBM worked on trusted computing on Linux)
- enable the CPU XD support
- disable all wake-up options (LAN, USB, …)
- define the boot sequence (only internal HD)
There are plenty of Linux distributions available. My choice was to go with Ubuntu. This distribution is very powerful, easy to use and frequently updated. As the environment will be used for business activities, I can’t lose time on investigations, reconfigurations or debugging! Ubuntu has very broad hardware support. All the standard components of the E6500 are. Even the suspend mode worked out of the box!
At the moment, I have not investigated the Linux support for the extra hardware like the fingerprint scanner. But there is interesting info already published. When I have free time!
The system will contain confidential customer data (network schemas, reports, configurations, etc.). Encryption is a requirement. There are two types of encryption: full-system encryption (including the system disk) or data encryption (a dedicated partition or a virtual volume based on a flat file).
As the native OS is Linux, there is no need to encrypt the whole system. Why? Linux applications are highly configurable: we know where their data are stored (or we can reconfigure the application to meet our requirements). Windows applications are not so “customizable” and data are stored everywhere, even in c:\windows\system32! Linux is a free operating system: why encrypt publicly available information (binaries, libraries, etc.)? Finally, whole-system encryption can have a negative effect on performance.
Under Linux, only one file system is encrypted: /data. It’s the biggest file system (75% of the whole disk size) and it contains all the sensitive material.
As we cannot trust Windows about the file locations, the virtual machines are stored on the encrypted file system.
Truecrypt was used to encrypt the data. Note that no automatic mount will be performed at boot time! The file system will be mounted manually once logged into Gnome.
Virtualbox is installed via the provided package (.deb) and configured to create the virtual disks on the encrypted file system. Why Virtualbox? Well, it’s free. IMHO, the seamless mode is much better than the one provided by VMware 6.5.
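Because /data is mounted by hand after login, anything started before the mount writes into the unencrypted directory underneath it. The following pre-flight check is an added example, not part of the original setup; it assumes the TrueCrypt volume appears in /proc/mounts as a /dev/mapper device on /data, and the sample mount table and disk paths are constructed.

```shell
#!/bin/sh
# Added example: refuse to start VMs unless /data is the encrypted volume
# and every virtual disk path lives beneath it.
# Assumption: the encrypted volume is listed as /dev/mapper/... on /data.

# Constructed sample in /proc/mounts format (not taken from a real system).
sample_mounts() {
    printf '%s\n' \
        '/dev/sda1 / ext3 rw 0 0' \
        '/dev/mapper/truecrypt1 /data ext3 rw 0 0'
}

# mount_source MOUNTPOINT [MOUNTS_FILE]: print the device mounted there.
mount_source() {
    awk -v mp="$1" '$2 == mp { src = $1 } END { if (src != "") print src }' \
        "${2:-/proc/mounts}"
}

# encrypted_mounted MOUNTPOINT [MOUNTS_FILE]: 0 only for a device-mapper mount.
encrypted_mounted() {
    case "$(mount_source "$1" "${2:-/proc/mounts}")" in
        /dev/mapper/*) return 0 ;;
        *) return 1 ;;
    esac
}

# outside_base BASE: read paths on stdin, print those not safely under BASE.
outside_base() {
    base="${1%/}"
    while IFS= read -r p; do
        case "$p" in
            */../*|*/..) printf '%s\n' "$p" ;;  # traversal: treat as outside
            "$base"/*) ;;                       # inside the encrypted tree
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# preflight MOUNTPOINT [MOUNTS_FILE] < list of virtual disk paths
# Returns 1 if the volume is not mounted, 2 if a disk lies outside it.
preflight() {
    encrypted_mounted "$1" "${2:-/proc/mounts}" ||
        { echo "refusing: $1 is not the encrypted volume" >&2; return 1; }
    bad=$(outside_base "$1")
    [ -z "$bad" ] || { echo "disks outside $1: $bad" >&2; return 2; }
}
```

Feed `preflight /data` the list of virtual disk paths (one per line) before launching VirtualBox.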
A standard Windows XP SP3 with Microsoft Office and other basic tools was installed. A subdirectory in /data is configured as a shared folder for the Windows guest. This way, I can safely exchange data between the two environments. Under Windows, the ‘My Documents’ mapping has been changed to a directory in this shared folder. Of course, Windows has been hardened too (anti-virus, anti-spyware, PSI, firewall, sandbox, etc).
I had some trouble joining my company domain via the VPN session (read my previous post about this problem) but everything looks OK now.
The network connectivity is managed on the Linux side (wired as well as wireless). Virtual machines are only connected using hide-NAT. A firewall is configured on the Linux side but the default XP firewall is kept enabled.
Other virtual hosts
My goal is to run as much as possible in VirtualBox. The native Linux will be used for the day-to-day jobs, as will the Windows guest. All other operations will be performed via other virtual hosts so as not to pollute the base OS. For example, toolboxes like Backtrack or Samurai will be executed in other VMs.
Day to day usage
And now? I’ve been using this configuration for a few days now without major issues. Of course, some tools are still missing (I copied a full backup of my old disk to the new safe storage, so I can restore files if needed). The amount of unused files is incredible: a big cleanup will be necessary.
Regarding files, I try to download data from the Internet on the Linux side and, if needed, the files are available in the XP environment via the virtual share. No need to install duplicate tools like a PDF reader.
What’s next? Well, nothing urgent but:
- I’d like to convert some old VMware guests to Virtualbox (it looks possible).
- Configure Ubuntu to use the [Juniper|Checkpoint] SSL VPN portals (some extra libs are required).