In setting up a VM, does the Bridged or NAT configuration provide more separation security?

I was going to post this as a comment but anyway. I've mentioned QubeOS earlier, sounds like something you may be interested in.

I thought I would mention something else: to isolate traffic on a physical network we have VLANs too. AFAIK QubeOS - like other virtualization solutions - uses Linux namespaces to achieve isolation. Although this is somewhat beyond the scope of your question you might be interested in these two concepts.

On Linux you have sandboxing tools like Firejail or nsjail that help you isolate applications by limiting what they can see and access. They work by taking advantage of the Linux containerization functions. If you choose to use a Linux distro other than QubeOS, you can use those tools. Be aware that some applications may malfunction and need a bit of tuning. Example: an app wants to access some data on the file system but it cannot see beyond your home directory. One thing I noticed with Firejail on my system is that VLC was not able to download subtitles (I have not yet bothered to fix this).

The reason why I am posting this is, is that the scope of your question goes beyond bridged or NAT networking, or firewalls. I would even say this is a moot point really. While network design is important there is a lot more that can be done to achieve your goal.

Strong security comes with a number of constraints. You have to find the right balance between security and convenience. If you implement any of the solutions proposed here, you should expect to run into some problems and sort them out on your own, which can be a daunting task for an "average" Linux user.

Regarding QubeOS, I don't have experience with it but I have a colleague using it. Seems that there are still stability issues or routing problems happening, so it is one distro for experienced Linux users. But it doesn't hurt to try.

Solved by user125626 (6,462 )
Jul 26, 2020 at 10:36