Information Security
vpn firewalls virtualization
Updated Fri, 20 May 2022 03:02:58 GMT

In setting up a VM, does the Bridged or NAT configuration provide more separation security?

I am setting up a few VMs (assume VirtualBox w/ Linux). They will all be on the same PC host (assume Linux) and the intent is to have all the VMs handle separate functions (business, personal finance, and personal) and have no connection to each other through the network or otherwise. I want to set them up in a way that creates the best security as far as separation from each other and from the host. The host will function only to host the VMs. I would prefer to use one VPN subscription, which has been purchased anonymously. However, if this compromises the separation of these VMs, then I would consider changing the approach.

Given this setup, which method (Bridged or NAT) would work better as far as providing the least amount of leaked information between the VMs/host?

Additional information:

The plan is to set up software firewalls allowing only outgoing connections for the VMs and the host. I am still looking into whether this is the best approach (secure and user-friendly).
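The "outgoing connections only" firewall mentioned in the question, written out as an nftables ruleset. This is an added example, not part of the original question or any answer; it assumes a Linux host or guest with nftables installed, and the output path and the shell functions (`gen_egress_only_ruleset`, `check_ruleset`, `count_drop_chains`) are names chosen here. The same ruleset belongs inside each guest as well as on the host: in VirtualBox NAT mode the guests sit behind VirtualBox's own user-space NAT, so the host's packet filter never sees guest-to-guest traffic.

```shell
#!/bin/sh
# Added example (not from the original post): generate and check an
# nftables ruleset that allows outbound connections only.
# Assumptions: Linux with nftables; the output path is arbitrary.
set -eu

# Write an egress-only ruleset to $1 (default: ./egress-only.nft) and
# echo the path it was written to.
gen_egress_only_ruleset() {
    out="${1:-./egress-only.nft}"
    cat > "$out" <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        # Default-deny inbound: nothing may open a connection to this
        # machine, including a neighbouring VM on the same bridge or segment.
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept   # replies to our own outbound traffic
        ct state invalid drop

        # Minimal ICMP so path-MTU discovery and IPv6 neighbour discovery keep working.
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert,
                      echo-request, destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept
    }

    chain forward {
        # This machine is not a router for anyone else; never forward between interfaces.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Outgoing connections are allowed: this is the "outbound only" policy.
        type filter hook output priority 0; policy accept;
    }
}
EOF
    printf '%s\n' "$out"
}

# Dry-run the ruleset with nft's check mode when nft is installed and we
# are root (nft -c needs privileges); otherwise report and return success.
check_ruleset() {
    if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        nft -c -f "$1"
    else
        echo "nft not available or not root; skipping dry-run check of $1" >&2
    fi
}

# Count hook chains that default to drop; the ruleset above has two
# (input and forward), so anything else means the file was edited badly.
count_drop_chains() {
    grep -c 'policy drop;' "$1"
}
```

Load it with `nft -f egress-only.nft` as root and persist it through the distribution's nftables service; `nft list ruleset` afterwards should show `policy drop` on both the input and forward chains.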


I was going to post this as a comment, but anyway. I've mentioned Qubes OS earlier; it sounds like something you may be interested in.

I thought I would mention something else: to isolate traffic on a physical network we have VLANs too. AFAIK Qubes OS - like other virtualization solutions - uses Linux namespaces to achieve isolation. Although this is somewhat beyond the scope of your question, you might be interested in these two concepts.

On Linux you have sandboxing tools like Firejail or nsjail that help you isolate applications by limiting what they can see and access. They work by taking advantage of the Linux containerization functions. If you choose to use a Linux distro other than Qubes OS, you can use those tools. Be aware that some applications may malfunction and need a bit of tuning. Example: an app wants to access some data on the file system, but it cannot see beyond your home directory. One thing I noticed with Firejail on my system is that VLC was not able to download subtitles (I have not yet bothered to fix this).

The reason why I am posting this is that the scope of your question goes beyond bridged or NAT networking, or firewalls. I would even say this is a moot point really. While network design is important, there is a lot more that can be done to achieve your goal.

Strong security comes with a number of constraints. You have to find the right balance between security and convenience. If you implement any of the solutions proposed here, you should expect to run into some problems and sort them out on your own, which can be a daunting task for an "average" Linux user.

Regarding Qubes OS, I don't have experience with it, but I have a colleague using it. It seems that there are still stability issues or routing problems happening, so it is a distro for experienced Linux users. But it doesn't hurt to try.

Comments (1)

  • +0 – Thanks for the help! It sounds like a container inside a VM may offer some additional security if done right. Hopefully, the small amount of programs I will be using won't require many tweaks. I may venture into Qubes eventually. — Jul 27, 2020 at 01:10