Sunday, December 1, 2024

Unplugging the Network

I ended up finding a use case for removing the network from something. It goes like this:

I have a virtual machine (guest) set up with Node.js and npm installed, along with @redocly/cli for generating some documentation from an OpenAPI specification. This machine has two NICs: one in the default NAT configuration, and one attached to a host-only network with a static IP. The files I want to build are shared via NFS on the host-only network, and I connect over the host-only network to issue the build command.

That means removing the default NIC (the one configured for NAT) loses no functionality, but it does cut npm off from the internet. That’s an immediate UX improvement: npm can no longer complain that it is out of date! Furthermore, if the software I installed happened to be compromised and running a Bitcoin miner, it has been cut off from its C2 server and its mining pool, and can’t make anyone money.

An interesting side benefit is that it also cuts off everyone’s telemetry, impassively.

I can’t update the OS packages, but I’m not sure that is an actual problem. If the code installed doesn’t have an exploit payload already, there’s no way to fetch one later. The vulnerability remains, but nothing from the internet can reach it. What can still reach it is the host-only network and the files the build reads from the NFS share, so a hostile OpenAPI document fed to the build tool is the remaining way in; the guest is isolated from the internet, not from its inputs.
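One check worth running after pulling the NAT NIC is to confirm that the guest's routing table really has no path out. The script below is an added example, not code from the post; it assumes a Linux guest with iproute2 and a hypothetical host-only subnet of 192.168.56.0/24 (the post gives a static IP but no subnet). The sample route tables used to exercise it are constructed.

```shell
#!/bin/sh
# Added example (not from the post): confirm that a Linux guest has no route
# out to the internet once its NAT NIC is gone. POSIX sh plus iproute2.
# HOSTONLY_NET is an assumed host-only subnet prefix; change it to yours.
HOSTONLY_NET="192.168.56."

# offending_routes: read `ip -4 route show` output on stdin and print every
# route that could carry traffic off the host-only network: a default route,
# or any route whose destination is outside HOSTONLY_NET.
offending_routes() {
  while IFS= read -r line; do
    set -- $line                 # split on whitespace; $1 is the destination
    [ $# -eq 0 ] && continue     # skip blank lines
    case "$1" in
      default)           echo "$line" ;;   # any default route is a way out
      ${HOSTONLY_NET}*)  ;;                # host-only subnet: expected
      127.*)             ;;                # loopback: harmless
      *)                 echo "$line" ;;   # NAT subnet, link-local, etc.
    esac
  done
  return 0
}

# is_offline: exit 0 when the route table read on stdin has no offending routes.
is_offline() {
  n=$(offending_routes | wc -l | tr -d ' ')
  [ "$n" -eq 0 ]
}

# live_check: run against the real tables. The IPv4 table must be clean and
# there must be no IPv6 default route; a leftover "default via ..." on either
# means the NAT NIC (or a stale route to it) is still present.
live_check() {
  ip -4 route show | is_offline \
    || { echo "IPv4 route to outside still present:" >&2; ip -4 route show | offending_routes >&2; return 1; }
  [ -z "$(ip -6 route show default 2>/dev/null)" ] \
    || { echo "IPv6 default route still present" >&2; return 1; }
  echo "guest is off the internet: only host-only routes remain"
}

# Run the live check only when invoked with --live, so the functions can be
# sourced and tested on constructed input without touching the real tables.
[ "${1:-}" = "--live" ] && live_check
```

Run it as `sh check-offline.sh --live` inside the guest over the host-only connection. A `10.0.2.0/24` route or a `default via 10.0.2.2` line in the failure output is the usual sign that the NAT interface was only brought down, not removed, and came back on the next boot.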

P.S.: I could deactivate both NICs. Files could be shared using the hypervisor’s shared-folders system, and the actual build command could be run via console login. (If I could stand using Qwerty that long!) If the machine had a snapshot, I could shut it down by powering off and reverting to the snapshot; then I would not even need admin rights to run the appliance. The more I think about it… the more I like it.
