VMWare Configuration

The configuration of a host operating system so that it isolates a virtual machine (using VMWare) has been described in [Gom04]. This configuration has the advantage that the host OS has no IP stack associated with the experimental network: traffic from the experimental network is bridged directly into the virtual machines. Networked virtual machines therefore see only other virtual machines, and malicious code cannot attack the host OS directly through the network. Moreover, the virtual machines can be denied access to the control network interface.
The idea is to confine the virtual machines to the experimental network while allowing remote access and control through a separate network interface. The VMWare settings are owned by root, so normal users cannot change which network interface is used or whether bridging or NAT is used, regardless of the settings inside the guest machine. VMWare is therefore configured to use the two NICs on the experimental network in bridging mode, the host IP stack is disabled for those NICs, and all other VMWare networks are disabled. Normal users can then run VMWare without being able to change these settings. This works for both VMWare Workstation and GSX. The networking of User Mode Linux (UML) images can be constrained in the same way: root creates bridges only to the experimental network and makes only those bridges available to UML.
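The isolation above rests on the host keeping no IP stack on the experimental NICs while the control NIC stays reachable. As an added example (not from [Gom04] or the original setup), the POSIX shell audit below checks exactly that; the interface names and the `ip -o addr show` sample are constructed assumptions, and an IPv6 link-local address counts as an active stack, since the kernel assigns one unless IPv6 is disabled on the NIC.

```shell
#!/bin/sh
# Added audit example; not part of the cited paper or its configuration.
# Usage: . ./audit_isolation.sh; audit_isolation   (AUDIT_LIVE=1 queries the host)
EXPERIMENTAL_NICS="eth1 eth2"   # assumed names of the two bridged NICs
CONTROL_NIC="eth0"              # assumed name of the remote-control NIC

# Constructed sample of `ip -o addr show` output used when AUDIT_LIVE is unset:
# eth0 is addressed, eth1 still carries an IPv6 link-local address, eth2 is bare.
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet6 fe80::1/64 scope link \       valid_lft forever preferred_lft forever'

# Address lines for one interface, from the live host or the constructed sample.
addr_lines() {
    if [ "${AUDIT_LIVE:-0}" = 1 ]; then
        ip -o addr show dev "$1"
    else
        printf '%s\n' "$SAMPLE_IP_ADDR" | awk -v nic="$1" '$2 == nic'
    fi
}

# Returns 0 if the interface holds any IPv4 or IPv6 address (host stack active).
nic_has_address() {
    addr_lines "$1" | awk '$3 == "inet" || $3 == "inet6" { found = 1 }
                          END { exit found ? 0 : 1 }'
}

# Experimental NICs must be bare; the control NIC must be addressed.
# Prints one line per check and returns the number of violations (0 = compliant).
audit_isolation() {
    violations=0
    for nic in $EXPERIMENTAL_NICS; do
        if nic_has_address "$nic"; then
            echo "FAIL: $nic has a host address (also check net.ipv6.conf.$nic.disable_ipv6)"
            violations=$((violations + 1))
        else
            echo "ok: $nic has no host IP stack"
        fi
    done
    if nic_has_address "$CONTROL_NIC"; then
        echo "ok: $CONTROL_NIC is reachable for remote control"
    else
        echo "FAIL: $CONTROL_NIC has no address"
        violations=$((violations + 1))
    fi
    return $violations
}
```

With the constructed sample the audit reports one violation (eth1), which is the typical oversight when only IPv4 is removed from a bridged NIC.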
[Gom04] Gonzalez Gomez D (2004) Installing a Virtual Honeywall using VMware.
| Guest Interface | VMware Network | Host Interface |