Air gaps and secure networks

I am a person with many interests. In one conversation, I’ll introduce myself as a new filmmaker. In another, I’m a seasoned theatre actor. Sometimes I give talks on Microsoft’s data platform products, SQL Server and Azure SQL Database. There’s another strong field of interest I have, which I don’t speak much about, and that’s information security (often shortened to infosec).

By no means am I a security expert. I use 1Password for managing my passwords and secure data between members of my company, and I use Cloak VPN when I connect to public Wi-Fi networks. My MacBook Pro’s hard drive is encrypted using FileVault. We have a guest Wi-Fi network at home to prevent non-residents gaining access to our smart lights and my NAS. I have passwords on my two computers’ screensavers.

I know I don’t do enough to keep everything as secure as possible, but I try.

Recently I’ve been watching the Pluralsight course Ethical Hacking (CEH Prep) (login required).

The very first thing in the course is setting up a secure lab environment, so that any tools used in the course are contained in that secure environment. This is the right way to do it, and I am using Hyper-V on my venerable Asus laptop to host these socially unacceptable virtual machines, away from my home network and away from the Internet.

This is called an “air gap”. Theoretically speaking, the virtual machines (guests) have no network access, and therefore there is air between them and a machine that is online. Practically speaking, this is untrue, because my laptop, which is hosting the guests, is online, but Hyper-V has segmented them on their own private network.

So this raises a question: How do I install applications on these guests if I’m not giving them access to any network? I don’t want to connect the guests to the Internet to download anything, firstly because of automatic updates (the lab environment must be predictable), and secondly because the guests may be compromised already, and it would be improper for me to expose compromised machines to the Internet (and my home network).

The answer, as with any air gap, is to do it the way we used to twenty years ago: burn files to CD-ROM or a USB drive, and then access that device from the guest.

Using Hyper-V (and other modern virtualization technology), it is trivial to connect a CD-ROM, USB drive, or disk image to a virtual machine. My challenge, in this “clean-room” laboratory that I’ve set up, is that I have no software on my host operating system. All I want to do is download the files to the host and then make them available to the guest virtual machines.

In the Pluralsight course, the way the presenter did this was to make a network share available from the host to the virtual machines. I decided against this, because it does not keep the lab environment completely separate.

The only other machine I can use is my MacBook Pro, which means having to copy files over the network to my host, which I want to avoid.

I decided to create a virtual hard drive (VHD), which is natively supported on all modern versions of Windows, as well as Hyper-V.

On the host, I created a VHD using the DISKPART command, which is built into Windows.

From the command line, type diskpart to open it. At the DISKPART> prompt, type:

DISKPART> create vdisk file="D:\Temp\airgap.vhd" maximum=1024

This creates a 1GB virtual hard drive on my host, which I will use to store files that I want to install on the guest. However, before I can use this container file, I have to partition and format it.

Attach the new virtual disk we have just created:

DISKPART> attach vdisk

Create a primary partition on the virtual disk:

DISKPART> create partition primary

Select the partition:

DISKPART> select partition 1

Assign it a drive letter (I used Z: but you can use any available drive letter):

DISKPART> assign letter=z

At this point, Windows will pop up a dialogue box informing us that an unformatted drive has been detected. We can use this box to format the drive, using the default values.

Once the drive is formatted, we can transfer downloaded files to this new VHD.

The next step is using the VHD on the guest. To do that, once the files have been copied, we can detach the disk from the host using DISKPART again.

DISKPART> detach vdisk

This closes all open handles to the VHD, so that we can access it elsewhere.

In Hyper-V, or whichever virtualization host you’re using, the first thing to note is that VHDs cannot be added to virtual machines while they are running, so I have to make sure the guest is shut down.

We then add the VHD as a second hard drive to the guest’s configuration and start up the virtual machine. The VHD is already formatted, and it will receive a drive letter automatically when the operating system has started, so it will be accessible immediately. We can just run the applications or installation from that new drive as if we had downloaded the files directly to the guest.

To make changes to the VHD, we have to shut down the guest and then use DISKPART to attach to the VHD again. Treat re-attaching it to the host as handling untrusted media: although the guest is turned off, there’s no guarantee that the VHD hasn’t been infected with something, and the moment it is attached the host will read it.

If you need to add new files, it would be better to create a new VHD instead. Treat the VHD with the same level of trust as a USB drive you find in a parking lot.
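The whole procedure above (create, attach, partition, format, copy, detach, attach to a stopped guest) as one PowerShell script using the Hyper-V and Storage modules. This is an added example, not a script from the post; it assumes a guest named AirGapLab and a staging folder D:\Temp\airgap-staging, and it follows the rule just stated by minting a fresh, timestamped VHD for every transfer rather than re-attaching a used one.

```powershell
# Added example (not the post's own script). Run elevated on the Hyper-V host.
# Assumed names: guest "AirGapLab", staging folder D:\Temp\airgap-staging.
param(
    [string]$VmName  = 'AirGapLab',
    [string]$Staging = 'D:\Temp\airgap-staging',
    [string]$VhdDir  = 'D:\Temp'
)
$ErrorActionPreference = 'Stop'

# One new VHD per transfer: a disk that has been inside the guest is never
# mounted writable on the host again (the "parking lot USB drive" rule).
$vhdPath = Join-Path $VhdDir ("airgap-{0:yyyyMMdd-HHmmss}.vhd" -f (Get-Date))

# Equivalent of: create vdisk / attach vdisk / create partition primary /
# assign letter / format, done as a single pipeline (1 GB, like maximum=1024).
$vol = New-VHD -Path $vhdPath -SizeBytes 1GB -Dynamic |
       Mount-VHD -Passthru |
       Initialize-Disk -PartitionStyle MBR -Passthru |
       New-Partition -UseMaximumSize -AssignDriveLetter |
       Format-Volume -FileSystem NTFS -NewFileSystemLabel 'AIRGAP' -Confirm:$false

# Copy the downloaded installers onto the new volume.
$root = "$($vol.DriveLetter):\"
Copy-Item -Path (Join-Path $Staging '*') -Destination $root -Recurse

# Keep a SHA-256 manifest of what went in, stored on the HOST (not on the VHD),
# so the guest-side copy can later be compared against what was actually shipped.
Get-ChildItem -Path $root -File -Recurse |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path "$vhdPath.manifest.csv" -NoTypeInformation

# Equivalent of: detach vdisk. Releases every host handle before the guest sees it.
Dismount-VHD -Path $vhdPath

# Attach only to a guest that is shut down, as the post requires; check explicitly.
$vm = Get-VM -Name $VmName
if ($vm.State -ne 'Off') {
    throw "Shut down '$VmName' before attaching $vhdPath (current state: $($vm.State))"
}
Add-VMHardDiskDrive -VMName $VmName -Path $vhdPath
Write-Host "Attached $vhdPath to $VmName. Start the guest; the volume appears with its own drive letter."

# If you ever must look at a VHD that has been inside the guest, mount it read-only:
#   Mount-VHD -Path $vhdPath -ReadOnly
# and compare against the manifest rather than running anything from it.
```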

If you’d like to read additional technical posts, check out my blog on Born SQL.

Why not to overthink a problem

I’ve recently become the proud owner of a 27″ iMac, with the i5 quad core processor and 8GB RAM. It’s faster than stink, and I love it.

Unfortunately, my background does not permit me a full move to Mac OS X, because I have written several applications for Windows, and I must support SQL Server databases for several customers.

So … laziness dictated (it’s a known fact that all software developers are lazy, otherwise they wouldn’t spend so much time trying to do so much with so little code) that instead of installing a brand new virtual machine running Windows XP Professional, I would simply reuse the one from my Windows 7 install (Virtual XP), and do an in-place upgrade using my Action Pack licence to get around the licensing issues.

In other words, I wouldn’t have to reinstall SQL Server and Visual Studio, and copy over all my files and code.

It worked beautifully. Except, for some reason, my virtual machine seemed to be shutting itself down every night around the same time. At first I thought it might be the Windows Activation thing getting confused, because I was doing something unusual.

But, after rerunning the in-place upgrade with an XP SP3-slipstreamed install last night, and reactivating my OS, the machine shut down all by itself tonight at 11:17pm. I know, because last night I checked when it happened, and tonight I made a special note to see if it happened again at the same time.

Sure as bears in woods and Catholic Popes, it was a definite recurring problem. Was the OS infected? I checked. Was the activation a problem? I couldn’t think why it would be, and I reactivated to make sure.

So I went onto Google, my saviour. I call it that because Google has saved my job many times. Tonight, I searched for “XP shutting down same time every day”. The first few pages were garbage, but then … oh yes, then …

“Check if you have any scheduled tasks that might be shutting down your computer” in some or other forum.

*Click* goes the brain, and let me explain why.

I wrote a little application called ShutOff 2000. For the past few years, I’ve been working here and there on its replacement, ShutOff 2010. One of the new features of ShutOff 2010 is its integration into the Windows Task Scheduler for all versions of Windows, from lowly XP up to 2008 R2.

And because I do my best work at night, I had tested it to shut down every night at 11:17pm, just to see if it was saving the scheduled task correctly.

And then I forgot about it.

Until tonight.

Yes, you may laugh at me.