question about security when using a virtual machine

aerotive

I telecommute from home, and use Vista as a host for an XP guest virtual machine. The virtualization software is VMware Workstation. The computer is mine, but vmware, a vpn client, and everything else that runs inside the VM is provided by my employer.

I would like to know if there's any way for my employer to detect what is happening on the host machine while the vm is active... things like detecting or inspecting packets, seeing what's on the screen, keyboard logging, etc. And if it's possible, how would I prevent it?

Thanks.
 
Generally the answer is no, at least not from within the VM. If they have you install something else on the host, that might be a different story.
 
Likely not, BUT...

It depends on how the network is set up. I've seen a few where the host traffic passes through the guest. Which is a funky way of doing it, but there you go. Were that the case, then the guest could sniff the host's traffic and get some diagnostic on it.

I would ask the IT guys at work to be safe. If it's your computer, then the albino midget horse pr0n you are worried about shouldn't be the company's concern.
 
Just wondering - how does VMware handle the networking? I know under Linux (xen) if you do network bridging you can inspect other virtual systems' packets.
 
You really just hit the nail on the head; the answer is yes, but no.

As far as the VM itself, it is nothing more than a vmdk and vmx file on your computer and has no bearing on what the host machine is doing. With that said, your networking setup is what can open the breach that you're talking about. With Workstation, you have the option of using Bridged, NAT, or Host-only.

Bridged - connect directly to the specified NIC
NAT - share the host's network connection
Host-Only - only allow networking between the host and guest OS

You need to treat the networking connection between the guest and host OS the same way you would handle any physical network consideration to another networked PC with all of the security therein.
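
An added example, not part of the original thread: a small Python check that reads a VM's .vmx file and reports which of the three modes listed above each virtual adapter uses. The `ethernetN.present`, `ethernetN.connectionType` and `ethernetN.vnet` keys are the usual .vmx settings; treating a missing `connectionType` as bridged is an assumption about Workstation's default, and the sample file content is constructed.

```python
import re

# Descriptions follow the three modes listed in the post above.
MODES = {
    "bridged": "guest connects directly to the specified NIC",
    "nat": "guest shares the host's network connection",
    "hostonly": "networking only between host and guest",
    "custom": "guest attached to a named virtual network:",
}

# Matches lines such as: ethernet0.connectionType = "nat"
LINE = re.compile(r'^\s*(ethernet\d+)\.(\w+)\s*=\s*"(.*)"\s*$', re.IGNORECASE)

def adapter_modes(vmx_text):
    """Return {adapter: (mode, description)} for every present adapter."""
    adapters = {}
    for raw in vmx_text.splitlines():
        m = LINE.match(raw)
        if m:
            name, key, value = m.group(1).lower(), m.group(2).lower(), m.group(3)
            adapters.setdefault(name, {})[key] = value
    report = {}
    for name, cfg in sorted(adapters.items()):
        if cfg.get("present", "FALSE").upper() != "TRUE":
            continue  # adapter defined but not attached to the VM
        # Assumption: a missing connectionType means bridged.
        mode = cfg.get("connectiontype", "bridged").lower()
        desc = MODES.get(mode, "unrecognised mode, inspect manually")
        if mode == "custom":
            desc += " " + cfg.get("vnet", "(vnet not set)")
        report[name] = (mode, desc)
    return report

# Constructed sample .vmx content, not taken from the thread.
SAMPLE_VMX = '''
displayName = "Work XP"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
ethernet1.present = "TRUE"
ethernet2.present = "FALSE"
ethernet2.connectionType = "hostonly"
'''

if __name__ == "__main__":
    for nic, (mode, desc) in adapter_modes(SAMPLE_VMX).items():
        print(f"{nic}: {mode} - {desc}")
```

To check a real VM, pass the text of its .vmx file to `adapter_modes` instead of the sample string.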
 
Don't be so quick, guys...There are published exploits for guests that affect the host computer. That means that something that happens on the VM machine can affect the host machine, VMware is not a security measure, it's a tool.
 
Don't be so quick, guys...There are published exploits for guests that affect the host computer. That means that something that happens on the VM machine can affect the host machine, VMware is not a security measure, it's a tool.

I'm gonna needs some links.
 
Don't be so quick, guys...There are published exploits for guests that affect the host computer. That means that something that happens on the VM machine can affect the host machine, VMware is not a security measure, it's a tool.

...and it's highly unlikely that anything his employer's VM does would be targeted to exploit some vulnerability to compromise the employee's personal system.
 
I do agree with Morfius and spongey's comments about the likelihood of a company trying to exploit a paid software product (VMware Workstation) to do such a thing.

The changelogs of VMware's products hint at exactly what Rabidfox mentioned. IIRC, the majority required a user to have complete control of a Linux guest OS (not the OP's OS). I'm not saying it's not possible, I'm saying that it's not probable that a VMware exploit would be used for monitoring -- GP, packet sniffing on the company's side, and other corporate-wide applications running in the VM are so much easier to maintain across a high volume of users.
 
I'm sure the net/sys admins who maintain and administer your VM systems have other crap to worry about, rather than what's going on with your host machine. If they cared, they would set you up on a split tunneling disabled VPN connection, and all traffic related to your VM and host would be routed through the company network. We do this at our company because we deal with extremely sensitive data that we can't allow out (although there are pretty easy ways to get around disabled split tunneling, unfortunately).

My guess is that your admins either don't have the time, or don't have the motivation (after all, most admins are lazy :) ), to monitor home client machines. Coming from an admin's POV, I wouldn't worry about anything. And if you're worried, disconnect from your VPN before you do your dirty deeds on the web.
 
Oh and, if you're worried about your work monitoring what you do on your host PC, the VM won't be the culprit to look for. The VM is completely sovereign. The thing to worry about is the way your VPN connection works.
 