How could a virtual machine in Ubuntu be more secure?

A couple of sources vaguely suggest that running a Windows virtual machine inside Linux provides added (online) security.

Are VMs more secure than containers?

Fight ransomware by running Windows in Linux as a virtual machine

Apart from protecting the Linux system from threats that occur inside the VM, are there any other added security benefits to running an operating system (Windows or otherwise) in a VM in Ubuntu? Or is the user just as vulnerable to online threats as they would otherwise be running that same OS outside of the VM?

Essentially, is the VM only protecting Ubuntu and adding no further protection to the experience inside the VM?


Solution 1:

Correct, the VM protects the machine it is running on, but not the virtual machine itself. The benefit comes from having a clean clone of your virtual machine so that if the virtual machine becomes corrupt, you can destroy it, load a copy of the clean clone ans start all over.

Solution 2:

There are a couple of different concepts here.

Firstly, the source that is comparing the security of running applications in a container, versus running them in a VM.

Containers could be described very simply as a lightweight alternative to a VM, in which applications in a container are isolated from applications outside the container, but they run on the same kernel. Therefore, it's not possible to run a different operating system in the container, such as Windows within Linux.

A VM on the other hand emulates a machine on which you could install any operating system you like (though there is some VM technology which can accelerate certain guest operating systems).

The second issue is whether Windows in a guest VM on a Linux machine is any more secure than Windows run on a machine itself, and the answer is probably no, at least not in the ways that count. While you are probably safe that nothing inside the VM can harm the host system, there is still a lot of damage that a malicious process could do inside the VM, including destroying files in the VM, launching network based attacks, spreading spam and worms, and so on. Running an operating system in a VM is not a substitute for ensuring it is secure and protecting it from malicious code, and is not very effective.

Solution 3:

Yes, you do have additional protection except "only" to protect the host. The idea is that inside the VM, you install/configure only the very least amount of features (whatever those may be - be it installed packages, network configuration etc.) that you need for that particular VM.

Also, you get a bit more expressive power for firewall rules (you can fine-tune what applications running inside the VM can do, network-wise). For example, you can have a VM specifically for your online banking; this would only have your online banking software installed, and the only firewall entry for the VM's IP would be the one to your bank. This does not protect your host system, but protects your online banking "experience" from any other package you may have installed on other VMs or the host - they have a harder time hijacking your session, and so on (depending on how this all is implemented technically, obviously, just take this as an example).

You would configure this VM in a way that would make it impossible to connect to it from the outside, and impossible to connect out from the VM to anything else (except for your banking server). It would not have general access to hardware, would not honor USB-plug&play requests, etc. etc.

This is the same kind of security you get by containerization in general, for example in microservice applications where everything is running in its own (Docker) container.