Add IDS-VM as a defensive networking mechanism #422

riskuuse · 2023-12-20T12:00:06Z

Description of changes

This PR adds a new VM that enables defensive mechanisms to internal network as well as to outgoing network. This is going to replace the earlier draft pull request PR #146.

Initially it utilizes mitmproxy toolset to monitor http and https traffic.
It establishes a web interface for the tool using mitmweb tool. The interface can be launched from the gui-vm by running command 'mitmweb-ui'. The web interface uses ssh-tunnel to securely pass on the interface.
The chromium-vm launcher is patched so that it does not create warnings or errors due to certificate created by mitmproxy without relaxing web security too much.
Also snort and tcpdump packages are included to ids-vm.

Checklist for things done

Testing

After boot configure WiFi normally if necessary.
Open Chromium and browse for a while.
- Notice the warning prompt about unsupported command-line flag. This is tradeoff between installing CA certificate manually
  and ignoring certificate warnings entirely.
Open GUI-VM terminal and run command 'mitmweb-ui' and type in ssh username(ghaf) and password(ghaf) when requested.
A new browser window opens with web interface of mitmproxy and you can see http(s) flows.
- Notice that you will see recorded flows of your previous browsing and real time flows.

leivos-unikie · 2024-01-10T13:36:26Z

Tested the mitproxy interface while browsing
All apps launch (except Gala)
Ran ci-test-automation test suite -> pass

riskuuse · 2024-01-11T11:22:52Z

Removed some .license -files now with 40b6688, since PR #429 has been merged.

modules/virtualization/microvm/idsvm.nix

modules/virtualization/microvm/guivm.nix

overlays/custom-packages/mitmweb-ui/default.nix

overlays/custom-packages/default.nix

packages/mitmweb-ui/default.nix

riskuuse · 2024-04-18T07:12:09Z

Both ids-vm and mitmproxy made now optional and disabled by default. The mitmproxy is now introduced as a module for ids-vm.
Also some network settings are unified.

targets/lenovo-x1/appvms/gala.nix

modules/microvm/virtualization/microvm/idsvm/idsvm.nix

vilvo

Design could be moved to GA-space according to the new process but it's there in the PR so I'll leave it to the integration
Please check and cherry-pick/include the two commits I commented related to VMM and timeZone.

leivos-unikie

Tested on Lenovo-X1

mitmweb-ui works
Apps launch
ci-test-automation run ok

mbssrc

Looks good! Just an FYI - the certificate warning goes away when using the flag --test-type.

riskuuse · 2024-05-02T13:41:02Z

Rebased with 6fd3643

- Adds new virtual machine called ids-vm to Lenovo X1 target. - If enabled, sets it as a default gateway for other VMs except for net-vm. - Adds mitmproxy as a module to ids-vm to monitor http and https traffic. - Creates a web interface to the mitmproxy. - Sets Chromium to ignore self-signed CA certificate generated by mitmproxy. - Adds mitmproxy CA certificate to gala-vm to enable login. - Both ids-vm and mitmproxy module are disabled by default. Signed-off-by: Risto Kuusela <risto.kuusela@unikie.com>

barnabakos · 2024-05-04T07:05:41Z

ci-test-automation passed;
apps launch;
mitmweb-ui works

riskuuse temporarily deployed to internal-build-workflow December 20, 2023 12:00 — with GitHub Actions Inactive

riskuuse had a problem deploying to external-build-workflow December 20, 2023 12:00 — with GitHub Actions Failure

riskuuse force-pushed the ids-vm-refactored branch from 11e4111 to a85b68f Compare December 20, 2023 14:56

riskuuse temporarily deployed to internal-build-workflow December 20, 2023 14:56 — with GitHub Actions Inactive

riskuuse had a problem deploying to external-build-workflow December 20, 2023 14:56 — with GitHub Actions Failure

riskuuse force-pushed the ids-vm-refactored branch from a85b68f to 7f9f777 Compare December 21, 2023 08:39

riskuuse temporarily deployed to internal-build-workflow December 21, 2023 08:39 — with GitHub Actions Inactive

riskuuse temporarily deployed to external-build-workflow December 21, 2023 08:39 — with GitHub Actions Inactive

riskuuse requested a review from unbel13ver December 21, 2023 08:55

riskuuse force-pushed the ids-vm-refactored branch from 7f9f777 to f9fafb1 Compare January 8, 2024 09:28

riskuuse temporarily deployed to internal-build-workflow January 8, 2024 09:28 — with GitHub Actions Inactive

riskuuse had a problem deploying to external-build-workflow January 8, 2024 09:28 — with GitHub Actions Failure

riskuuse marked this pull request as ready for review January 8, 2024 09:29

riskuuse requested a review from vilvo January 8, 2024 09:29

riskuuse force-pushed the ids-vm-refactored branch from f9fafb1 to dca4b2f Compare January 9, 2024 07:50

riskuuse temporarily deployed to internal-build-workflow January 9, 2024 07:50 — with GitHub Actions Inactive

riskuuse had a problem deploying to external-build-workflow January 9, 2024 07:50 — with GitHub Actions Failure

leivos-unikie added the Tested on Lenovo X1 Carbon This PR has been tested on Lenovo X1 Carbon label Jan 10, 2024

riskuuse force-pushed the ids-vm-refactored branch from dca4b2f to 40b6688 Compare January 11, 2024 11:14

riskuuse temporarily deployed to internal-build-workflow January 11, 2024 11:14 — with GitHub Actions Inactive

riskuuse had a problem deploying to external-build-workflow January 11, 2024 11:14 — with GitHub Actions Failure