
Whonix physical isolation exploit?

I read on the ‘comparison with others’ page that there could exist some vulnerability even in a physically isolated Whonix system which would allow malware on the workstation to infect the gateway, revealing the user’s identity. I’m definitely not an expert, so I’m not aware how exactly such a virus would work. Would it involve some kind of network worm, such as Scalper/Sasser? If so, how could I prevent such malware from being communicated, besides the obvious step of using iptables? Additionally, how badly would my anonymity be damaged if my gateway (not the workstation) was infected by something like Scalper/Sasser by, say, picking it up while on an insecure public network? Would adding a third physically isolated computer in front of the gateway prevent such a worm from infecting the gateway or workstation (as it would infect the third computer instead)? Is this setup what is mentioned on the ‘advanced security guide’ page under “DMZ” (https://www.whonix.org/wiki/Advanced_Security_Guide#DMZ)? Finally, would using an Ethernet wired connection between the gateway and the workstation (the recommended option) do anything to prevent the spread of a worm on the Whonix ‘network’, or would it be identical to a wireless WiFi LAN in that respect?

Also, when I asked this question on a different forum, one user stated that a “physically isolated” Whonix system isn’t actually physically isolated, but is only protected by a “weak logical isolation.” Is this correct?

I don’t think you can have any kind of generic malware protection, iptables or otherwise. The usual hardening is the most you can do.

It really depends on how the malware spreads. If it exploits a hypothetical issue in the Linux kernel’s network stack, then no number of Linux kernel based physically isolated machines that pass the traffic would help.

No, this is not what DMZ does. Also, DMZ is not unbeatable. The best you can do is physical isolation of networks, but this is uncomfortable. Most of the time, one doesn’t have two TAE and doesn’t like to physically switch back and forth.

I don’t know what “weak logical isolation” means and how it would differ from “physical isolation”. The term “physical isolation” isn’t perfect either.

From https://www.whonix.org/wiki/Dev/About_Computer_(In)Security

Physical Isolation (http://wiki/Physical_Isolation) in the sense of Whonix is not a new idea; see “Verifiable Computer Security and Hardware: Issues” by William D. Young, September 1991 (PDF!, http://www.cs.utexas.edu/ftp/boyer/cli-reports/070.pdf), page 18 for a summary. It seems like the idea was rediscovered by Whonix (independently, and we came up with the same term); to our knowledge Whonix is currently the only project following this approach in a defined way.

Before that we called it “bare metal”, which is worse, because it doesn’t communicate the idea of isolation and because physical isolation can be combined with virtualization.

In the case that the malware involved a worm exploiting a Linux networking vulnerability, would grsecurity/PaX provide any kind of protection? I know it makes the kernel more difficult to attack, but most of the protections I’ve read about seem to relate to preventing privilege escalation.

Besides exploiting a vulnerability in the network stack (I suppose that would involve some kind of networking worm?), are there any other vulnerabilities that could allow malware to spread between two physically isolated Whonix components? Besides the general hardening tips, are there any other ways to prevent exploitation?

Regarding the DMZ, besides making the rest of the Whonix system invisible to the rest of the public network, what other benefits does it provide?

are there any other vulnerabilities that could allow malware to spread between two physically isolated Whonix components?

No known ones, but a hypothetical vulnerability in all other components that process something, such as Tor.

Besides the general hardening tips, are there any other ways to prevent exploitation?

The general hardening tips should keep you busy for quite some time.

Yes and no. Generally, any tips to make your system more secure are to be found under the topic “hardening”. Sure, there are other ways to make things safer. It’s not like IT has reached even remotely the security maximum. But those are super difficult and super expensive. Not sure how useful it is to reference even less realistic, more theoretical stuff. (A lot of hardening steps are so difficult, I am wondering how many apply those.) Stuff like “merge grsecurity into Linux mainline”, “make Linux a microkernel”, “make Linux the new Xen”, “L4 kernel”, “other microkernel”, etc.

Regarding the DMZ, besides making the rest of the Whonix system invisible to the rest of the public network, what other benefits does it provide?

Only what’s being said in https://www.whonix.org/wiki/Advanced_Security_Guide#DMZ.