How to Build a Secure “Airlock” VM: Hyper-V Isolation with Internet Access


Securing the “Airlock”: A Guide to Hostile VM Isolation in Hyper-V

Why build a Digital Airlock? In the world of cybersecurity, “isolation” is your best friend. This setup is designed for security researchers, malware analysts, and privacy enthusiasts who need to run potentially dangerous software without risking their primary computer or home network. By combining Hyper-V’s internal networking with extended port Access Control Lists (ACLs), filters that the host’s virtual switch enforces on the VM’s port and that nothing inside the guest can see or change, we create a barrier that is functionally equivalent to, and in many ways better than, a physical device like a Raspberry Pi. Unlike physical hardware, a VM allows for instant rollbacks via checkpoints.

Executive Summary

We are creating an Internal Virtual Switch that has no physical bridge to your router. We then turn your Host into a NAT Gateway, acting as a one-way valve: the VM can open connections out to the internet, but nothing on your LAN can open a connection in to it (the LAN has no route to the VM’s private subnet, and the NAT only forwards replies to flows the VM started). NAT on its own does not stop the VM from reaching your LAN, though: the host forwards guest traffic to 192.168.68.x exactly as it forwards it to the internet. That is why the final step applies extended port ACLs to the VM’s switch port, enforced by the host rather than the guest, so that even a fully compromised Guest OS cannot reach other devices on your local network or bypass the rules.


Step-by-Step Setup Guide

Step 1: Create the Isolated Network

Open Hyper-V Manager and go to Virtual Switch Manager. Select Internal and click Create Virtual Switch. Name it Airlock-Internal-Switch.

Step 2: Configure the Host Gateway (PowerShell)

Open PowerShell as Administrator on your host (ALPHA-HOST) and run these commands to give the host side of the switch an IP address and enable NAT. Hyper-V creates the host-side adapter automatically and names it “vEthernet (<switch name>)”, which is why that alias appears below:

# 1. Assign an IP to the Host side of the switch
New-NetIPAddress -IPAddress 192.168.100.1 -PrefixLength 24 -InterfaceAlias "vEthernet (Airlock-Internal-Switch)"

# 2. Enable the NAT service
New-NetNat -Name "AirlockNAT" -InternalIPInterfaceAddressPrefix 192.168.100.0/24

Step 3: Harden the VM Hardware

  • Disable Integration Services: In the VM settings, uncheck every integration service except Heartbeat and Operating system shutdown (the “Shut down guest OS” stop action below relies on the latter). This removes host-to-guest channels such as Guest services (file copy from the host with Copy-VMFile), Data Exchange (key-value pairs) and Time synchronization.
  • Enhanced Session Mode: Turn this OFF in Hyper-V Settings (both the Server and the User section) to prevent clipboard, drive and printer redirection into the guest.
  • Remove Legacy Hardware: On a Generation 1 VM, set the Diskette Drive to “None” and set both COM Ports to “None.” (Generation 2 VMs have neither.)
  • Automatic Actions: Set the Automatic Start Action to “Always start this virtual machine automatically” (or “Nothing” if you would rather a hostile VM not come up unattended when the host boots) and the Automatic Stop Action to “Shut down the guest operating system.”

Step 4: Seal the Network with ACLs

This is the most critical security layer. We tell the virtual switch port, not the guest (which cannot see or change these rules), to drop any traffic heading toward your real home network (assumed here to be 192.168.68.x). Two caveats: extended port ACLs have no implicit deny, so anything not matched by a rule is allowed and every subnet the host can reach needs its own Deny rule; and this rule says nothing about the host itself at 192.168.100.1, so services listening on the host (SMB, RDP, WinRM) stay reachable from the guest unless the host firewall on the vEthernet adapter blocks them, which is what marking that adapter’s connection profile as Public is for.

Add-VMNetworkAdapterExtendedAcl -VMName "OMEGA-GUEST" -Action Deny -Direction Outbound -RemoteIPAddress 192.168.68.0/24 -Weight 100

Step 5: Configure the Guest OS (Ubuntu)

Inside your guest VM (OMEGA-GUEST), manually assign the IP details:

  • IP Address: 192.168.100.10
  • Subnet Mask: 255.255.255.0
  • Default Gateway: 192.168.100.1
  • DNS: 8.8.8.8
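Steps 1 through 5 on the host side as one rerunnable script, added here as an example that is not part of the original post. It uses the article’s names and addresses (Airlock-Internal-Switch, OMEGA-GUEST, AirlockNAT, 192.168.100.0/24, 192.168.68.0/24) and adds three things the steps do not spell out: it sets the vEthernet adapter’s connection profile to Public (which the Commands Summary lists but no step runs), it keeps the Shutdown integration service so the stop action still works, and it extends the single Deny rule into Deny rules for the other private and link-local ranges and for the host address itself. Those extra rules are an assumption that the guest needs nothing from the host; drop the 192.168.100.1 rule if it does. Step 5 itself is done inside Ubuntu and is not repeated here.

```powershell
# Added example (not from the original post): host-side setup for the Airlock VM.
# Run as Administrator on the host (ALPHA-HOST); needs the Hyper-V PowerShell module.
# The extra Deny rules (host address, 10/8, 172.16/12, 169.254/16) are additions
# beyond the article's single rule and assume the guest needs no service on the host.
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V

$SwitchName = "Airlock-Internal-Switch"
$VMName     = "OMEGA-GUEST"
$HostIP     = "192.168.100.1"
$NatPrefix  = "192.168.100.0/24"
$LanPrefix  = "192.168.68.0/24"            # your real home network (adjust)
$Alias      = "vEthernet ($SwitchName)"    # Hyper-V names the host-side adapter this way

# Step 1: internal switch (host-only; no physical NIC is bridged)
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $SwitchName -SwitchType Internal | Out-Null
}

# Step 2: host side of the switch becomes the gateway, then NAT is enabled
if (-not (Get-NetIPAddress -InterfaceAlias $Alias -IPAddress $HostIP -ErrorAction SilentlyContinue)) {
    New-NetIPAddress -IPAddress $HostIP -PrefixLength 24 -InterfaceAlias $Alias | Out-Null
}
if (-not (Get-NetNat -Name "AirlockNAT" -ErrorAction SilentlyContinue)) {
    New-NetNat -Name "AirlockNAT" -InternalIPInterfaceAddressPrefix $NatPrefix | Out-Null
}
# Treat the airlock adapter as an untrusted network so the host firewall applies
# its Public profile to anything the guest sends at 192.168.100.1.
Set-NetConnectionProfile -InterfaceAlias $Alias -NetworkCategory Public

# Step 3: VM hardening. Keep Heartbeat plus Shutdown (the ShutDown stop action needs it).
Connect-VMNetworkAdapter -VMName $VMName -SwitchName $SwitchName
Get-VMIntegrationService -VMName $VMName |
    Where-Object { $_.Name -notin @("Heartbeat", "Shutdown") } |
    Disable-VMIntegrationService
Enable-VMIntegrationService -VMName $VMName -Name "Heartbeat", "Shutdown"
Set-VMHost -EnableEnhancedSessionMode $false
Set-VM -VMName $VMName -AutomaticStartAction Start -AutomaticStopAction ShutDown
# Generation 1 only: empty the diskette drive and disconnect both COM ports (Gen 2 has neither)
if ((Get-VM -Name $VMName).Generation -eq 1) {
    Set-VMFloppyDiskDrive -VMName $VMName -Path $null
    1, 2 | ForEach-Object { Set-VMComPort -VMName $VMName -Number $_ -Path "" }
}

# Step 4: extended port ACLs on the VM's switch port. There is no implicit deny,
# so every range the host can reach gets its own rule. Higher weight wins on overlap.
Get-VMNetworkAdapterExtendedAcl -VMName $VMName | Remove-VMNetworkAdapterExtendedAcl
$Blocked = @(
    $LanPrefix,        # the article's rule: the real LAN
    $HostIP,           # addition: services on the host itself (NAT still forwards, because
                       # internet-bound packets carry a different destination IP)
    "10.0.0.0/8",      # addition: other private ranges a VPN or second NIC may expose
    "172.16.0.0/12",
    "169.254.0.0/16"   # addition: link-local
)
$Weight = 100
foreach ($Prefix in $Blocked) {
    foreach ($Dir in "Outbound", "Inbound") {
        Add-VMNetworkAdapterExtendedAcl -VMName $VMName -Action Deny -Direction $Dir `
            -RemoteIPAddress $Prefix -Weight $Weight
    }
    $Weight--
}

# Verify what the host will actually enforce before trusting the airlock
Get-NetNat -Name "AirlockNAT" | Format-List Name, InternalIPInterfaceAddressPrefix, Active
Get-VMNetworkAdapterExtendedAcl -VMName $VMName |
    Sort-Object Weight -Descending |
    Format-Table Direction, Action, RemoteIPAddress, Weight -AutoSize
```

After the script runs, the ACL table should list a Deny pair (Outbound and Inbound) for each prefix; from inside the guest, a ping to 192.168.68.1 should fail while a ping to 8.8.8.8 succeeds. If New-NetNat fails because a NAT already exists (WSL 2 and Docker Desktop create their own), Get-NetNat will show it; WinNAT supports only one internal prefix per host, so the existing one has to be reused or removed.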

Commands Summary

Command                              Purpose
New-NetNat                           Creates the “one-way valve” for internet access: outbound flows from the guest are translated, nothing inbound is forwarded unless you add a static mapping.
Set-NetConnectionProfile             Marks the vEthernet adapter as a Public network so the host firewall applies its most restrictive profile to traffic from the guest.
Add-VMNetworkAdapterExtendedAcl      The “Padlock.” Drops traffic at the virtual switch port, outside the guest’s control.
shutdown /s /f /t 0                  A “Cold Shutdown” (a full shutdown even with Fast Startup enabled) so that no stale network state survives the restart.

Troubleshooting & Lessons Learned

Problem: The Guest can still ping the host’s real gateway (192.168.68.1).
The Fix: NAT forwards guest traffic to the LAN just as it does to the internet, so a successful ping means the Step 4 ACL is not in effect. First list the extended ACLs for the VM on the host (Get-VMNetworkAdapterExtendedAcl) and confirm that a Deny rule exists for the right subnet on the adapter that is actually connected to the airlock switch. If the rule is there and the ping still succeeds, go to Network Connections on the host, open the virtual switch adapter’s properties, uncheck “Bridge Driver,” and follow this with a cold restart (shutdown /s).

Problem: PowerShell says “A parameter cannot be found that matches parameter name 'DestinationAddress'.”
The Fix: Add-VMNetworkAdapterExtendedAcl has no -DestinationAddress (or -RemoteAddress) parameter. The remote end of the flow is -RemoteIPAddress for both Inbound and Outbound rules, exactly as in the Step 4 command.

Problem: The VM name has spaces.
The Fix: Always wrap the VM name in double quotes, e.g., "OMEGA GUEST 1".

The Result

You now have an isolated Ubuntu guest that can browse the web but cannot initiate traffic toward the devices on your physical network, and that those devices cannot reach: the LAN has no route to 192.168.100.0/24, and the NAT only forwards flows the guest started unless you add a static mapping. Safe testing!
