Your virtual environment has two types of networking to design and configure:
- Physical Networks – How your VMware host connects to other resources outside of the virtual environment, e.g. The Internet.
- Virtual Networks, routing, switching and interfaces – How your VMware virtual machines connect to each other, the host and non-virtual entities, e.g. The Internet.
VMware Physical Networking
In VMware Workstation, the host is a normal Windows PC/server in every sense of the word. It just happens to be running the VMware Workstation Pro application. In turn, the network interfaces of the host connect to the outside world in the normal way and are configured exactly the same. What is different is that you will see some additional virtual interfaces appear in your list of interfaces in Windows and will also see additional VMware network drivers on your physical NICs (network interface cards).
In the image below (from a Windows 10 machine running VMware Workstation Pro) you can see a “VMware NAT Interface” virtual network card for NAT that VMware has added, along with the “VMware Bridge Protocol” bridging driver that VMware has added to the ethernet interface to allow bridging connections. (N.B. If bridging ever stops working for some reason, check to see that driver is still there. If not, click “Install” and add it back in.)
The good news is that there isn’t really anything to configure for the physical side of things. Just remember that you’re hosting dangerous malware on this machine and you may want to fully isolate its traffic from the production network. In that case, look at vlan separation or physical firewall port separation so that all ingress/egress traffic for this host and its guests can be controlled by a network firewall.
VMware Virtual Networking
Types of Networking Interfaces
Within VMware there are three types of virtual networks
- NAT (Network Address Translation)
The image below shows the VMware workstation Virtual Network Editor. Note the various options available and the different types of network types to choose from.
Each virtual network interface in a virtual machine is assigned to one of these three types.
- A Bridged interfaced will place the VMware guest’s virtual network directly in the physical network. This configuration allows all devices on the physical network to communicate with the guest. There are almost no circumstances that this configuration should be used while testing an AV product or any malware. Essentially, bridging connects the guest VM directly to the ethernet/wifi network. This means that any DHCP, broadcasts or anything else that is on that network will reach the guest. Equally, the guest can connect freely to resources on the physical network.
- A NAT interface will allow access to the physical network by sharing the address of the hosting machine. This setup provides access to the Internet through the physical infrastructure. Typically, your physical device will be assigned the address of X.X.X.1 on the NAT network. This puts the host and guest on the same virtual network through virtual interfaces on the physical device. This means that the VM can only communicate out of the virtual network. The host is performing NAT and the external devices to the virtual network have no routing information back to the guest. This network configuration is best used to allow guests access to the physical network, while limiting inbound network traffic. Use NAT to “hide” your guest on a separate network behind the host. This forces all traffic “through” the host, where routing and IP address mapping will take place.
- A Host-Only or Custom Network interface will allow for communications between all devices located on that network segment. It is important to note that these devices should not have access to the Internet or physical network. To better isolate the guest, the physical device’s virtual interface can be removed from these network segments. This configuration is best used to set up a virtual network that will be isolated from the physical network. Essentially, Host Only networks make connections between virtual guests, and to the host. They are purely internal virtual environment networks. They do not provide a route out, through the host to the physical network or the Internet. They only connect VMware components together.
Choosing the Best Interface
It is strongly recommended to always test on a network that is separated from production. Host-Only or Custom Network interfaces are established if the hosting device is segmented from the production network and no Internet connectivity is necessary. Configure a NAT interface if Internet connectivity is required for testing.
For more complex and secure setups, a hybrid of the two interfaces can be used. For instance, the testing virtual machine and a virtual firewall guest such as PfSense could be placed on a Host-Only or Custom Network segment. Once this is established, configure the Firewall guest to have an additional interface attached to the NAT network. The Firewall VM should be configured to route AV test VM traffic from the Host-Only or Custom Network through to the NAT network, while strict firewall rules should be in place to ensure that traffic does not communicate with any of your physical devices.