1
<?xml version="1.0" encoding="UTF-8"?>
2
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
3
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
4
<chapter id="Security">
5
<title>Security guide</title>
8
<title>Potentially insecure operations</title>
10
<para>The following features of VirtualBox can present security
11
problems:<itemizedlist>
13
<para>Enabling 3D graphics via the Guest Additions exposes the host
14
to additional security risks; see <xref
15
linkend="guestadd-3d" />.</para>
19
<para>When teleporting a machine, the data stream through which the
20
machine's memory contents are transferred from one host to another
21
is not encrypted. A third party with access to the network through
22
which the data is transferred could therefore intercept that
27
<para>When using the VirtualBox web service to control a VirtualBox
28
host remotely, connections to the web service (through which the API
29
calls are transferred via SOAP XML) are not encrypted, but use plain
30
HTTP. This is a potential security risk! For details about the web
31
service, please see <xref linkend="VirtualBoxAPI" />.</para>
35
<para>All traffic sent over an UDP Tunnel network attachment is not
36
encrypted. You can either encrypt it on the host network level (with
37
IPsec), or use encrypted protocols in the guest network (such as
38
SSH). The security properties are similar to bridged Ethernet.</para>
40
</itemizedlist></para>
44
<title>Authentication</title>
46
<para>The following components of VirtualBox can use passwords for
47
authentication:<itemizedlist>
49
<para>When using the VirtualBox extension pack provided by Oracle
50
for VRDP remote desktop support, you can optionally use various
51
methods to configure RDP authentication. The "null" method is
52
very insecure and should be avoided in a public network.
53
See <xref linkend="vbox-auth" /> for details.</para>
57
<para>When using teleporting, passwords can optionally be used to
58
protect a machine waiting to be teleported from unauthorized access.
59
Note however that these passwords are stored <emphasis
60
role="bold">unencrypted</emphasis> in the machine configuration XML
61
and therefore potentially readable on the host. See <xref
62
linkend="teleporting" /> and <xref
63
linkend="vboxmanage-modifyvm-teleport" />.</para>
67
<para>When using remote iSCSI storage and the storage server
68
requires authentication, a password can optionally be supplied with
69
the <computeroutput>VBoxManage storageattach</computeroutput>
70
command. Note however that this is stored <emphasis
71
role="bold">unencrypted</emphasis> in the machine configuration and
72
is therefore potentially readable on the host. See <xref
73
linkend="storage-iscsi" /> and <xref
74
linkend="vboxmanage-storageattach" />.</para>
78
<para>When using the VirtualBox web service to control a VirtualBox
79
host remotely, connections to the web service are authenticated in
80
various ways. This is described in detail in the VirtualBox Software
81
Development Kit (SDK) reference; please see <xref
82
linkend="VirtualBoxAPI" />.</para>
84
</itemizedlist></para>
88
<title>Encryption</title>
90
<para>The following components of VirtualBox use encryption to protect
91
sensitive data:<itemizedlist>
93
<para>When using the VirtualBox extension pack provided by Oracle
94
for VRDP remote desktop support, RDP data can optionally be
95
encrypted. See <xref linkend="vrde-crypt" /> for details. Only
96
the Enhanced RDP Security method (RDP5.2) with TLS protocol
97
provides a secure connection. Standard RDP Security (RDP4 and
98
RDP5.1) is vulnerable to a man-in-the-middle attack.</para>
100
</itemizedlist></para>
added
removed
doc/manual/fr_FR/user_Security.xml
