Security-oriented Live CDs or virtualization tech can be used for any of these except the links between systems (e.g. guards, diodes). QubesOS lowers its attack surface by using Xen instead of a full Linux distro, albeit with risk in Dom0 & hardware attacks. That they isolate their firewall and such is a good thing. Linux or FreeBSD, more mature but with a larger attack surface, should include full usage of any hardening guides, software protections (e.g. Softbound, Control Pointer Integrity), mandatory access controls (e.g. SELinux, SMACK), device protection (e.g. IOMMU or PIO interface), and so on. Basically, use whatever the most paranoid people use, and do this in any applicable parts of QubesOS as well.
You just want these systems hardened from attack as much as possible along with ease of detection and easy recovery. The disposable part means exactly what it says: the Internet-connected computer is the target and filter of the most risky functionality. It will be toast at some point, maybe often. So, use a throwaway device for it.