Virtualization Security
- Virtualization introduces new concerns about VM isolation
- virtualization tech is designed to enforce isolation strictly
Guest OS Security
- Each guest OS must be patched and protected against malware like any other OS
- Virtualization-specific solutions for running security applications through the host or hypervisor are available
Warning
- Ordinary antivirus software installed on the host will NOT detect viruses infecting the guest OS
- Scanning the virtual disks of a guest OS from the host could cause serious performance problems
A rogue VM is one that has been installed without authorization.
- System management software can be deployed to detect rogue builds
Virtual machine sprawl (VM sprawl) uncontrolled deployment of more and more VMs.
-
a large number of unused and abandoned VM servers
-
VMs should conform to an application-specific template with the minimum configuration needed to run that application
-
Images should not be developed or stored in any sort of environment where they could be infected by malware or have any sort of malicious code inserted
-
One of the biggest concerns here is of rogue developers or contractors installing backdoors or “logic bombs” within a machine image
Host Security
- host represents a single point of failure for multiple guest OS instances
- E.g., if the host loses power, three or four guest VMs and the application services they are running will suddenly go offline
Hypervisor Security
- hypervisor must also be monitored for security vulnerabilities and exploits
Virtual machine escape (VM escape) is when malware running on a guest OS escapes the VM isolation/sandbox to another guest or to the host.
- vital to keep the hypervisor code up to date with patches for critical vulnerabilities