
How can VM configuration improve security?

Keeping your hypervisor patched is an obvious step to prevent attacks, but proper VM configuration management is also important to overall security.

How can I make my hypervisors, VMs and networks more secure?

There are just a few common practices that can help to secure the hypervisor and hosted virtual machines.

Start by always keeping the hypervisor patched with the latest version or update. For example, hypervisor developers like Xen have developed a detailed security protocol designed to guide the dissemination of, and response to, Xen security vulnerabilities. If such evaluations result in a patch, it's important for organizations to test and deploy that security patch to prevent possible attacks.

Host and guest VMs each run an operating system, so it's also vital to keep operating systems updated with the latest security patches. When every VM runs the same OS, security flaws can magnify the risk of attack or exploit, so organizations that evaluate and test patches before deploying them should expedite security patch testing in order to avoid zero-day attacks. Change management tools can be invaluable for tracking vendors and versions, sending alerts when patches are available, and ensuring that every VM's operating system is accounted for.

Antimalware tools are typically installed in a host VM running on the hypervisor -- not on every VM. This boosts system performance because you don't wind up with multiple VMs scanning for malware at the same time. But it's critical to keep any antimalware tools updated; these may include virus checkers, firewalls and intrusion detection systems. Enable automatic updates and allow the antimalware tools to perform autonomous signature or reference file updates, which may occur daily and sometimes even several times a day.

VM configurations can also be hardened against attack. Most VMs are spun up using base images called golden images. Images include the VM configuration, such as open ports, included services and so on. In many cases, the golden image is inherently insecure -- it may include unnecessary open ports. This often happens because the image was built for a certain workload and then replicated for other workloads without careful regard to the security configuration of the image. Not only can this increase the attack surface for the VM, it multiplies the risk across every VM created with that golden image. Review the golden image and check each attribute of the configuration -- it may be necessary to create a new hardened golden image for subsequent VMs. At the same time, it may also be necessary to review the configuration of running VMs and manually tighten each one.

VM configuration management doesn't stop once a new instance is cloned. Each VM's configuration should be monitored and managed throughout the entire lifecycle. Virtualization-aware tools like SolarWinds, Puppet and many others can help to control VM configurations in order to maintain the most secure posture. Tools should also be able to compile logs and alert administrators when configuration changes are detected.
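
The review described in the last two paragraphs, as an added Python example (not from the original article or from any of the tools named): it compares each running VM against a hardened baseline and separates exposure inherited from the golden image, which calls for rebuilding the image, from drift introduced after cloning. The baseline, image manifests, VM inventory and all names are constructed for illustration.

```python
from collections import defaultdict

# Hypothetical hardened baseline: what each workload role may expose.
BASELINE = {
    "web": {"ports": {22, 443}, "services": {"sshd", "nginx"}},
    "db": {"ports": {22, 5432}, "services": {"sshd", "postgresql"}},
}

# Constructed golden image manifests (what each image ships with).
IMAGES = {
    "gold-web-v1": {"ports": {22, 80, 111, 443}, "services": {"sshd", "nginx", "rpcbind"}},
    "gold-db-v2": {"ports": {22, 5432}, "services": {"sshd", "postgresql"}},
}

# Constructed inventory of running VMs, as a configuration tool might report it.
VMS = [
    {"name": "web-01", "role": "web", "image": "gold-web-v1",
     "ports": {22, 80, 111, 443}, "services": {"sshd", "nginx", "rpcbind"}},
    {"name": "web-02", "role": "web", "image": "gold-web-v1",
     "ports": {22, 80, 111, 443, 8080}, "services": {"sshd", "nginx", "rpcbind"}},
    {"name": "db-01", "role": "db", "image": "gold-db-v2",
     "ports": {22, 23, 5432}, "services": {"sshd", "postgresql", "telnetd"}},
]

def audit(vms, images, baseline):
    """Split exposure beyond the baseline into image defects and per-VM drift."""
    image_defects = defaultdict(lambda: {"ports": set(), "services": set(), "vms": set()})
    vm_drift = {}
    for vm in vms:
        allowed, shipped = baseline[vm["role"]], images[vm["image"]]
        for kind in ("ports", "services"):
            extra = vm[kind] - allowed[kind]    # anything beyond the baseline
            inherited = extra & shipped[kind]   # shipped in the golden image
            local = extra - shipped[kind]       # changed after the VM was cloned
            if inherited:
                image_defects[vm["image"]][kind] |= inherited
                image_defects[vm["image"]]["vms"].add(vm["name"])
            if local:
                entry = vm_drift.setdefault(vm["name"], {"ports": set(), "services": set()})
                entry[kind] |= local
    return dict(image_defects), vm_drift

if __name__ == "__main__":
    defects, drift = audit(VMS, IMAGES, BASELINE)
    for image, d in defects.items():
        print(f"rebuild {image}: ports {sorted(d['ports'])}, "
              f"services {sorted(d['services'])}, affects {sorted(d['vms'])}")
    for name, d in drift.items():
        print(f"drift on {name}: ports {sorted(d['ports'])}, services {sorted(d['services'])}")
```

An image defect is reported once with every clone it affects, while drift is reported per VM, matching the two remediation paths: harden the image for future VMs and tighten the running ones individually.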


This was last published in May 2016
