How can I make my hypervisors, VMs and networks more secure?
There are just a few common practices that can help to secure the hypervisor and hosted virtual machines.
Start by always keeping the hypervisor patched with the latest version or update. For example, hypervisor projects like Xen have developed a detailed security protocol designed to guide the dissemination of, and response to, Xen security vulnerabilities. When that process results in a patch, it's important for organizations to test and deploy the patch to prevent possible attacks.
Host and guest VMs each run an operating system, so it's also vital to keep operating systems updated with the latest security patches. When every VM runs the same OS, a security flaw in that OS is present on every VM, which magnifies the risk of attack or exploit. Organizations that evaluate and test patches before deployment should expedite security patch testing in order to avoid zero-day attacks. Change management tools can be invaluable for tracking vendors and versions, sending alerts when patches are available, and ensuring that every VM's operating system is accounted for.
Antimalware tools are typically installed in a host VM running on the hypervisor -- not on every VM. This boosts system performance because you don't wind up with multiple VMs scanning for malware at the same time. But it's critical to keep any antimalware tools updated; these may include virus checkers, firewalls and intrusion detection systems. Enable automatic updates and allow the antimalware tools to perform autonomous signature or reference file updates, which may occur daily or even several times a day.
VM configurations can also be hardened against attack. Most VMs are spun up using base images called golden images. Images include the VM configuration, such as open ports, included services and so on. In many cases, the golden image is inherently insecure -- it may include unnecessary open ports. This often happens because the image was created for a certain workload and is then replicated for other workloads without careful regard to the security configuration of the image. Not only does this increase the attack surface for the VM, it multiplies the risk across every VM created with that golden image. Review the golden image and check each attribute of the configuration -- it may be necessary to create a new hardened golden image for subsequent VMs. At the same time, it may also be necessary to review running VMs and manually tighten each configuration.
VM configuration management doesn't stop once a new instance is cloned. Each VM's configuration should be monitored and managed throughout the entire lifecycle. Virtualization-aware tools like SolarWinds, Puppet and many others can help to control VM configurations in order to maintain the most secure posture. Tools should also be able to compile logs and alert administrators when configuration changes are detected.
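The golden-image review and the ongoing configuration monitoring described above can be combined into one check. The following is an added example, not code from the article or from any tool it names: the baseline, VM names, ports and services are constructed sample data, and it separates weaknesses inherited from the image (present on every clone) from drift on individual VMs.

```python
# Added example: constructed data; no real hosts are contacted.
from collections import Counter

# Assumed hardened baseline for the golden image (hypothetical values).
BASELINE = {
    "ports": {22, 443},
    "services": {"sshd", "nginx", "auditd"},
}

# Constructed inventory: what each cloned VM actually exposes.
INVENTORY = {
    "web-01": {"ports": {22, 443, 111}, "services": {"sshd", "nginx", "auditd", "rpcbind"}},
    "web-02": {"ports": {22, 443, 111, 8080}, "services": {"sshd", "nginx", "auditd", "rpcbind"}},
    "web-03": {"ports": {22, 443, 111}, "services": {"sshd", "nginx", "rpcbind"}},
}

def audit_vm(observed, baseline=BASELINE):
    """Return extra and missing items for one VM relative to the baseline."""
    return {
        "extra_ports": sorted(observed["ports"] - baseline["ports"]),
        "extra_services": sorted(observed["services"] - baseline["services"]),
        "missing_services": sorted(baseline["services"] - observed["services"]),
    }

def audit_fleet(inventory, baseline=BASELINE):
    """Split findings into image-level (present on every VM) and per-VM drift."""
    reports = {name: audit_vm(obs, baseline) for name, obs in inventory.items()}
    port_counts = Counter(p for r in reports.values() for p in r["extra_ports"])
    # An extra port on every clone points at the golden image itself.
    image_level = sorted(p for p, n in port_counts.items() if n == len(inventory))
    per_vm = {}
    for name, r in reports.items():
        drift = [p for p in r["extra_ports"] if p not in image_level]
        if drift or r["missing_services"]:
            per_vm[name] = {"extra_ports": drift, "missing_services": r["missing_services"]}
    return {"image_level_ports": image_level, "per_vm_drift": per_vm}

if __name__ == "__main__":
    result = audit_fleet(INVENTORY)
    print("Fix in golden image:", result["image_level_ports"])
    for vm, drift in result["per_vm_drift"].items():
        print(f"ALERT {vm}: {drift}")
```

Image-level findings call for rebuilding the golden image, while per-VM findings are the configuration changes an administrator should be alerted to.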