What are the different security requirements for hosted and bare-metal hypervisors?
You deploy a hypervisor on a physical platform in one of two ways -- either directly on top of the system hardware, or on top of the host's operating system. With the former method, the hypervisor effectively acts as the OS, and you launch and manage virtual machines and their guest operating systems from the hypervisor. Oracle VM Server, Citrix XenServer, VMware ESXi and Microsoft Hyper-V are all examples of Type 1 or bare-metal hypervisors. With the latter method, the hypervisor runs as an application on the host OS, and you manage guest VMs through that application. VMware Workstation and Oracle VirtualBox are examples of Type 2 or hosted hypervisors.
Server OSes, such as Windows Server 2012, tend to be large and complex software products that require frequent security patching. Type 2 hypervisors are essentially treated as applications because they install on top of a server's OS, and are thus subject to any vulnerability that might exist in the underlying OS. A missed patch or update could expose the OS, hypervisor and VMs to attack. By comparison, Type 1 hypervisors form the only interface between the server hardware and the VMs. Bare-metal hypervisors tend to be much smaller than full-blown operating systems, which means they can be coded more efficiently and present a smaller attack surface.
Type 2 hypervisors also require a means to share folders, clipboards and other user information between the host and guest OSes. Sharing data increases the risk of hacking and spreading malicious code, so VMs demand a certain level of trust from Type 2 hypervisors. In contrast, Type 1 hypervisors simply provide an abstraction layer between the hardware and VMs. Because there is neither an underlying OS nor any need to share user data between guest and host, native VM security is higher. Type 1 hypervisors impose strict isolation between VMs, and are better suited to production environments where VMs might be subjected to attack.
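The host-to-guest sharing channels described above (shared folders, clipboard, drag and drop) are per-VM settings on a hosted hypervisor, so a defender can audit them. The following is an added example, not code from the article or from VirtualBox: it parses text in the `key="value"` format that `VBoxManage showvminfo <vm> --machinereadable` prints and flags any VM whose sharing channels are open. The key names (`clipboard`, `draganddrop`, `SharedFolderNameMachineMapping<N>`, `SharedFolderPathMachineMapping<N>`) are the ones I know from that output; the sample text itself is constructed for illustration.

```python
"""Audit a hosted (Type 2) hypervisor VM for host/guest data-sharing channels.

Added example: reads the key="value" lines of `VBoxManage showvminfo --machinereadable`
and reports clipboard sharing, drag and drop, and shared folders that are enabled.
"""
import re
from typing import Dict, List

# Constructed sample output (not captured from a real host). Key names are assumed
# to match VBoxManage's machinereadable format.
SAMPLE_VMINFO = """name="finance-test"
clipboard="bidirectional"
draganddrop="hosttoguest"
SharedFolderNameMachineMapping1="payroll"
SharedFolderPathMachineMapping1="/home/analyst/payroll"
"""

_SHARED_FOLDER_RE = re.compile(r"^SharedFolderNameMachineMapping(\d+)$")


def parse_vminfo(text: str) -> Dict[str, str]:
    """Turn key="value" lines into a dict; values may be quoted or bare."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue  # skip blank or malformed lines
        settings[key.strip()] = value.strip().strip('"')
    return settings


def audit_sharing(settings: Dict[str, str]) -> List[str]:
    """Return one finding per open host/guest sharing channel (empty list = clean)."""
    findings: List[str] = []
    # Treat a missing key as "disabled" so that a minimal dump is not over-reported.
    clipboard = settings.get("clipboard", "disabled")
    if clipboard != "disabled":
        findings.append(f"clipboard sharing is '{clipboard}'; set it to disabled")
    dnd = settings.get("draganddrop", "disabled")
    if dnd != "disabled":
        findings.append(f"drag and drop is '{dnd}'; set it to disabled")
    for key in sorted(settings):
        m = _SHARED_FOLDER_RE.match(key)
        if m:
            path = settings.get(f"SharedFolderPathMachineMapping{m.group(1)}", "<unknown>")
            findings.append(
                f"shared folder '{settings[key]}' exposes host path {path} to the guest"
            )
    return findings


def audit_text(text: str) -> List[str]:
    """Convenience wrapper: parse then audit."""
    return audit_sharing(parse_vminfo(text))


if __name__ == "__main__":
    vm = parse_vminfo(SAMPLE_VMINFO)
    print(f"VM {vm.get('name', '?')}:")
    for finding in audit_sharing(vm) or ["no host/guest sharing channels enabled"]:
        print("  -", finding)
```

In practice you would feed the script the real `showvminfo` output for each VM listed by `VBoxManage list vms` and treat any finding on a VM that handles untrusted content as something to close before the VM goes into use. The same idea applies to other hosted hypervisors; only the setting names change.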
Hosted hypervisors also tend to allocate computing resources inefficiently, because resource management is one of the principal jobs of the underlying OS rather than of the hypervisor. Because Type 2 hypervisors run on top of OSes, the underlying OS can impair the hypervisor's ability to abstract, allocate and optimize VM resources. Bare-metal hypervisors, on the other hand, control hardware resources directly and prevent any VM from monopolizing the system's resources. Though not as much of a security concern as malware or hacking, proper resource management benefits the server's stability and performance by preventing the system from crashing, which can itself amount to a denial-of-service attack.