By Colin Steele, Senior Site Editor
To build and maintain a secure virtual environment, you have to go above and beyond traditional security measures.
If a host is attacked, it can expose multiple VMs.
Secure virtualization involves not only the virtual infrastructure -- storage, networking and so on -- but also the virtual machines (VMs) and applications running within. Some traditional security technologies may suffice to secure a virtual environment. But others, such as antivirus software, can cause major headaches when applied to VMs.
Let's go over some frequently asked questions about secure virtualization. For more information on building and maintaining a secure virtual environment, check out these best practices for server virtualization security.
How should I handle patch management in my virtual infrastructure?
Patching your virtual host servers is an important part of maintaining a secure virtual environment. First, you need to know where to find the appropriate patches. This task used to be a challenge, but now all the major virtualization vendors make host server patches readily available on their websites.
Once that's taken care of, coordination is key, because server patch management in a virtual infrastructure affects multiple systems. If a certain patch requires a reboot or shutdown, for example, you have to account for this downtime. In these situations, one way to prevent application downtime is to use clusters. With a cluster, you can move a VM off a host when it needs patching.
Why aren't traditional security measures enough to protect VMs?
Virtualization creates an additional layer inside an IT infrastructure. Security software designed for physical environments can't see what's going on in this layer, which leaves it vulnerable. Therefore, virtual machine security requires additional technologies designed specifically to protect and monitor this layer. Secure virtualization also requires strong protection on the network; if a host server is attacked, it can expose multiple VMs.
How can I stop antivirus scans from dragging down my virtual infrastructure performance?
When it comes to secure virtualization, antivirus scans are crucial. But they consume a lot of resources, and if multiple VMs run them concurrently, they can bring the host to a standstill. As a result, some admins just stop running scans on their VMs altogether.
Don't just give up on running scans. There are several ways to reduce the performance hit from antivirus scans. For example, there are some directories, file extensions and processes that don't need to be scanned, so add them to the exclusion list. You should also schedule scans for a time when hosts use as few resources as possible, and choose antivirus software that uses as little memory and CPU as possible.
What are some tips for maintaining a secure virtual environment running Microsoft Hyper-V?
There are several security best practices for Hyper-V. When it comes to network protection, place the management functions on a separate physical network, which makes the virtual hosts less vulnerable. The virtual hard disks are protected by default, but if you store them in a different location, make sure that folder has the appropriate permissions as well. And group similar VM workloads together on separate hosts, so that vulnerabilities in basic applications don't expose tier-one apps to attack.
This was first published in September 2010