Focus on hypervisor security to keep your virtual data center safe

Maintaining hypervisor security is a high priority in any data center because a single host server might handle dozens of virtualized workloads. A security breach against a single host could result in a major outage. Unfortunately, there is no such thing as a single, comprehensive security solution guaranteed to keep your data center secure. Good hypervisor security takes a multi-pronged approach, and there are a number of different things that you should do to keep your virtual server environment secure.

Reduce the host's attack surface

One of the first steps to take to secure your virtual data center should be to reduce the attack surface of your hosts. This is especially important in Hyper-V environments because Hyper-V is often installed as a role on a Windows server. If your virtualization hosts do make use of a host operating system, then the operating system should not contain any unnecessary roles, features or applications. The host operating system should be dedicated solely to running Hyper-V and critical infrastructure components such as antivirus software or backup agents.

Another thing you can do to improve hypervisor security is to avoid joining the operating system to a production domain. Instead, create a special management domain in a dedicated Active Directory forest for the sole purpose of managing your virtualization hosts. This type of domain allows you to use management products that require domain membership, but you will not have to worry about exposing your production domain if a host server is compromised. Incidentally, it is a good idea to use physical domain controllers for the virtualization host management domain.

It's best to avoid using a host operating system if possible, but if you have a compelling reason to use one, then Microsoft recommends using a Server Core deployment because of its small attack surface. It also recommends you use a dedicated physical network adapter for the host operating system so that management traffic is isolated from virtual machine (VM) traffic.
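The host-hardening points in this section (no unnecessary roles, membership in a management domain only, Server Core, a dedicated management adapter) can be checked with a short script. This is an added example, not part of the original tip; the role allowlist and the management domain name are assumptions to replace with your own baseline.

```powershell
# Added example: audit a Hyper-V host against the hardening points above.
Import-Module ServerManager
Import-Module Hyper-V

$AllowedRoles     = @('Hyper-V', 'FileAndStorage-Services')  # assumption: your baseline
$ManagementDomain = 'mgmt.example.internal'                  # hypothetical placeholder

$findings = @()

# 1. Roles installed beyond what a dedicated virtualization host needs.
$extraRoles = Get-WindowsFeature | Where-Object {
    $_.Installed -and $_.FeatureType -eq 'Role' -and $AllowedRoles -notcontains $_.Name
}
foreach ($role in $extraRoles) {
    $findings += "Unexpected role installed: $($role.Name) ($($role.DisplayName))"
}

# 2. Domain membership: the host should not sit in the production domain.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain -and $cs.Domain -ne $ManagementDomain) {
    $findings += "Host is joined to '$($cs.Domain)', expected '$ManagementDomain'"
}

# 3. Installation type: Server Core has the smaller attack surface.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$installType = (Get-ItemProperty -Path $key).InstallationType
if ($installType -ne 'Server Core') {
    $findings += "Installation type is '$installType', not Server Core"
}

# 4. Management traffic: an external switch that the management OS also
#    uses means host management shares an adapter with VM traffic.
$shared = Get-VMSwitch -SwitchType External | Where-Object { $_.AllowManagementOS }
foreach ($sw in $shared) {
    $findings += "Management OS shares external switch '$($sw.Name)' with VMs"
}

if ($findings.Count -eq 0) { 'Host matches the baseline.' } else { $findings }
```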

Consider virtual firewalls for hypervisor security

Making use of virtual and software firewalls can also help ensure hypervisor security. In most hypervisors, the VMs do not communicate directly with the physical network. Instead, VMs connect to a virtual switch, which connects to a physical network adapter. In this type of architecture, every VM that shares a physical network adapter also shares a common virtual switch. This means that if two VMs need to communicate with one another, the packets do not necessarily have to traverse the physical network.

If the two VMs share a common virtual switch, then the traffic may flow directly from one VM to another without ever passing through the physical network, and hardware firewalls never have a chance to inspect the packets. The best way to overcome this deficiency is to create virtual firewalls (if such a feature exists in your virtualization platform) or to install software firewalls on all of your VMs.
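To see where that blind spot exists on a Hyper-V host, the following added example (not part of the original tip) lists every virtual switch and VLAN segment that carries more than one VM. Adapters in trunk or other non-access modes are grouped under a single label, which is a simplification made for this example.

```powershell
# Added example: find VMs that can reach each other on a virtual switch
# without their traffic ever crossing the physical network.
Import-Module Hyper-V

$segments = foreach ($vm in Get-VM) {
    foreach ($nic in Get-VMNetworkAdapter -VM $vm) {
        if (-not $nic.SwitchName) { continue }   # adapter is not connected

        # Two adapters are layer-2 neighbours only when they share both
        # the virtual switch and the VLAN.
        $vlan   = Get-VMNetworkAdapterVlan -VMNetworkAdapter $nic
        $vlanId = if ($vlan.OperationMode -eq 'Access') {
            $vlan.AccessVlanId
        } else {
            'untagged/other'                     # simplification for this example
        }

        [pscustomobject]@{
            Segment = "$($nic.SwitchName) / VLAN $vlanId"
            VM      = $vm.Name
        }
    }
}

# Report only segments shared by two or more distinct VMs.
$segments | Group-Object -Property Segment | ForEach-Object {
    $vms = @($_.Group.VM | Sort-Object -Unique)
    if ($vms.Count -gt 1) {
        [pscustomobject]@{
            Segment = $_.Name
            VMs     = $vms -join ', '
        }
    }
}
```

Each reported segment is a place where a virtual firewall or per-VM software firewall is the only inspection point between the listed VMs.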

Control your resources to prevent denial-of-service attacks

One of the biggest threats to hypervisor security is denial-of-service attacks. In a virtual server environment, several VMs share a finite pool of hardware resources on a host server. If any one of these VMs consumes excessive hardware resources, then the other VMs may not be able to function properly. For this reason, it is relatively easy for an attacker to cause a major outage by running a DoS attack against a single virtual server.

The way to protect your virtualized environment against such an attack is to put controls in place that prevent any single VM from consuming an excessive amount of physical hardware resources. Although administrators commonly put such controls in place for memory consumption, they often neglect to put similar controls in place for other hardware resources.

The actual controls an administrator can use vary considerably from one hypervisor to another. However, most hypervisors will allow you to limit the amount of memory and CPU time that a VM can consume.
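On Hyper-V, the missing limits can be found with an audit like the one below. This is an added example, not part of the original tip; the 75 percent CPU ceiling is an assumed policy value, and the check also covers network bandwidth as one of the resources that tends to be left uncapped.

```powershell
# Added example: report VMs that have no effective cap on CPU, memory
# or network bandwidth.
Import-Module Hyper-V

$MaxCpuPercent = 75                           # assumed policy value
$hostMemory    = (Get-VMHost).MemoryCapacity  # physical memory in bytes

foreach ($vm in Get-VM) {
    $issues = @()

    # CPU: Maximum is the percentage of its virtual processors the VM may use.
    $cpu = Get-VMProcessor -VM $vm
    if ($cpu.Maximum -gt $MaxCpuPercent) {
        $issues += "CPU limit is $($cpu.Maximum)% across $($cpu.Count) vCPU(s)"
    }

    # Memory: a static allocation is capped by definition; dynamic memory
    # is only capped if its maximum is below what the host physically has.
    $mem = Get-VMMemory -VM $vm
    if ($mem.DynamicMemoryEnabled -and $mem.Maximum -ge $hostMemory) {
        $issues += 'Dynamic memory maximum is not below host physical memory'
    }

    # Network: a missing or zero maximum bandwidth means no limit is set.
    foreach ($nic in Get-VMNetworkAdapter -VM $vm) {
        $bw = $nic.BandwidthSetting
        if (-not $bw -or -not $bw.MaximumBandwidth) {
            $issues += "Adapter '$($nic.Name)' has no maximum bandwidth"
        }
    }

    if ($issues) {
        [pscustomobject]@{ VM = $vm.Name; Issues = $issues -join '; ' }
    }
}
```

The corresponding limits are set with `Set-VMProcessor -Maximum`, `Set-VMMemory -MaximumBytes` and `Set-VMNetworkAdapter -MaximumBandwidth`.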

For the most part, securing a virtual data center is like securing a physical data center. Most of the security best practices that apply to physical environments are valid in virtual environments as well. There are, however, some additional precautions that an administrator should take to maintain hypervisor security, especially if host operating systems are used on virtualization hosts.

This was first published in January 2013
