Today's hypervisors are an area where ubiquity is a good and a bad thing. Yet many IT professionals extol hypervisors' positives without acknowledging their hidden dangers. This tip outlines some of the security vulnerabilities created by a hypervisor's single point of failure and how you can protect your virtual machines.Hypervisors' single point of failure
A hypervisor in virtualization technologies such as Hyper-V creates a uniform surface to which you can attach virtual machines (VMs). Whether you install Hyper-V to a Dell server, an HP server or a white box that you built out of old parts and duct tape, the upward-facing surface of its hypervisor looks the same to every virtual machine. In any "enlightened" -- that is, virtualization-aware virtual machine -- VM's device manager, you'll see the Microsoft Virtual Machine Bus Video Device as the driver to power its display, while the Microsoft Virtual Machine Bus Network Adapter always handles networking. Yet that same uniform appearance for virtual machines has a downside. If an environment runs each of its VMs on top of the same piece of hypervisor code, it's dependent on that code's
This is the nightmare scenario for a virtualization environment. One day, 60 virtual machines merrily perform their assigned tasks across their Hyper-V hosts. But later that afternoon, somebody visits the wrong website or reads the wrong email and inadvertently launches an attack on every hypervisor. In a best-case scenario, the hypervisor itself merely crashes, taking down the 60 VMs but preserving their state. In a worst-case scenario, the skillful malware author would code the exploit's payload to corrupt VM disk files before invoking the crash. The result would be an immediate loss of IT services, followed by a lengthy restore from long-term backups.
Either scenario can occur because the hypervisor creates a distributed single point of failure. It is for this reason (among others) that Microsoft requires hardware data execution prevention as a prerequisite for Hyper-V installation. Hyper-V hosts and their residing virtual machines must be patched diligently. Microsoft will release updates for Hyper-V by making these updates available through Microsoft Update and Windows Server Update Services (WSUS).
Because of its position in the system stack, any installation of a hypervisor update is likely to require a system reboot or a short outage of virtual machines that reside on the host. A high-availability infrastructure is critical for all but the smallest of environments. When an entire environment resides on top of a potential target for malware attacks, running virtual machines must be able to relocate at any time to quickly patch their Hyper-V host.
Adding a few extra layers of protection to Hyper-V hosts is also a good idea. Enabling the Windows Firewall with Advanced Security on Hyper-V hosts and locking down their configuration inhibits the potential spread of malware. Regular backups for VMs also ease recovery from a zero-day attack. Segregate Hyper-V host networking from virtual machine networking (and from iSCSI traffic) to provide a logical separation of traffic for further tightening of security. Finally, review Microsoft's monthly patches to look for those that may relate to Hyper-V.
Since this problem isn't limited to Hyper-V. Any virtual platform that uses a hypervisor has single point of failure -- neither should your solutions. To that end, the next article in this series discusses how networking is affected by a move to virtualization. Hyper-V virtual networks are much different beasts from any physical network.
About the author
This was first published in September 2009