kantver - Fotolia

How can VM configuration improve security?

Keeping your hypervisor patched is an obvious step to prevent attacks, but proper VM configuration management is also important to overall security.

How can I make my hypervisors, VMs and networks more secure?

There are just a few common practices that can help to secure the hypervisor and hosted virtual machines.

Start by always keeping the hypervisor patched with the latest version or update. For example, hypervisor developers like Xen have developed a detailed security protocol designed to guide the dissemination and response to Xen security vulnerabilities. If such evaluations result in a patch, it's important for organizations to test and deploy these security patches to prevent possible attacks.

Host and guest VMs each run an operating system, so it's also vital to keep operating systems updated with the latest security patches. When every VM runs the same OS, security flaws can magnify the risk of attack or exploit, so organizations that first evaluate and test patches should expedite security patch testing in order to avoid zero-day attacks. Change management tools can be invaluable for tracking vendors and versions, sending alerts when patches are available, and ensuring that every VM's operating system is accounted for.

Antimalware tools are typically installed in a host VM running on the hypervisor -- not on every VM. This boosts system performance because you don't wind up with multiple VMs scanning for malware at the same time. But it's critical to keep any antimalware tools updated; these may include virus checkers, firewalls and intrusion detection systems. Enable automatic updates and allow the antimalware tools to perform autonomous signature or reference file updates -- these may occur on a daily basis -- sometimes even several times a day.

VM configurations can also be hardened against attack. Most VMs are spun up using base images called golden images. Images include the VM configuration, such as open ports, included services and so on. In many cases, the gold image is inherently unsecure -- it may include unnecessary open ports. This often happens because the image arises in response to a certain workload which is replicated for other workloads without careful regard to the security configuration of the image. Not only can this increase the attack surface for the VM, it multiplies the risk across every VM created with that gold image. Review the gold image and check each attribute of the configuration -- it may be necessary to create a new hardened golden image for subsequent VMs. At the same time, it may also be necessary to review and adjust the configuration for running VMs to manually tighten each configuration.

VM configuration management doesn't stop once a new instance is cloned. Each VM's configuration should be monitored and managed throughout the entire lifecycle. Virtualization-aware tools like SolarWinds, Puppet and many others can help to control VM configurations in order to maintain the most secure posture. Tools should also be able to compile logs and alert administrators when configuration changes are detected.

Next Steps

Best practices for improving VM security

Securing VMs is still a dark art

Moving beyond traditional VM security practices

Dig Deeper on Server virtualization risks and monitoring