What are the different security requirements for hosted and bare-metal hypervisors?
You deploy a hypervisor on a physical platform in one of two ways -- either directly on top of the system hardware, or on top of the host's operating system. With the former method, the hypervisor effectively acts as the OS, and you launch and manage virtual machines and their guest operating systems from the hypervisor. Oracle VM Server, Citrix XenServer, VMware ESXi and Microsoft Hyper-V are all examples of Type 1 or bare-metal hypervisors. With the latter method, you manage guest VMs from the hypervisor. VMware Workstation and Oracle VirtualBox are examples of Type 2 or hosted hypervisors.
Read more on Type 1 and Type 2 hypervisor security
Assessing the vulnerability of your hypervisor
Virtual networking and hypervisor security concerns
Five tips for a more secure VMware hypervisor
Server OSes, such as Windows Server 2012, tend to be large and complex software products that require frequent security patching. Type 2 hypervisors are essentially treated as applications because they install on top of a server's OS, and are thus subject to any vulnerability that might exist in the underlying OS. A missed patch or update could expose the OS, hypervisor and VMs to attack. By comparison, Type 1 hypervisors form the only interface between the server hardware and the VMs. Bare-metal hypervisors tend to be much smaller than full-blown operating systems, which means you can efficiently code them and face a smaller security risk.
Type 2 hypervisors also require a means to share folders, clipboards and other user information between the host and guest OSes. Sharing data increases the risk of hacking and spreading malicious code, so VMs demand a certain level of trust from Type 2 hypervisors. In contrast, Type 1 hypervisors simply provide an abstraction layer between the hardware and VMs. The absence of an underlying OS, or the need to share user data between guest and host OS versions, increases native VM security. Type 1 hypervisors impose strict isolation between VMs, and are better suited to production environments where VMs might be subjected to attack.
Hosted hypervisors also tend to inefficiently allocate computing resources, but one principal purpose of an OS is resource management. Because Type 2 hypervisors run on top of OSes, the underlying OS can impair the hypervisor's ability to abstract, allocate and optimize VM resources. Bare-metal hypervisors, on the other hand, control hardware resources directly and prevent any VM from monopolizing the system's resources. Though not as much of a security concern as malware or hacking, proper resource management benefits the server's stability and performance by preventing the system from crashing, which may be considered an attack.
Dig Deeper on Virtualization security and patch management
Related Q&A from Stephen J. Bigelow
Microsoft Hyper-V on Windows comes with advanced protection schemes, including several virtualization-based security features the company introduced ... Continue Reading
The BitLocker encryption technology continues to evolve from its roots as a Windows Vista feature to protect resources both in the local data center ... Continue Reading
Some enterprises avoid the public cloud due to its multi-tenant nature and data security concerns. Learn what data separation is and how it can keep ... Continue Reading