What are the different security requirements for hosted and bare-metal hypervisors?
You deploy a hypervisor on a physical platform in one of two ways -- either directly on top of the system hardware, or on top of the host's operating system. With the former method, the hypervisor effectively acts as the OS, and you launch and manage virtual machines and their guest operating systems from the hypervisor. Oracle VM Server, Citrix XenServer, VMware ESXi and Microsoft Hyper-V are all examples of Type 1 or bare-metal hypervisors. With the latter method, you manage guest VMs from the hypervisor. VMware Workstation and Oracle VirtualBox are examples of Type 2 or hosted hypervisors.
Read more on Type 1 and Type 2 hypervisor security
Assessing the vulnerability of your hypervisor
Virtual networking and hypervisor security concerns
Five tips for a more secure VMware hypervisor
Server OSes, such as Windows Server 2012, tend to be large and complex software products that require frequent security patching. Type 2 hypervisors are essentially treated as applications because they install on top of a server's OS, and are thus subject to any vulnerability that might exist in the underlying OS. A missed patch or update could expose the OS, hypervisor and VMs to attack. By comparison, Type 1 hypervisors form the only interface between the server hardware and the VMs. Bare-metal hypervisors tend to be much smaller than full-blown operating systems, which means you can efficiently code them and face a smaller security risk.
Type 2 hypervisors also require a means to share folders, clipboards and other user information between the host and guest OSes. Sharing data increases the risk of hacking and spreading malicious code, so VMs demand a certain level of trust from Type 2 hypervisors. In contrast, Type 1 hypervisors simply provide an abstraction layer between the hardware and VMs. The absence of an underlying OS, or the need to share user data between guest and host OS versions, increases native VM security. Type 1 hypervisors impose strict isolation between VMs, and are better suited to production environments where VMs might be subjected to attack.
Hosted hypervisors also tend to inefficiently allocate computing resources, but one principal purpose of an OS is resource management. Because Type 2 hypervisors run on top of OSes, the underlying OS can impair the hypervisor's ability to abstract, allocate and optimize VM resources. Bare-metal hypervisors, on the other hand, control hardware resources directly and prevent any VM from monopolizing the system's resources. Though not as much of a security concern as malware or hacking, proper resource management benefits the server's stability and performance by preventing the system from crashing, which may be considered an attack.
Dig Deeper on Virtualization security and patch management
Related Q&A from Stephen J. Bigelow
Full virtualization and paravirtualization both enable hardware resource abstraction, but the two technologies differ when it comes to isolation ... Continue Reading
Organizations can cap their hyper-converged infrastructure costs when they deploy the Azure Stack HCI platform, but once they plug into the cloud, ... Continue Reading
You can implement ESXi on ARM -- or other RISC processors -- in micro and nano data centers. A nano data center is more specialized but also more ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.