Thanks to Forrester Research’s recent surveys, we know that over 50% of IT organizations currently use virtualization or are running pilot programs with it. What we should know more about is both the security benefits of virtualization and the best practices for securing those virtual servers.

Note: In this article, a Virtualization Server (VS) is the machine that Virtual Machines (VMs) are virtualized on. A VM can be anything that runs in a virtual container: desktops, servers, appliances, etc.

Security Benefits of Virtualization

The security benefits of running VSes are many, including:

  • Isolation – Running an OS in a VM helps secure it from other apps. You can give each application its own OS container, which keeps bad things that happen to an individual VM from spreading to others
  • Rollback – Experienced sysadmins know how important it is to be able to roll back changes that don’t work. Getting the system to a previous stable state is paramount for production machines, and VMs, being software only, are much easier to roll back
  • Abstraction – VMs have limited access to the physical hardware, the drivers are easier to manage, and there is less chance of physical issues with a VM than with an OS that runs directly on the hardware
  • Portability – The ease with which you can take a running VM and either migrate it to a new VS or get it up and running on another server can make the difference for disaster recovery. With the ability to virtualize the OS and data, it’s much easier to swap out to replacement machines, making patch testing and upgrading much easier too
  • Deployment – Deploying instances of individual servers is 10x easier with VM technologies; physical machine deployments are much more dependent on the physical hardware. Individual machine and OS security settings on the VS are important to the security of each VM instance, as is the ability to surround the VMs with appropriate security from the VS (such as using AppArmor to wrap a VM, allowing only a set number of functions)

Security Drawbacks of Virtualization

The chief security drawback of virtualization is anything that could affect the functioning of the VS, which includes any applications, services or activities that might negatively affect the VS’s ability to provide services to and properly host its VMs. You would not believe the things we have seen running on VS hardware: everything from BitTorrent to MP3 Shoutcast radio stations to very intensive file and print sharing.

It’s important to pare down the VS’s processes to the bare minimum: remove or disable every daemon that is not needed, using chkconfig or the YaST Runlevel Editor. The typical VS might have up to 100 running daemons in runlevels 3 and 5, most of which are not necessary. Running the VS in runlevel 3 (no X started by default) will save a number of MB of RAM, and decrease the load on the CPU for graphical tasks.
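
One way to see what is enabled in runlevels 3 and 5 before disabling anything, as an added example that is not part of the original article: the script below parses `chkconfig --list` output and reports every service that is on in either runlevel and is not on an allowlist. The allowlist contents and the sample output are constructed assumptions; adjust them to what your VS actually needs.

```shell
#!/bin/sh
# Audit `chkconfig --list` output for a virtualization server (VS).
# Real use:  chkconfig --list | audit_daemons
# Then disable each unneeded service with:  chkconfig <service> off

# Hypothetical allowlist of services a minimal VS keeps (assumption).
ALLOWLIST="sshd network syslog ntp cron"

# Constructed sample of `chkconfig --list` output (not from a real host).
sample_chkconfig() {
cat <<'EOF'
sshd        0:off  1:off  2:off  3:on   4:off  5:on   6:off
network     0:off  1:off  2:on   3:on   4:off  5:on   6:off
syslog      0:off  1:off  2:on   3:on   4:off  5:on   6:off
cups        0:off  1:off  2:on   3:on   4:off  5:on   6:off
nfsserver   0:off  1:off  2:off  3:on   4:off  5:on   6:off
xdm         0:off  1:off  2:off  3:off  4:off  5:on   6:off
smb         0:off  1:off  2:off  3:off  4:off  5:off  6:off
xinetd based services:
        chargen:            off
EOF
}

# Reads `chkconfig --list` lines on stdin. Prints "<service> <runlevels>"
# for each service enabled in runlevel 3 or 5 that is not allowlisted.
audit_daemons() {
  awk -v allow="$ALLOWLIST" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # Only per-runlevel rows: a name followed by 0:.. through 6:.. columns.
    # This skips the xinetd section, which has no runlevel columns.
    NF >= 8 && $2 ~ /^0:/ {
      levels = ""
      for (i = 2; i <= NF; i++)
        if ($i == "3:on" || $i == "5:on")
          levels = levels (levels == "" ? "" : ",") substr($i, 1, 1)
      if (levels != "" && !($1 in ok)) print $1, levels
    }'
}

# Stand-alone run against the constructed sample.
sample_chkconfig | audit_daemons
```

A service reported only under runlevel 5, such as the display manager in the sample, stops being started once the VS boots into runlevel 3.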


SearchServerVirtualization has a set of articles (some of which “inspired” this article) by Anil Desai which are excellent and right to the point in helping you secure your VSes and VMs. In particular, his tip articles “Virtualization Security Benefits” and “Improving VM Security” are both good overviews and contain valuable drill-down explanations to help you secure your VS/VM environments.