Mitigating Virtual Machine Security Vulnerabilities

San Francisco (4/8/2008)--The "Mitigating Virtual Machine Security Vulnerabilities" panel with newcomer Fortisphere, old-timer Configuresoft and nonprofit security adviser the Center for Internet Security was so popular that RSA officials had to turn away hundreds of attendees. I'll summarize the most important things that system and network managers should consider when

San Francisco (4/8/2008)--The "Mitigating Virtual Machine Security Vulnerabilities" panel with newcomer Fortisphere, old-timer Configuresoft and nonprofit security adviser the Center for Internet Security was so popular that RSA officials had to turn away hundreds of attendees.

I'll summarize the most important things that system and network managers should consider when securing virtual machines, but first let me say that Fortisphere is one of the most interesting companies at RSA. I had a chance to sit down with Fortisphere's Chris Farrow yesterday in a private briefing. In a nutshell, Fortisphere tags VMware virtual machines with a kernel-level driver so that the machine and any children that are cloned or snapshotted from the VM can be tracked as it moves around the virtual environment.

OK, so here's what came up at the panel.

  • Watch guest-to-guest communication. Can your IDS or firewall products secure against guest communication on the same host? Most likely not, and this is something to watch for as products develop over the rest of the year.
  • Turn off file sharing between guests and hosts.
  • When factoring in how many guests run on a host (they were only talking about server virtualization on the x86 platform), consider that each VM will have patch management, inventory, anti-virus and other performance monitoring tools also running on the instance. Before telling your boss that you can get five VMs on one physical host, ensure that you measure the performance impact of these management tools.
  • Microsoft and other OS and application makers don't have "temporary" licenses for products. Keep this in mind when considering how to provision VMs in a test/dev environment where the server will likely live for a relatively short period of time. The panelists had seen some sloppiness in license management at some sites using VMs.

Keep in mind that VMware just got onto Fortisphere's board, so if you talk to them and you hear nothing but love and goodness for what VMware is doing, like I heard at the panel today, keep that tie in mind.