Blog Posts

Lets walk through the differences between an Virtual Machine(VM) and a Physical Machine(PM). For this discussion, lets assume that we are using VMWare ESX 3.01 running on an Intel box. Lets use Windows Server 2003 as the guest system.

What are the apparent differences? Lets only focus on the actual differences in a VM and PM, and not the inherent security flaws in the guest OS.

The only apparent difference that I can think of is that the VM isn't easily accessible to a console user. In order to gain console access to the VM, the attacker would need to use either a VM Console Tool, or some type of remote access software such as DameWare or Terminal Services. I would have to say that is a check on VM side of the column. The physical attack surface of the machine has been drastically reduced. Now it could be argued, that you could mess with the VMs settings via the COS at the console and that is true. However you wouldn't be able to execute applications inside the VM from the COS in any way that I am aware of.

What type of security guidelines need to be in place for a VM? I believe that you need to follow your security policy exactly as you would for a PM on a guest OS.

1.) Always use antivirus inside the Guest OS. On the same token some other applications are emerging on the market that are specifically designed for VM Security, and protection from VMWare "escapes". Check out Catbird technologies, they have a thin IPS for Virtual Machines and ESX.

2.) Limit the VLANS that the guest VM needs access to.

3.) On the same coin, limit the Storage Networks and LUNS that are visible to the VM.

4.) Limit the resources assigned to the VM to prevent a DOS or any other resource shortage. This can affect other VMS running on the same host.

There are several others, based on guest OS, and version of VMWare you are running.

Virtualization – It is more than just server consolidation

Remember those old commercials where people came into work on Monday morning and thought that all of the servers had been stolen? That is the same path that most of us took when we first starting implementing virtualization. We were looking for a way to take the applications that were running on legacy servers and move them painlessly to another platform. We needed to find a away to take all of those applications that didn’t play well together and run them on the same box. We needed to eliminate all of those extra hardware costs. Virtualization was a great fit for that particular need.

Now that virtualization software has matured, it offers us features and abilities that we hadn’t even dreamed of. Virtualization can be used to provide for high availability, on demand resource additions, disaster recovery, and even rapid application development and deployment. There are also virtualization products that allow you to deploy a standard image across every desktop machine in the enterprise virtually eliminating the pains of upgrades and desktop replacement.

Lets walk through a scenario. You are an ecommerce director. You are running a successful online widget business. As the holidays approach you are expecting your business to do some major advertising that will create several flash traffic spikes. There is nothing worse than a web based storefront that is slow and unresponsive. You are in a very comma dilemma. Do you build out your infrastructure to handle these peak moments, or your normal traffic load at a quarter of the cost. With virtualization technologies you have the ability to dynamically add resources to your environment at a fraction of the cost of purchasing all of the hardware you normally would in order to accommodate this flash load. Through just a click of a mouse, you can spin up multiple virtual web and application servers.

What about disaster recovery? Virtualization software now has the ability to do intelligent VM HA, and Dynamic Resource Allocation. What does this mean? Lets say you have three physical servers running virtualization software. This software has the ability to be clustered together, to create a “pool” of resources if you will. If you’re mission critical software application is running in a VM on a host in the cluster, and that host happens to suffer a hardware failure, the virtualized cluster is intelligent enough to restart that mission critical application VM on another box in seconds. What used to require a phone call or a trip up to the datacenter is now handled by the software itself in seconds rather than hours. You don’t have to reinstall the operating system. You don’t have to reinstall the application. You don’t have to restore the data from tape.

All in all, virtualization has come a long way from its humble beginnings. Many of the concerns that we had over single points of failure taking down multiple machines has been erased. If you are remotely interested in virtualization, check out the following URLs.

http://www.vmware.com/
http://www.microsoft.com/virtualserver