VMware Workstation security best practices are especially important because, as a type-two hypervisor, Workstation is not as secure as bare-metal platforms. Regular patching and shutting down unnecessary virtual machines
Lately, I’ve watched movies that feature medieval castles, fortified walls, gallant knights and, of course, damsels in distress. In most of these movies, invaders had to breach castles walls -- either by siege or subterfuge -- to achieve their objective.
When watching these attempts to penetrate the fortress, I realized how many similarities there are between protecting the contents of the castle and securing virtual machines (VMs) in VMware Workstation. The following VMware Workstation security best practices will help keep your virtual castle safe.
Evaluating your sensitive VMs
In the movies, there was a reason to get inside the fortress -- either for treasure, power or the love of a beautiful maiden who is about to marry the wrong guy.
Why would attackers want to get into your virtual infrastructure? If they did, how bad would it be? By determining where your most valuable targets are, you can work to mitigate the damage caused by unauthorized user access. For example, if an outsider accessed a simple test appliance, what would your level of concern be, compared to a file server becoming compromised? By analyzing your risks and vulnerabilities, you can keep your valuables safe.
Granted, Workstation is not designed for production environments, and you shouldn’t use it for those purposes. But you can view Workstation as a microcosm of your production environment. If Workstation is not secure, perhaps it is time to make sure your production environment is not susceptible to the same weaknesses.
A fortified wall isn't much good if it hasn't been maintained. Why climb to the top when you can crawl through a hole? The same holds true for your hypervisor and host operating system. Regular patching is one of the VMware Workstation security best practices that will help keep the barbarians out.
There are several ways to patch the host OS: you or a support group can perform the process manually, or it may be automatically configured. As far as how to patch VMware Workstation, I recommend enabling automatic updates.
To activate this functionality, select Edit > Preferences > Update from the VMware Workstation menu bar. Then, verify that Software updates is selected. Depending on your environment, you may or may not want to select Automatically update VMware Tools on a virtual machine. Enabling automatic updates ensures that you receive the latest version of the hypervisor and any accompanying security patches. But new hypervisor releases can break functionality in your virtual infrastructure. It may not be wise to install Workstation updates without proper testing. That said, keeping the tools up to date is preferred, if your policies allow it.
In the movies, there is usually an informant who tips off the people in the castle that invaders are on the way. Fortunately, VMware sends notifications when security issues arise and suggests how we can defend ourselves. Sign up for VMware’s notification list to keep up to date on security advisories. It certainly does not have the romance of a notice stuck to a tree with an arrow, but it is helpful nonetheless.
Can the invaders find your castle on the map? Is there an easy-to-travel road, or will the barbarians have to work hard to find their destination?
How you configure networking for Workstation VMs will affect how easily an invader can access your network. You can restrict the guest VM so it sees only the host, other VMs or other physical machines on your network. It’s even possible to allow a VM to access the Internet.
Obviously, tightening the networking and firewall controls (including the blocking of specific TCP/UDP ports) will increase security. But these restrictions will limit your access to resources on the network. A physical server that is locked away in a vault with no network connectivity, for example, is extremely secure but of limited use.
Another of the top VMware Workstation best practices is to initially limit a VM’s access to only what is absolutely needed. Then you can gradually open up access on an as-needed basis. As a system admin, you must determine the correct balance of access and security for your infrastructure.
Disconnect and shut down VMs
In the movies, the kingdom's treasure is never just inside the castle gate with a “help thyself” sign. Finding it takes a colossal effort, usually involving personal sacrifice. You need to make your critical VMs just as tough to find and access.
If you aren’t using a VM, you may want to disconnect it or shut it down -- in essence, eliminating the target. Of course, this option may not be practical for mission-critical systems. But for test or development VMs, these tactics not only improve security but also make resources available for other VMs.
This was first published in September 2011