VMware security should be a priority for administrators -- especially in light of estimates that say most virtual machines (VMs) are less secure than their physical counterparts.
If you don’t follow VMware security best practices, your VMs could be part of that statistic. Traditional IT security measures aren’t enough, because unique VMware security risks require additional levels of protection over what you’d typically need in a physical IT infrastructure.
This resource guide covers some of the major VMware security risks facing admins today, then offers VMware security best practices to address those problems. The guide also includes links to additional VMware security resources.
Stealing a virtual machine in three easy steps
One of the best ways to understand VMware security risks is to exploit them yourself. Stealing a physical server out of a data center is very difficult, and it’s sure to get you noticed. But you can steal a VM from anywhere on your network. VMware security expert Eric Siebert walks you through the steps and points out the vulnerabilities along the way.
Virtual security: New attack vectors, new ballgame
Virtualization introduces new attack vectors that hackers can use to access your infrastructure. The most prominent attack vector -- and the one that deserves most of your virtual security attention -- is the host management console, because it provides access to every VM on the host. Other attack vectors include VMware Tools, which lets the guest operating system communicate with the hypervisor. Malicious applications can exploit its log files and fill up the host’s entire data store.
Preventing VMware virtual machine errors and security breaches
VMware Tools isn’t the only VMware security risk facing administrators. Drivers -- both normal and paravirtualized -- also contain vulnerabilities. Securing your operating systems on the VMware ESX or ESXi hypervisor isn’t enough. To prevent VMware virtual machine errors and security breaches, admins also need to consider the layer where the VM and the hypervisor interact.
Preventing VMware network security breaches
Networking problems can undo all the good you’ve tried to do by placing a VMware host into a demilitarized zone (DMZ). VMware network security breaches can occur through the vMotion and Storage vMotion network, the VM network and the storage network. If not properly managed, these networks can bypass the security measures designed to prevent external communication to within the DMZ.
Enabling Secure Shell in ESXi
Secure Shell (SSH) is a secure network communication protocol that can improve VMware security. To enable SSH in vSphere's version of the ESXi hypervisor, all it takes are four easy steps.
VShield: Breaking down the VMware security suite
VMware’s VShield line of security products are designed to provide built-in protection for ESX and ESXi environments. VShield Zones was the first product in this suite, and since its debut the company has added vShield Manager, vShield App, vShield Edge and vShield Endpoint.
VMware security Technical Resource Center
The VMware security Technical Resource Center is where the vendor offers information about its security products, certifications and partners. The site also provides advisories and VMware security best practices.
VMware Communities: Security and compliance
The VMware Communities site for security and compliance is a forum where users can discuss VMware security issues and seek solutions to their problems. Forum members can also share VMware security documents and learn about the company’s security APIs.