VMware security should be a priority for administrators -- especially in light of estimates that say most virtual machines (VMs) are less secure than their physical counterparts.
If you don’t follow VMware security best practices, your VMs could be part of that statistic. Traditional IT security measures aren’t enough, because unique VMware security risks require additional levels of protection over what you’d typically need in a physical IT infrastructure.
This resource guide covers some of the major VMware security risks facing admins today, then offers VMware security best practices to address those problems. The guide also includes links to additional VMware security resources.
Stealing a virtual machine in three easy steps
One of the best ways to understand VMware security risks is to exploit them yourself. Stealing a physical server out of a data center is very difficult, and it’s sure to get you noticed. But you can steal a VM from anywhere on your network. VMware security expert Eric Siebert walks you through the steps and points out the vulnerabilities along the way.
Virtual security: New attack vectors, new ballgame
Virtualization introduces new attack vectors that hackers can use to access your infrastructure. The most prominent attack vector -- and the one that deserves most of your virtual security attention -- is the host management console, because it provides access to every VM on the host. Other attack vectors include VMware Tools, which lets the guest operating system communicate with the hypervisor. Malicious applications can exploit its log files and fill up the host’s entire data store.
VMWARE SECURITY BEST PRACTICES
Preventing VMware virtual machine errors and security breaches
VMware Tools isn’t the only VMware security risk facing administrators. Drivers -- both normal and paravirtualized -- also contain vulnerabilities. Securing your operating systems on the VMware ESX or ESXi hypervisor isn’t enough. To prevent VMware virtual machine errors and security breaches, admins also need to consider the layer where the VM and the hypervisor interact.
Preventing VMware network security breaches
Networking problems can undo all the good you’ve tried to do by placing a VMware host into a demilitarized zone (DMZ). VMware network security breaches can occur through the vMotion and Storage vMotion network, the VM network and the storage network. If not properly managed, these networks can bypass the security measures designed to prevent external communication to within the DMZ.
Enabling Secure Shell in ESXi
Secure Shell (SSH) is a secure network communication protocol that can improve VMware security. Enabling SSH in vSphere's version of the ESXi hypervisor takes just four easy steps.
MORE VMWARE SECURITY RESOURCES
vShield: Breaking down the VMware security suite
VMware’s vShield line of security products is designed to provide built-in protection for ESX and ESXi environments. vShield Zones was the first product in this suite, and since its debut the company has added vShield Manager, vShield App, vShield Edge and vShield Endpoint.
VMware security Technical Resource Center
The VMware security Technical Resource Center is where the vendor offers information about its security products, certifications and partners. The site also provides advisories and VMware security best practices.
VMware Communities: Security and compliance
The VMware Communities site for security and compliance is a forum where users can discuss VMware security issues and seek solutions to their problems. Forum members can also share VMware security documents and learn about the company’s security APIs.
This was first published in February 2010