Whether you are new to VMware Fusion or an old pro, there are a few security considerations you should be aware of with this hosted virtualization platform. Follow these VMware Fusion security measures to protect the virtual machines, the host and your own sanity.
VMware Fusion is a Type 2 hypervisor, which means it runs as an application atop the host operating system. These hypervisors don’t have direct access to the hardware and must go through the host OS, which exposes them to additional security vulnerabilities compared with bare-metal Type 1 hypervisors. VMware Fusion also offers many types of sharing between the guest and host OS, each of which provides a further point of access for potential hackers.
VMware Fusion download options
When you purchase VMware Fusion, including the new VMware Fusion 4, you can decide between two separate downloads, one with McAfee’s Security Suite and one without. I highly recommend that you download the one without the suite.
Here’s why: First, the product can be difficult to manage and remove. Second, while it’s nice to have this VMware Fusion security option pre-bundled with the product, McAfee’s suite is only a limited-time activation, and repeatedly nags you to purchase it before it runs out.
Personally, I find security products such as Microsoft Security Essentials and ESET NOD32 easier to administer, control and remove.
Security settings in VMware Fusion 4
One new feature of VMware Fusion 4 is the ability to encrypt VMs, but it’s not a perfect system. The encryption method is the older 128-bit AES encryption, even though the more secure 256-bit AES has been available for some time. Plus, the VM files (or “package,” in Mac OS parlance) are only encrypted when the VM is powered off. But what if you want to suspend or pause the VM? In those cases, the VM and its resources are not encrypted.
When I first upgraded to VMware Fusion 4, I was also surprised by some of the options that are enabled by default.
For instance, Bluetooth is enabled in the guest OS and Bluetooth Sharing is enabled between the guest and the host. Since the host and guest can potentially “share” the Bluetooth connections with, say, a nearby hacker’s Bluetooth device, they can both be compromised easily. For the best VMware Fusion security, this default setting is something you should disable.
The post-4.01 release of VMware Fusion 4 includes another default setting that’s best to disable. By default, the Downloads and Movies folders on your Mac’s hard drive are now “Mirrored.” While convenient, mirroring these folders is another path for cross-OS infection and increases the overall attack surface of the VMware Fusion 4 host and guest OSes.
Locking down USB devices, shared folders
Along with Bluetooth, VMware Fusion 4 includes the ability to share other devices and services, such as USB devices and folders. In and of itself, sharing of these devices isn’t a big security concern; it’s what’s on these USB devices and in these shared folders that is worrisome. What if, for example, the USB device was compromised, or a rogue command file was executed from a shared folder causing either the guest or host OS to be infected?
It’s also important to remember that shared folders are not always local folders, but could be shares on your company or home network. If the shared folders are on a network, your attack surface increases greatly. Be very careful before you decide to choose Everyone and Full Control as your shared folder settings. Be sure to lock down any shares that you enable in VMware Fusion between the host and guest, both at the file level and in the Fusion preferences.
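One way to review the Bluetooth and shared-folder settings outside the preferences dialog is to read the VM's .vmx configuration file. The Python below is an added example, not code from this article or from VMware; it assumes the `sharedFolderN.*` and `usb.vbluetooth.startConnected` keys as they commonly appear in Fusion .vmx files, runs on a constructed sample, and treats any host path under /Volumes/ as a non-local share (a heuristic).

```python
import re

# Constructed sample .vmx text (not taken from a real VM or from the article).
SAMPLE_VMX = """\
usb.vbluetooth.startConnected = "TRUE"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.writeAccess = "TRUE"
sharedFolder0.hostPath = "/Users/alice/Downloads"
sharedFolder1.present = "TRUE"
sharedFolder1.enabled = "TRUE"
sharedFolder1.writeAccess = "FALSE"
sharedFolder1.hostPath = "/Volumes/corp-share/docs"
sharedFolder2.present = "TRUE"
sharedFolder2.enabled = "FALSE"
sharedFolder2.hostPath = "/Users/alice/Movies"
"""

SETTING = re.compile(r'^\s*([\w.:-]+)\s*=\s*"(.*)"\s*$')
SHARE_KEY = re.compile(r"sharedfolder(\d+)\.")

def parse_vmx(text):
    """Return {lowercased key: value}; lines that are not key = "value" are skipped."""
    matches = (SETTING.match(line) for line in text.splitlines())
    return {m.group(1).lower(): m.group(2) for m in matches if m}

def audit(settings):
    """Return (kind, detail) findings for Bluetooth sharing and active shared folders."""
    def on(key):
        return settings.get(key, "").upper() == "TRUE"

    findings = []
    if on("usb.vbluetooth.startconnected"):  # assumed key for Bluetooth sharing
        findings.append(("bluetooth", "host Bluetooth is shared with the guest"))
    indexes = sorted({int(m.group(1)) for m in map(SHARE_KEY.match, settings) if m})
    for i in indexes:
        prefix = f"sharedfolder{i}."
        if not (on(prefix + "present") and on(prefix + "enabled")):
            continue  # defined but switched off: nothing is exposed
        path = settings.get(prefix + "hostpath", "<no hostPath>")
        kind = "share-rw" if on(prefix + "writeaccess") else "share-ro"
        findings.append((kind, path))
        if path.startswith("/Volumes/"):  # heuristic: mounted network or external volume
            findings.append(("non-local", path))
    return findings

if __name__ == "__main__":
    for kind, detail in audit(parse_vmx(SAMPLE_VMX)):
        print(f"{kind:10} {detail}")
```

Any `share-rw` or `non-local` finding is a share to re-check at the file-permission level as well as in the Fusion preferences.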
These are some of the default settings that you, as a VMware Fusion 4 user, should reconsider in order to protect both the guest and host OSes.