All virtualization platforms are not the same. As you move to adopt virtual infrastructure solutions to reduce costs and improve IT operations, make sure you understand the security implications of virtualization technology and the platform you choose. VMware offers the most robust and secure virtualization platform available. Let us help you:
- Separate fact from fiction when it comes to virtualization and IT security
- Understand the most significant ways in which virtualization affects security
- Find resources as well as the latest news on virtualization security
Hosted vs. Bare-Metal Virtualization
There are two common approaches to virtualization: "hosted" and "bare-metal". Hosted virtualization software runs as an application or "guest" on top of a general-purpose operating system. Bare-metal virtualization interfaces directly with computer hardware, without the need for a host operating system. Below you can see the common security issues and the implications of choosing a hosted versus bare-metal virtualization platform.
| Issue | Hosted | Bare-Metal |
|---|---|---|
| Vulnerability of the underlying operating system | Hosted virtualization products run on general-purpose operating systems and are susceptible to all the vulnerabilities and attacks that are prevalent on such systems. | VMware bare-metal virtualization is built around the “VMkernel”, a special-purpose microkernel that has a much smaller attack surface than a general-purpose operating system. |
| Sharing of files and data between the guest and the host | Most hosted virtualization products provide methods to share user information from the guest to the host (shared folders, clipboards, etc). Although convenient, these are vulnerable to data leakage and malicious code intrusion. | Since ESX is designed specifically for virtualization, there is no mechanism or need to share user information between virtual machines and their host. |
| Resource allocation | Hosted virtualization products run as applications in the process space of the host OS. They are at the mercy of the host OS and other applications. | VMware bare-metal virtualization allocates resource intelligently while isolating virtual machines from underlying hardware components. No single virtual machine can use all the resources or crash the system. |
| Target Usage | Hosted virtualization is targeted for environments where the guest virtual machines can be trusted. This includes software development, testing, demonstration, and trouble-shooting. | ESX is meant to be used in production environments in which the guest virtual machines can potentially be exposed to malicious users and network traffic. Strong isolation and strict separation of management greatly reduce any risk of harmful activity going beyond the boundaries of the virtual machine. |
Thin Virtualization: Get Strong Security in a Small Package
"Thin" virtualization, found in software such as VMware ESXi 3.5, is the next step in virtualization, dramatically strengthening security and manageability.
- Reduced size makes the attack surface much smaller, and reduces the potential for vulnerabilities
- Independence from a parent partition or console based on a general-purpose OS means far fewer interfaces to exploit and less malware threats, especially important given the path of device drivers from the VM to the physical hardware
- Unstructured, console-based interaction for administration is replaced by authenticated and audited interfaces such as the VI Client and the Remote CLI
