Securely configuring virtual machines

Securely configuring virtual machines

  • Comments 4

When it comes to configuring virtual machines in a secure fashion - the most important thing to keep in mind is that you need to treat virtual machines just like they are separate physical machines.  This includes dealing with the following issues:

  1. Network firewalls

    Virtual machines are not protected by any firewall software on the host operating system.  The reason for this is that the virtual machines are essentially connected to the network at layer 2 while most conventional firewalls operate at layer 3 or higher (
    http://en.wikipedia.org/wiki/OSI_model).  As such virtual machines should always have appropriate fire walling software enabled.  If your guest operating system does not have firewall software readily handy (or you do not want to install a software firewall in the guest operating system) using Shared Networking under Virtual PC (as opposed to connecting the virtual machine directly to the network) will gain you a modicum of network security as - like with most NAT routing solutions - external network entities will be unable to communicate directly with your virtual machine.

  2. Antivirus software

    Once again any antivirus software that is installed on the host operating system does nothing to protect the virtual machines.  You should install separate antivirus software inside of each of your virtual machines and treat them like separate physical computers.

  3. Security patching

    This is the most difficult of all the issues.  It is important to keep virtual machines up to date with the latest security patches just like you would with a physical computer.  The challenge with this is that virtual machines are regularly powered off for indefinite periods of time.  This is further complicated by the fact that it is possible to launch a virtual machine, apply a security patch and then accidentally undo the patch by discarding your undo disks.  Unfortunately there is no easy solution for this one - and you just need to be vigilant about keeping your virtual machines up to date.

One alternative to keep in mind is that if you are using your virtual machines for test / development and can manage to keep them completely isolated from the network most of the above advice can be skipped with fair safety (though you should still remain cautious).

Cheers,
Ben

Leave a Comment
  • Please add 8 and 3 and type the answer here:
  • Post
  • Hi,

    About patching, would it be possible to include in the start up machine action a script in order to check for the latest patches?
    Sure you have a script :)
  • The patch-management aspect of Virtual PC is really discouraging for us. Within our IT group, we use it fairly extensively for testing and validation. But we haven’t been able to come up with a sustainable deployment strategy. Our development group has been introduced to Virtual PC and are piloting it right now. But we’re running into virtual machines that rarely get fired up, and when they do, they’re weeks, or months out of date. Sometimes they’ve had a state-saved, and we get an IP-address conflict. Other times, users have switched from Ethernet to the WLAN, further confusing things. Furthermore, they’re typically power-on long enough to get updated via SUS.

    We’re looking at scripted-management… with a shared “live” machine managed by IT, and updated as necessary. Login scripts offer image “refreshes”, and log-out scripts delete existing images. However, doing all of this with an 8GB image can be unwieldy, and leads to frustration, complaints, and ultimately IT-perception issues. And perception issues make it much harder to get organization buy-off and participation on future projects.
  • Looks like your security failed. The Worms have been joined by Worms II.
  • if I install firewall software (symanec client firewall with symantec ce av)in the xp mode machine, I cannot send emails from the host via outlook.  as soon as I uninstall the firewall software on the client, it works fine on the host.   why the conflict??

Page 1 of 1 (4 items)