Overcoming Virtual Server Security Risks

Ralph DeFrangesco

A server is a server, right? They are just made up of hardware and software. But virtual servers have different hardware and software and and bring different and very real security risks. Let's look at the risks so we can understand how virtual servers are different:


  1. Very often, security policies are tied to a physical IP address. Virtual servers are free from physical IP addressing.
  2. Virtual code is just software. As I write this, hackers are trying to break the code to get their hands on the virtual layer. It will happen soon.
  3. Traffic travels between virtual servers on internal switches that never even touch a firewall or Intrusion-Detection System.
  4. Because they are easy to set up, virtual servers can be added to infrastructure in a very short amount of time, often without the proper security.
  5. Virtual server tools allow administrators to move data between servers easily -- too easily. This could violate company security policies.


This does not tell the whole story. The Burton Group says that Hyper-V falls short on must-have features. Specifically, Hyper-V lacks the ability to restart VMs in a specific order. This could be a security problem if one server needs to be up before another. In addition, Hyper-V falls short supporting multiple CPUs on Windows Server 2003 and earlier versions of the OS. Finally, Microsoft's Virtual Machine Manager cannot run on a cluster of servers so it can't be made truly fault tolerant. Xen Server didn't do all that much better. The only VM to meet all of the 27 essential features was EMC's VMware.


In my opinion, Microsoft and Xen are just trying to get the basic VM to work properly. EMC is clearly the leader and surpasses them both. EMC has recently released VMSafe, a set of security APIs that addresses security, is included in VMCenter, and can be extended across the VM line. VMSafe runs at the Hypervisor layer and provides monitoring of VMs, enforces policies, and acts as a malicious activity scanner. What VM is your organization using?

Add Comment      Leave a comment on this blog post
Sep 9, 2009 5:18 AM Michael Argast Michael Argast  says:

Virtual servers, managed properly can actually be a security boon. Your ability to roll back to previous snapshots for resolution, the ability to build improved security baselines for new deployments, etc, can have an overall positive impact on your security posture. That being said, Ralph does have a number of good points he's raised.

We (Sophos) did a survey where we asked IT managers about knowledge of people using virtual desktops within their environment to bypass security - this is becoming increasingly common. People will run VMs to play games, etc, all without being watched by IT - and these VMs, improperly managed can result in significant security breaches.


Sep 17, 2009 9:44 AM Ralph DeFrangesco Ralph DeFrangesco  says: in response to Michael Argast

I was recently sent an Email from Citrix stating that Xen does indeed meet all of the 27 essential requirements as stated in the Burton Report.


I apologize for the mistake in the post.


Feb 25, 2014 12:33 PM server management server management  says:
There are a lot of risk involve when it comes to acquiring virtual servers, that's why it's very important to be prepared to handle such risks and have a solid back up plan which you can use and rely when something unexpected happens. Reply

Post a comment





(Maximum characters: 1200). You have 1200 characters left.



Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.