Guide to Security for Full Virtualization Technologies
Virtualization is the simulation of the software and/or hardware upon which other
software runs. This simulated environment is called a virtual machine (VM). There are
many forms of virtualization, distinguished primarily by computing architecture layer.
This publication focuses on the form of virtualization known as full virtualization. In
full virtualization, one or more OSs and the applications they contain are run on top
of virtual hardware. Each instance of an OS and its applications runs in a separate VM
called a guest operating system. The guest OSs on a host are managed by the hypervisor,
which controls the flow of instructions between the guest OSs and the physical
hardware, such as CPU, disk storage, memory and network interface cards. The hypervisor
can partition the system’s resources and isolate the guest OSs so that each has access
to only its own resources, as well as possible access to shared resources such as files
on the host OS. Also, each guest OS can be completely encapsulated, making it portable.
Some hypervisors run on top of another OS, which is known as the host operating
system.
The recent increase in the use of full virtualization products and services has been
driven by many benefits. One of the most common reasons for adopting full
virtualization is operational efficiency: organizations can use their existing hardware
(and new hardware purchases) more efficiently by putting more load on each computer. In
general, servers using full virtualization can use more of the computer’s processing
and memory resources than servers running a single OS instance and a single set of
services. A second common use of full virtualization is for desktop virtualization,
where a single PC is running more than one OS instance. Desktop virtualization can
provide support for applications that only run on a particular OS. It allows changes to
be made to an OS and subsequently reverted if needed, such as to
eliminate changes that negatively affect security. Desktop virtualization also supports
better control of OSs to ensure that they meet the organization’s security
requirements.
Full virtualization has some negative security implications. Virtualization adds
layers of technology, which can increase the security management burden by
necessitating additional security controls. Also, combining many systems onto a single
physical computer can cause a larger impact if a security compromise occurs. Further,
some virtualization systems make it easy to share information between the systems; this
convenience can turn out to be an attack vector if it is not carefully controlled. In
some cases, virtualized environments are quite dynamic, which makes creating and
maintaining the necessary security boundaries more complex.
This publication discusses the security concerns associated with full virtualization
technologies for server and desktop virtualization, and provides recommendations for
addressing these concerns.
The attached Zip file includes:
- Intro Page.doc
- Cover Sheet and Terms.doc
- Guide to Security for Full Virtualization Technologies.pdf