Securely configuring virtual machines

When configuring virtual machines securely, the most important thing to keep in mind is that you need to treat virtual machines just like separate physical machines. This includes dealing with the following issues:

  1. Network firewalls

    Virtual machines are not protected by any firewall software on the host operating system. This is because virtual machines are essentially connected to the network at layer 2, while most conventional firewalls operate at layer 3 or higher (https://en.wikipedia.org/wiki/OSI_model). As such, virtual machines should always have appropriate firewall software enabled. If your guest operating system does not have firewall software readily at hand (or you do not want to install a software firewall in the guest operating system), using Shared Networking under Virtual PC, as opposed to connecting the virtual machine directly to the network, will gain you a modicum of network security: as with most NAT routing solutions, external network entities will be unable to communicate directly with your virtual machine.

  2. Antivirus software

    Once again, any antivirus software that is installed on the host operating system does nothing to protect the virtual machines. You should install separate antivirus software inside each of your virtual machines and treat them like separate physical computers.

  3. Security patching

    This is the most difficult of all the issues. It is important to keep virtual machines up to date with the latest security patches, just like you would with a physical computer. The challenge is that virtual machines are regularly powered off for indefinite periods of time. This is further complicated by the fact that it is possible to launch a virtual machine, apply a security patch, and then accidentally undo the patch by discarding your undo disks. Unfortunately, there is no easy solution for this one, and you just need to be vigilant about keeping your virtual machines up to date.
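
The following added example is not part of the original post. It audits a folder of Virtual PC machines for the two patching hazards in item 3: guests that have sat powered off, and undo disks that still hold uncommitted changes. The one-folder-per-VM layout, the 30-day threshold, the function names and the use of disk file modification time as a stand-in for "last run" are assumptions.

```python
import os
import tempfile
import time
from pathlib import Path

DAY = 86400
DISK_EXTS = {".vhd", ".vud"}   # Virtual PC hard disk and undo disk files

def audit_vm_folder(root, stale_days=30, now=None):
    """Flag VMs that have sat powered off and VMs holding an undo disk.

    Assumptions: one sub-folder per VM, and the newest write to a disk
    file approximates the last time the guest ran (and could be patched).
    """
    now = time.time() if now is None else now
    findings = []
    for vm_dir in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        disks = [f for f in vm_dir.rglob("*")
                 if f.is_file() and f.suffix.lower() in DISK_EXTS]
        if not disks:
            continue
        idle_days = int((now - max(f.stat().st_mtime for f in disks)) // DAY)
        findings.append({
            "vm": vm_dir.name,
            "idle_days": idle_days,
            "stale": idle_days >= stale_days,
            # Patches applied in this session live only in the undo disk:
            # discarding it instead of committing rolls them back.
            "undo_pending": sorted(f.name for f in disks
                                   if f.suffix.lower() == ".vud"),
        })
    return findings

def build_sample(root, now):
    """Constructed sample layout: (folder, file, days since last write)."""
    layout = [("build-server", "build.vhd", 2),
              ("legacy-test", "legacy.vhd", 120),
              ("web-dev", "web.vhd", 45), ("web-dev", "web.vud", 1)]
    for vm, name, age in layout:
        path = Path(root, vm, name)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"")
        os.utime(path, (now - age * DAY, now - age * DAY))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        now = int(time.time())
        build_sample(tmp, now)
        for row in audit_vm_folder(tmp, now=now):
            print(row)
```

A VM reported as stale should be booted and patched before it is reconnected to the network, and one with a pending undo disk should have that disk committed once the patches are confirmed.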

One alternative to keep in mind: if you are using your virtual machines for test/development and can manage to keep them completely isolated from the network, most of the above advice can be skipped with fair safety (though you should still remain cautious).

Cheers,
Ben