NIST publishes a draft Guide to Security for Full Virtualization Technologies

The Computer Security Division of the US National Institute of Standards and Technology (NIST) published last week the first draft of a new paper titled Guide to Security for Full Virtualization Technologies.

By “full virtualization” the authors mean what the industry calls “hardware virtualization”: a virtualization platform based on a type-1 (bare-metal, or hypervisor) or a type-2 (hosted) virtual machine monitor (VMM) that hosts virtual machines (VMs).
The document also uses “server virtualization” to mean “hardware virtualization for server consolidation” and “desktop virtualization” to mean “hardware virtualization executed on a consumer desktop”, not “hardware virtualization for client consolidation”.

The 35-page paper has three sections: the first introduces the concept of full virtualization and its implementations; the second presents the security recommendations for virtualization components; and the third introduces the discipline of secure virtualization planning and deployment.

The security recommendations are divided into specific sections: one for the hypervisor, one for the guest operating system, one for the virtual infrastructure and one for hosted desktop virtualization platforms.

The recommendations are fairly generic. Those for the hypervisor, for example, are:

  • Install all updates to the hypervisor as they are released by the vendor. Most hypervisors have features that will check for updates automatically and install the updates when found. Centralized patch management solutions can also be used to administer updates.
  • Disconnect unused physical hardware from the host system. For example, a removable disk drive might be occasionally used for backups, but it should be disconnected when not actively being used for backup or restores. Disconnect unused NICs from any network.
  • Disable all hypervisor services such as clipboard- or file-sharing between the guest OS and the host OS unless they are needed. Each of these services can provide a possible attack vector. File sharing can also be an attack vector on systems where more than one guest OS share the same folder with the host OS.
  • Consider using introspection capabilities to monitor the security of each guest OS. If a guest OS is compromised, its security controls may be disabled or reconfigured so as to suppress any signs of compromise. Having security services in the hypervisor permits security monitoring even when the guest OS is compromised.
  • Consider using introspection capabilities to monitor the security of activity occurring between guest OSs. This is particularly important for communications that in a non-virtualized environment were carried over networks and monitored by network security controls (such as network firewalls, security appliances, and network IDPS sensors).
  • Carefully monitor the hypervisor itself for signs of compromise. This includes using self-integrity monitoring capabilities that hypervisors may provide, as well as monitoring and analyzing hypervisor logs on an ongoing basis.
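The third recommendation above (disable clipboard and file sharing between guest and host unless needed) is the kind of item that can be checked mechanically. As an added example, not code from NIST or from any vendor, the following audits a VMware guest's .vmx configuration against that recommendation; the isolation.tools.* key names are assumed from VMware's own hardening guidance, and the sample VMX text is constructed.

```python
"""Audit a .vmx guest config for guest/host clipboard and file-sharing settings.
Constructed example. The isolation.tools.* keys are assumed from VMware hardening
guidance; confirm the current key set against your vendor's guide."""
import re

# Setting -> value that satisfies "sharing disabled". A missing key also fails,
# because the product default leaves the service enabled.
EXPECTED = {
    "isolation.tools.copy.disable": "TRUE",           # guest -> host clipboard
    "isolation.tools.paste.disable": "TRUE",          # host -> guest clipboard
    "isolation.tools.dnd.disable": "TRUE",            # drag-and-drop file transfer
    "isolation.tools.setGUIOptions.enable": "FALSE",  # guest cannot re-enable above
    "isolation.tools.hgfsServerSet.disable": "TRUE",  # shared folders (HGFS)
}

_LINE = re.compile(r'^\s*([A-Za-z0-9_.:-]+)\s*=\s*"?([^"#]*?)"?\s*$')

def parse_vmx(text):
    """Return {key: value}; VMX keys are treated as case-insensitive."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # tolerate trailing comments
        if not line:
            continue
        m = _LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings

def audit(vmx_text):
    """Return [(key, found_value_or_None, expected_value)] for failing settings."""
    settings = parse_vmx(vmx_text)
    findings = []
    for key, want in EXPECTED.items():
        got = settings.get(key.lower())
        if got is None or got.upper() != want:
            findings.append((key, got, want))
    return findings

# Constructed sample: one setting explicitly enabled, two never set at all.
SAMPLE_VMX = """\
.encoding = "UTF-8"
displayName = "web01"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "false"   # left enabled
isolation.tools.dnd.disable = "TRUE"
"""

if __name__ == "__main__":
    for key, got, want in audit(SAMPLE_VMX):
        print(f"FAIL {key}: found {got!r}, expected {want}")
```

Run it against the sample and it reports three failures: paste enabled, GUI options not locked, and shared folders not disabled.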

Nonetheless, this guide can be used as a good starting point for securing virtual infrastructures and should be paired with the specific hardening guides released by the virtualization vendors, such as the new VMware vSphere 4.0 Security Hardening Guide.