Kai Axford put together a great article on security myths in a virtual world. It's come to Kai's and my attention that some admins, both new and not so new to virtualization, think that there might be some magic security sauce to virtualization. Like most such beliefs (such as the belief that "hardware" firewalls are more secure than "non-hardware" firewalls), these are not true.
Kai points out three common myths about security in a virtual world:
Myth #1: "I only have to patch my host OS / Kernel."
While you do need to keep the host OS secure so that taking down the host OS doesn't take down all the guests running on that host, the fact is that the guests also have to be secured, just as they would be if they were running in a non-virtualized environment. There's nothing inherent in a virtualized environment that would make updating guests any less important than if they weren't virtualized.
Myth #2: "If I just protect my host machine, it will protect my VMs."
This is a corollary of myth #1. Yes, the host machine must be secured, but the guests also need to be able to defend themselves. Apply the same security requirements to your virtual machines as you would to your physical machines. Examine all points of inbound and outbound access to and from those virtual machines and make sure you have accounted for them and secured them.
Myth #3: "Virtual hard disk files are secure by default."
Not sure where this one came from. It would be like saying "all physical computers are secure by default". If ten people sent their workstations for you to work on in your lab, would you connect them to your network because you had a belief that they were secure by default? Of course not. The same is true for virtual machines. Don't trust them and don't connect them to your network if you know that they've fallen out of your hands at any time.
Check out Kai's excellent article for full coverage on this subject at:
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com
MVP - Forefront Edge Security (ISA/TMG/IAG)