GUIDE TO SECURITY FOR FULL VIRTUALIZATION TECHNOLOGIES
to be carefully protected against unauthorized access, modification, and replacement. Some organizations
need to have a small number of known-good images of guest OSs that differ, for example, based on the
application software that is installed.
As the use of server and desktop virtualization grows within an organization, the management of images
can become a significant challenge. Some virtualization products offer management solutions that can
examine stored images and update them as needed, such as applying patches and making security
configuration changes, but other products offer no way of applying updates other than loading each
image. For these products, the longer an image is stored without running it, the more vulnerabilities it is
likely to contain when it is loaded again. It may be necessary to track all images and ensure that each
non-archival image is periodically updated. Tracking images may also be a significant problem, particularly if
users and administrators are able to create their own images. These images may also not be secured
properly, especially if they are not based on a security baseline (e.g., the one provided by a different
pre-secured image). This could increase the risk of compromise.
Another potential problem with increasing the use of virtualization in particular is the proliferation of
images, also known as sprawl. It is easy to create a new image—it can often be done in just a few
minutes, albeit without any consideration of security—so unnecessary images may be created and run.
Each additional image running is another potential point of compromise for an attacker. Also, each
additional image is another image that has to have its security maintained. Therefore, organizations
should minimize the creation, storage, and use of unnecessary images. Organizations should consider
implementing formal image management processes that govern image creation, security, distribution,
storage, use, retirement, and destruction, particularly for server virtualization. Similar consideration
should be given to snapshot management. In some cases, organizations have policies to not allow storage
of snapshots because of the risk of malware from infected systems being stored in snapshots and later
reloaded.
Image management can provide significant security and operational benefits to an organization. For
example, if the contents of an image become compromised, corrupted, or otherwise damaged, the image
can quickly be replaced with a known good image. Also, snapshots can serve as backups, permitting the
rapid recovery of information added to the guest OS since the original image was deployed. One of the
drawbacks associated with this type of backup is that incremental or differential backups of the system
may not be feasible unless those backups are supported by the hypervisor. If a modification is made to the
guest OS after a snapshot has been captured, the original snapshot will not include the modification, and a
new snapshot will need to be applied. Because of this, snapshot management needs to be considered as
part of image management.
If an image has been compromised, its encapsulated nature means that it can easily be preserved for
forensic purposes. Also, a guest OS can be suspended quickly, which causes a snapshot to be recorded
that captures the entire state of a compromised guest OS, including the complete contents of RAM, then
stops the guest OS to prevent the compromise from spreading to other guest OSs or hosts. In traditional
environments, it is more difficult to capture the complete contents of RAM during or after an attack.
Often, multiple steps must be performed before the data can be captured, potentially leading to the loss of
important information.
Image files can be monitored to detect unauthorized changes; this can be done by
calculating cryptographic checksums for each file as it is stored, then recalculating these checksums
periodically and investigating the source of any discrepancies. Image files can also be scanned to detect
rootkits and other malware that, when running, conceal themselves from security software present within
the guest OS.
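The following is an added example, not code from NIST SP 800-125, showing the two checks the guide describes for stored images: a checksum baseline recorded when each image is stored and recalculated later to flag modified, missing or untracked files, and a staleness check that flags non-archival images whose last patch date is older than a configurable limit. The image directory, file names, patch dates and the 30-day limit are all constructed for the example; in practice the patch dates would come from the organization's image management records.

```python
"""Integrity baseline and staleness check over a directory of stored guest OS images.
Added example; not part of NIST SP 800-125. All sample images and dates are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import date, timedelta

CHUNK = 1 << 20  # hash in 1 MiB chunks so multi-GB image files never need to fit in RAM


def sha256_file(path):
    """Cryptographic checksum of one image file, streamed from disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(image_dir, patched_on):
    """Record a checksum for every image as it is stored, together with the date it was
    last patched. patched_on maps file name -> ISO date (assumed to come from the
    image management process). The result is JSON-serializable so it can be kept
    on a separate, write-protected system."""
    baseline = {}
    for name in sorted(os.listdir(image_dir)):
        path = os.path.join(image_dir, name)
        if os.path.isfile(path):
            baseline[name] = {"sha256": sha256_file(path), "last_patched": patched_on[name]}
    return baseline


def verify(image_dir, baseline, today, max_age_days=30):
    """Recalculate checksums and compare them with the baseline.
    Returns lists of modified, missing and unexpected (untracked) files, plus
    images whose last patch date is older than max_age_days and therefore need
    to be loaded and updated before they are used again."""
    report = {"modified": [], "missing": [], "unexpected": [], "stale": []}
    present = {n for n in os.listdir(image_dir) if os.path.isfile(os.path.join(image_dir, n))}
    for name, rec in baseline.items():
        if name not in present:
            report["missing"].append(name)
            continue
        if sha256_file(os.path.join(image_dir, name)) != rec["sha256"]:
            report["modified"].append(name)
        if today - date.fromisoformat(rec["last_patched"]) > timedelta(days=max_age_days):
            report["stale"].append(name)
    report["unexpected"] = sorted(present - set(baseline))
    return report


def demo():
    """Constructed scenario: three images are stored and baselined; later one is
    tampered with, one is deleted, and a user drops in an untracked image."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in [("web.qcow2", b"web image v1"),
                           ("db.qcow2", b"db image v1"),
                           ("build.vmdk", b"build image v1")]:
            with open(os.path.join(d, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(d, {"web.qcow2": "2024-01-05",
                                      "db.qcow2": "2024-02-20",
                                      "build.vmdk": "2024-02-25"})
        # Baseline would normally be written out here: json.dumps(baseline)
        with open(os.path.join(d, "web.qcow2"), "ab") as f:
            f.write(b" + unauthorized change")        # modification of a stored image
        os.remove(os.path.join(d, "db.qcow2"))         # image removed without process
        with open(os.path.join(d, "scratch.qcow2"), "wb") as f:
            f.write(b"ad hoc image")                   # sprawl: untracked new image
        return verify(d, baseline, date(2024, 3, 1))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Each finding in the report maps to an action from the text: a modified or unexpected file is investigated as a possible unauthorized change, a missing file is checked against the retirement and destruction process, and a stale image is loaded and patched (or moved to archival status so it is no longer expected to be current).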