What are the security risks associated with virtual PCs?

Since virtual PCs enable you to run multiple operating systems simultaneously on a single piece of hardware, they can introduce risks into your networking environment. In this information security threats Q&A, Ed Skoudis examines what these risks are and what you can do to mitigate them.

What are the security risks associated with virtual PCs (Workstations)?
Virtual machines are very popular today, as they allow you to run multiple operating systems simultaneously on a single piece of hardware. Using tools like VMware, you can run several Windows machines on top of Linux, or run Linux on top of Windows. With Virtual PC (Microsoft's product), you can run Linux or Windows on Windows. And, with Parallels, you can run Windows or Linux alongside Mac OS X. It's like dogs sleeping with cats… pure pandemonium.

So, what security risks does this introduce? The biggest risk is trusting the virtual machines too much and believing they are completely isolated from each other (they are not). Virtual machines share an infrastructure, including network connections, parts of the hard drive, some memory and so forth. Also, don't believe a virtual machine is a firewall. Firewalls are firewalls. Our company is currently researching the potential risks of virtual machines. Our biggest concern is that a bad guy may learn how to escape a virtual machine, jumping from one guest into another guest or into the underlying host operating system. This would be bad, and would dispel many security assumptions. However, there are currently no publicly available virtual machine escape tools that let attackers jump from guest to host.

But because of this possibility, you should carefully harden and use security tools (antivirus, antispyware, and personal firewalls) on all of your systems, both real and virtual. Maintain their security and don't implicitly trust the isolation of your virtual environment. While it is possible that we'll never see a public virtual machine escape program, creating such a thing is non-trivial (believe me, I know!). However, because of the risk, don't let your guard down. Carefully protect your virtual machines just as you do your real ones.

This was first published in August 2006
