Problem solve Get help with specific problems with your technologies, process and projects.

What are the security risks associated with virtual PCs?

Since Virtual PCs enable you to run multiple operating systems simultaneously on a single piece of hardware, they can introduce risks into your networking environment. In this information security threats Q&A, Ed Skoudis examines what these risks are, and what you can do to mitigate them.

What are the security risks associated with virtual PCs (Workstations)?
Virtual machines are very popular today, as they allow you to run multiple operating systems simultaneously on a single piece of hardware. Using tools like VMware, you can run several Windows machines on top of Linux, or run Linux on top of Windows. With Virtual PC (Microsoft's product), you can run Linux or Windows on Windows. And, with Parallels, you can run Windows or Linux along side of Mac OS X. It's like dogs sleeping with cats… pure pandemonium.

So, what security risks does this introduce? The biggest risk is trusting the virtual machines too much and believing they are completely isolated from each other (they are not). Virtual machines share an infrastructure, including network connections, parts of the hard drive, some memory and so forth. Also, don't believe a virtual machine is a firewall. Firewalls are firewalls. Our company is currently researching the potential risks of virtual machines. Our biggest concern is that a bad guy may learn how to escape a virtual machine, jumping from one guest into another guest or into the underlying host operating system. This would be bad, and would dispel many security assumptions. However, there are currently no publicly available virtual machine escape tools that let attackers jump from guest to host.

But because of this possibility, you should carefully harden and use security tools (antivirus, antispyware, and personal firewalls) on all of your systems, both real and virtual. Maintain their security and don't implicitly trust the isolation of your virtual environment. While it is possible that we'll never see a public virtual machine escape program, creating such a thing is non-trivial (believe me, I know!). However, because of the risk, don't let your guard down. Carefully protect your virtual machines just as you do your real ones.

This was last published in August 2006

Dig Deeper on Emerging cyberattacks and threats