While guest domains are not part of the execution environment, they are the most likely target for an attack because they are connected to the network. An attacker who breaches a virtualized system can launch attacks on the execution environment.
The operating system on the guest domain is often the first line of defense against any attack. With the exception of attacks that originate within the datacenter, an attacker must break into a guest domain that has external connections before attempting to break guest domain isolation and capture the complete environment. Therefore, you must harden the guest domain's OS.
To further harden the OS, you can deploy your application in Solaris Zones, which place an additional layer of isolation between the application's network service and the operating system of the guest domain. A successful attack on the service compromises only the zone and not the underlying operating system, which prevents the attacker from expanding control beyond the resources that are allocated to the zone. As a result, it is more difficult for the attacker to go on to break guest domain isolation. For more information about securing the guest OS, see Oracle Solaris 10 Security Guidelines and Oracle Solaris 11 Security Guidelines.
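The following added example (not from the Oracle documentation) audits the text of `zonecfg -z <zone> export` for settings that bound what a compromised zone can modify or consume. The zone name `web1`, the sample exports and the choice of checks are assumptions, and `file-mac-profile` applies to Oracle Solaris 11 only.

```shell
#!/bin/sh
# Added example: audit `zonecfg -z <zone> export` output (read on stdin).
# Prints one finding per line; returns 0 only when there are none.
audit_zone_export() {
    cfg=$(cat)
    rc=0
    # has PATTERN: true when some line of the export matches the ERE.
    has() { printf '%s\n' "$cfg" | grep -Eq "$1"; }
    finding() { echo "FINDING: $1"; rc=1; }

    # Immutable zone (Solaris 11): the zone's root file system is read-only.
    has '^set file-mac-profile=(strict|fixed-configuration|flexible-configuration)$' ||
        finding "zone root is writable (file-mac-profile unset or none)"
    has '^add capped-memory$' ||
        finding "no memory cap (capped-memory)"
    has '^add (capped|dedicated)-cpu$|^set name=zone\.cpu-cap$' ||
        finding "no CPU bound (capped-cpu, dedicated-cpu or zone.cpu-cap)"
    has '^set name=zone\.max-(lwps|processes)$|^set max-(lwps|processes)=' ||
        finding "no LWP/process limit (max-lwps or max-processes)"
    return $rc
}

# Constructed sample exports, not taken from a real system.
sample_default() { cat <<'EOF'
create -b
set zonepath=/zones/web1
set brand=solaris
set autoboot=true
set ip-type=exclusive
add anet
set linkname=net0
set lower-link=auto
end
EOF
}
sample_hardened() { sample_default; cat <<'EOF'
set file-mac-profile=fixed-configuration
add capped-memory
set physical=4G
end
add capped-cpu
set ncpus=2
end
add rctl
set name=zone.max-lwps
add value (priv=privileged,limit=2000,action=deny)
end
EOF
}
echo "== default ==";  sample_default  | audit_zone_export || true
echo "== hardened =="; sample_hardened | audit_zone_export && echo "no findings"
```

On a guest domain, pipe the real export into the function: `zonecfg -z web1 export | audit_zone_export`.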