1.3 Understanding your Oracle VM Environment

To better understand your security needs, ask yourself the following questions:

  • Which resources am I protecting?

    The resources in an Oracle VM environment are the components previously listed: the Oracle VM Manager application and the Oracle Linux operating system it runs on, the Oracle VM Servers (domain 0 OS instances), and the guest virtual machines, including those that serve as templates. The last of these is the most straightforward to understand, and is similar to protecting the data and applications of non-virtual systems, but is more complicated in a virtualized environment because a compromised guest puts not only its own contents at risk, but also exposes its neighbors and the infrastructure they use to the same risks. The network and storage resources upon which they depend must not be forgotten, as they also represent resources that must be protected, and are potential points of attack. Each of these has unique protection requirements that should be understood.

  • From whom am I protecting the resources?

    The Oracle VM Server environment must be protected from physical intrusions, but most notably from network based attacks via any of the networks to which the systems are connected. If this is an Internet-facing environment, then resources must be protected from everyone on the Internet. If this is an intranet environment, it needs to be protected from unauthorized actions by employees or contractors. Since virtual machine environments are typically multi-user, multi-tenancy environments, the users should be protected from one another. Access to virtual machine assets, such as consoles, should only be provided to individuals responsible for operating them, just as with physical machines. System administrators should have access to only the resources needed to do their job, both to protect from errors or deliberate penetration on their parts, but also to protect against inadvertent compromise if their computers or login credentials are compromised. You might consider giving access to highly confidential data or strategic resources to only a few well trusted system administrators.

  • What will happen if the protections on strategic resources fail?

    A failure in security protection can cause substantial damage, depending on which resource has been compromised. Understanding the security ramifications of each resource will help you protect it properly. A security failure with a guest virtual machine obviously compromises the data and applications residing in that guest, but also provides an intruder an attack vector that can be used to attack other guests and the Oracle VM Server, for example, by snooping their network traffic, mounting a denial of service attack, or spoofing their IP addresses. Compromising an Oracle VM Server would additionally permit an attacker to gain access to guests' virtual disks and consoles, or cause outages. A compromised Oracle VM Manager instance would permit an intruder to gain control of the server pool's resources, gain access to virtual disks and consoles, and attack all the servers and disks.

For all these reasons, the most secure environment will be based on the defense in depth principle, in which there are multiple layers of protection so that a failure in one area, such as a compromised password, does not place the entire environment at risk.