PCs

Keep your virtual machine off my network

A growing danger occuring on IT networks today is rogue virtual machines on desktop systems. Lack of knowledge on how to handle this new security issue could leave you scratching your head.
AIn a typical network environment, you can prevent rogue desktops or servers from being attached to your network by having policies in place. When it comes to virtual machines, it is very difficult to prevent their introduction to your network due to lack of knowledge or proper policies.

For example, your company might let users run one of the following desktop virtualization platforms:

  • Microsoft Virtual PC 2007
  • VMware Workstation
  • Virtual Box
  • Parallels

When users have this virtualization software installed on their desktops, they have the keys to the castle if no policy or security is in place. Let me explain. Each virtual machine you create has a virtual switch. Your virtual machines can be connected to your physical NIC by bridged networking or Network Address Translation (NAT).

When you have a virtual machine connected to the network with a bridged connection, your MAC address and IP are visible on your LAN. NAT translation allows you to connect a VM to your network via the physical NIC. This type of VM is hard to track, as it looks like it is coming from the physical computer using the same MAC address.

Machines that have this kind of access can do real harm on your network. For example, a marketing person loads a VM for a demo and loads a DHCP server. This could cause problems if the VM is handing out IP addresses. Another example would be a machine that is not patched and introduces a virus onto your network. A whole host of issues could occur.

So how can we lock it down?

  • Disable virtual network interfaces on desktop computers
  • Audit systems with third-party software or VM policies
  • Move  to managing virtual machines centrally instead of on each desktop computer

It is important to deal with this new threat before you are overwhelmed with a swarm of virtual machines on your network.

4 comments
Steven S. Warren
Steven S. Warren

Tell us how you are handling the wave of virtual machines on your network.

Merlin the Wiz
Merlin the Wiz

the same way I handle my real machines. All of the real machines I am responsible for have virtual machines and they have the same firewall, AV, spyware tools and use different dedicated ip addresses. Anything else is not allowed. Most of my users have a virtual machine for their job function and a separate virtual machine for internet access only. Very few of them need internet access for their job function. That way if they something happens, I just delete the virtual machine and re-create it. I have never had a problem on a real machine. One user has a need for four virtual machines due to his job. We, he and I have worked very closely to keep all five of his network appearances secure. It is actually easier to setup a virtual machine to give an individual position workgroup access than it is to attempt to control all of the group permissions. This is probably a hold over from the days of dedicated servers and dumb terminals for workstations rather than PCs for workstations. It is amazing how well a 3.2 GHz Pentium IV with 3 Gigabytes of ram runs the real machine and four 512 megabyte virtual machines.

The 'G-Man.'
The 'G-Man.'

I need OS 5 licences per machine instead of one! Do you have enough licences to cover all that?

Merlin the Wiz
Merlin the Wiz

Yes, we have five licenses for the virtual software, OS, firewall, and anti virus are on this one set of hardware. I never said we were Microsoft only, and I did not say we were Open Source only. We are a mix and even use Windows 98 on some positions. All of the real machines are still running Windows XP.Very little software ever gets discarded, and Depending on the OS And the licensing agreements, we always have more OS licenses than are required.

Editor's Picks