Is Hyper-V secure enough for the enterprise?

Microsoft Hyper-V's code is linked closely with the often-patched and often-attacked Windows operating system. And that's raised some serious questions about Hyper-V security.

Virtualisation market leader VMware Inc. has made major security improvements to its new vSphere 4, offering VMsafe application programming interfaces. As Microsoft ramps up its battle against VMware with Hyper-V R2, its own security features will come under additional scrutiny.

"The biggest issue with Hyper-V is it's still built on Windows," said Rick Scherer, a VMware evangelist who writes at VMwareTips.com. "I'm not saying that they haven't made improvements in leaps and bounds, but the thing is, they'll always be the first one to be attacked."

VMware vs. Hyper-V security features
The core functions of any hypervisor -- whether from Microsoft, VMware or Citrix Systems Inc. -- are roughly the same, Scherer said. The real difference is in the platforms on which they run.

"It really comes down to the actions of administrators making it as secure as they want it to be," Scherer said. "The issue is, [Microsoft is] always a huge step behind."

That could certainly change if VMware attracts more attention from intruders who are bent on causing disruptions, he acknowledged.

"Now that VMware is becoming more mainstream, who knows what's going to happen?" he added.

Chris Wolf, an analyst at Burton Group noted other problems with Hyper-V security.

"With Hyper-V, there's one security issue important to large enterprises: the ability to monitor virtual network traffic," Wolf said. That isn't addressed by Microsoft, he noted.

"Right now, Hyper-V does not have the capabilities to allow a third-party security application to do traffic monitoring and enforcement within the virtual network," he added. "It's still not changed in [Windows Server 2008] R2."

The problem is, with virtualisation, you can't rely solely on physical security measures, so you have to "monitor and protect your systems from virtual machines attacking other virtual machines," Wolf said. "If you are not monitoring virtual traffic, there's no way you can detect those types of attacks."

Burton Group has named only two hypervisors as being enterprise-ready so far: VMware Infrastructure 3 and higher, and Citrix XenServer 5.5 Enterprise with Essentials 5.5 Platinum Edition.

According to a February report by Burton Group, Hyper-V's shortcomings include a lack of priority restart capabilities for a virtual machine following a failover, a lack of live migration capabilities (which Microsoft will add in R2) and a lack of support for at least two virtual CPUs per guest operating system.

To Microsoft's credit, Hyper-V does get protection from the security features built into the Windows Server 2008 operating system, Wolf said. For example, granular role-based access controls enable administrators to restrict access for individual users.

Others said the perceived Hyper-V security issues are not fatal flaws.

The key to securing Hyper-V and other hypervisors is a good patching regimen, said Greg Shields, an independent virtualisation expert and partner at Concentrated Technology in Denver. He said Microsoft gets more than its fair share of criticism about security because its Windows OSes have been in use for years and are thus the most popular targets for hackers.

"A lot of people want to talk about Windows and all the patching it gets," Shields said. "There are a very similar number of vulnerabilities that appear in every operating system. VMware and XenSource require patching, too. With the assumption that you maintain an effective layer of updating, you will have just as easy a time as the next person using Hyper-V."

If users keep their Windows environments patched and properly maintained, Hyper-V will be fully protected and ready for business use, said Mike Schutz, the director of product management at Microsoft's Windows Server division.

"Our approach to virtual security is that certainly you have to start with a secure platform," Schutz said.

Hyper-V includes dedicated security components, but the tools built into Windows Server -- including BitLocker for drive encryption, Network Access Protection and IPsec -- also bolster security, Schutz added.

But because the tools used to secure physical hardware are also secure virtual environments, the task of securing virtual environments has been made easier, he said.

"There certainly are a lot of similarities, but the virtual environment does provide new opportunities and new threats," Schutz said.