How Red Hat and KVM Ease Virtualization Technology Transition

Posted by Mark Teter, Chief Technology Officer
July 27, 2011

Virtualization technology has swept the IT industry. Businesses everywhere are latching onto virtualization technology as a way to increase the utilization of their IT investments, reduce costs, and increase IT management efficiency.

Despite these benefits, the thought of switching to a virtualized technology infrastructure gives pause to even some of the most educated CIOs. Technology confusion and vendor choices aside, the dread of physical-to-virtual transitions stems from concerns over security, performance, and scalability. These three issues have emerged as the main challenges organizations face when making the transition from a totally physical IT infrastructure to one that is increasingly virtualized.

Fortunately, one vendor in particular has made gains in addressing these fears. With its Kernel-based Virtual Machine (KVM) hypervisor, Red Hat Enterprise Linux 6 has made significant progress in all three of these key areas, making it a capable contender in the enterprise virtualization marketplace.

This blog will focus on the security concerns, and our next blog will tackle the performance and scalability fears with the physical-to-virtual transition.

Security

Anyone who runs a computing environment, whether physical or virtual, is concerned about network and data security. So let’s set the record straight regarding virtual servers and security; virtual machines (VMs) are neither more nor less secure than physical machines. Virtual servers require all the same network and data security precautions, patches, and due diligence you’d apply to physical servers.

Now that we’ve got that out of the way, let’s discuss how Red Hat has enhanced the network and data security on its virtualization technology solution. Red Hat Enterprise Linux 6 (RHEL 6) introduces a number of new identity and authentication features, such as the new System Security Services Daemon, which provides centralized access to identity and authentication resources. Additionally, all RHEL 6 packages now include a 4096-bit RSA hardware signing key.

Other new network and data security technologies in RHEL 6 include the sVirt API to secure virtualization. In RHEL 6, Red Hat integrated sVirt with Security-Enhanced Linux (SELinux) as a way to provide additional security to virtual guests. In effect, this minimizes the number of interfaces between the virtual guest and the KVM host, exposing only a small attack surface that you can closely monitor and audit.

Should a virtualized guest manage to break the KVM containment, it would likely attempt to manipulate the image of another guest or to access files or network ports. Since all of those resources are also labeled within SELinux, and each guest carries its own label, RHEL 6 prohibits the escaped guest from accessing anything that does not carry its label.
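As an added illustration (not part of the original post), the script below audits the per-guest labeling that this paragraph relies on: each qemu-kvm process should run as svirt_t with its own pair of MCS categories, and each disk image should carry the categories of exactly one guest. The `ps -eZ` and `ls -Z` samples are constructed; on a real RHEL 6 host you would feed it the live output of those two commands.

```python
import re
from collections import Counter
# Constructed samples standing in for `ps -eZ | grep qemu-kvm` and
# `ls -Z /var/lib/libvirt/images` on an sVirt-enabled RHEL 6 host.
PS_SAMPLE = """\
system_u:system_r:svirt_t:s0:c104,c911  1234 ?  00:00:03 qemu-kvm
system_u:system_r:svirt_t:s0:c372,c758  1250 ?  00:00:02 qemu-kvm
system_u:system_r:svirt_t:s0:c104,c911  1299 ?  00:00:01 qemu-kvm
unconfined_u:unconfined_r:unconfined_t:s0 1310 ?  00:00:00 qemu-kvm
"""
LS_SAMPLE = """\
-rw-------. qemu qemu system_u:object_r:svirt_image_t:s0:c104,c911 web01.img
-rw-------. qemu qemu system_u:object_r:svirt_image_t:s0:c372,c758 db01.img
-rw-------. qemu qemu system_u:object_r:svirt_image_t:s0 shared.img
"""
LABEL_RE = re.compile(r"([^:\s]+):([^:\s]+):([^:\s]+):(s\d+)(?::(c\d+(?:,c\d+)*))?")

def parse_label(label):
    """Split an SELinux context into (type, frozenset of MCS categories)."""
    m = LABEL_RE.match(label)
    if not m:
        raise ValueError("not an SELinux context: %r" % label)
    return m.group(3), (frozenset(m.group(5).split(",")) if m.group(5) else frozenset())

def parse_ps(text):
    """Map each qemu-kvm PID to its (type, categories) from `ps -eZ` output."""
    rows = (line.split() for line in text.splitlines())
    return {r[1]: parse_label(r[0]) for r in rows if r and r[-1] == "qemu-kvm"}

def parse_ls(text):
    """Map each image file name to its (type, categories) from `ls -Z` output."""
    rows = (line.split() for line in text.splitlines())
    return {r[-1]: parse_label(r[-2]) for r in rows if len(r) >= 2}

def audit(ps_text, ls_text):
    """Return findings that weaken the per-guest isolation sVirt is meant to give."""
    guests, images, findings = parse_ps(ps_text), parse_ls(ls_text), []
    for pid, (stype, cats) in guests.items():
        if stype != "svirt_t":
            findings.append("pid %s is not confined by sVirt (runs as %s)" % (pid, stype))
    # Two guests with the same category pair can reach each other's labeled resources.
    for cats, n in Counter(c for t, c in guests.values() if t == "svirt_t" and c).items():
        if n > 1:
            findings.append("%d guests share categories %s" % (n, ",".join(sorted(cats))))
    # An svirt_image_t file with no categories is dominated by, hence reachable from, every guest.
    for name, (itype, cats) in images.items():
        if itype == "svirt_image_t" and not cats:
            findings.append("%s carries no MCS categories; every svirt_t guest can reach it" % name)
    return findings
```

An empty list from `audit` means every guest is confined, no two guests share a category pair, and no image is left open to all guests.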

Furthermore, with the Red Hat Enterprise Virtualization (RHEV) system management layer, the virtualized guest's SELinux identifier can even be passed along with the virtual guest as part of a live migration, so this protection moves with it.

Therefore, sVirt perfectly demonstrates the power of KVM integrated with Linux. Without KVM, Red Hat would have had to implement these network and data security features twice to achieve a similar level of protection, as other vendors have had to do with their virtualization technology solutions.

Come back in a few days and we’ll show you how Red Hat and KVM are addressing the performance and scalability concerns.

About Mark Teter

Before he retired from ASG in 2013, Mark Teter was Chief Technology Officer (CTO) and the author of 'Paradigm Shift: Seven Keys of Highly Successful Linux and Open Source Adoptions.' As CTO, Mark regularly advised IT organizations, vendors, and government agencies, and he frequently conducted seminars and training programs.

Filed Under: Virtualization
