Securing a Virtual Machine

M

MrMike

Supreme [H]ardness
Joined
Nov 4, 2000
Messages
6,510
I need a way to secure a virtual machine to it's host. By this I mean once the guest is setup or initially copied to it's host machine, it can not be started by copying it to another machine. A password mechanism to unlock it would be acceptable.

Right now I am using VMware Server 1.0. I am open to other products.

Does anyone have any suggestions aside from writing a script to make use of VMware's API?
 
So you're wanting VMware Server to provide authentication to run the VM? That sounds fair to me. I wonder if a BIOS password can be configured on the VM. Lemme check my setup to see if that can be done.
 
I'm afraid my request isn't that simple. I need some sort of mechanism to prevent the copy of a virtual machine or to prevent it from running besides regular user rights management within the host operating system.

If there was some way I could encrypt the vmx, or compress an entire virtual machine into a single password protected file and set uuid.action = "create" that would also be acceptable.
 
what you need is ESX or ESXi, and virtual center. In a standalone environment, you can configure the user DB of the VC Server machine that's managing the ESX or ESXi hosts so that users can belong to groups, and you change user and group roles. Alternatively, you can make the VCServer machine (physical or VM) a member of a Windows AD and assign roles based on AD authentication.

I do not know of a way to do what you're trying to accomplish in VMWare server. Maybe just write a batch script to lock the VM's files? That's not a way that would provide easy management, though, and if VMWare server attmpted access (say, on reboot) to the file, it would not be able to start (or change the state of) the VM (say, in the instance of adding or removing hardware from the VM).

Or, you could just put the VM on a storage medium that no one else has access to, like a VLAN's iSCSI SAN, a locked NFS mount in a NAS, or on a FC array. That's more of a physical security thing, and would rely on no other users having administrative priveleges to those devices.

Or, run the VM on a laptop. You could also create an ACE package and put it on a thumbdrive (just came to mind).
 
sabregen said:
what you need is ESX or ESXi, and virtual center. In a standalone environment, you can configure the user DB of the VC Server machine that's managing the ESX or ESXi hosts so that users can belong to groups, and you change user and group roles. Alternatively, you can make the VCServer machine (physical or VM) a member of a Windows AD and assign roles based on AD authentication.

I do not know of a way to do what you're trying to accomplish in VMWare server. Maybe just write a batch script to lock the VM's files? That's not a way that would provide easy management, though, and if VMWare server attmpted access (say, on reboot) to the file, it would not be able to start (or change the state of) the VM (say, in the instance of adding or removing hardware from the VM).

Or, you could just put the VM on a storage medium that no one else has access to, like a VLAN's iSCSI SAN, a locked NFS mount in a NAS, or on a FC array. That's more of a physical security thing, and would rely on no other users having administrative priveleges to those devices.
Click to expand...

These are actually the solutions I'm trying to avoid I'm afraid.

sabregen said:
Or, run the VM on a laptop. You could also create an ACE package and put it on a thumbdrive (just came to mind).
Click to expand...

I'm actually unfamiliar with ACE packages. What kind of security do they offer? I think I'll look into this.
 
ACE is just a way of packing a VM into a portable medium. This is going to be another physical security solution, really. It'll allow you to have all of the VM files contained in a single package. The package also includes the ability to run the VM. This would allow you to build a VM using Workstation, Server, Fusion and then when it's all set, you bundle it up in an ACE package, put it on a thumb drive, and take it with you. Wherever you plug the thumg drive in, the Autoplay (it does require a Windows machine to run, IIRC) feature will pop up, and running the executable launches the VM in an interface similar to VMWare Player. You get no abilities to edit the VMs properties though. It's good for loading a 4GB thumbdrive with a VM that has a crapload of troubleshooting tools, for easy portability. Plus, it doesn't scratch like CD.

Not sure if this is what you're looking for, but you want to be the only person that has access to the VM, this might be an option. ACE is a licensed feature, but the ability to create ACE packages comes with Workstation (licensed) and ESX (licensed) by default. You can also buy it on it's own, or get the license for ESXi to make ACE packages. Here's the product page:

http://www.vmware.com/products/ace/ As with most VMWare licensed products, it's got an eval period. This one is 30days
 
sabregen said:
ACE is just a way of packing a VM into a portable medium. This is going to be another physical security solution, really. It'll allow you to have all of the VM files contained in a single package. The package also includes the ability to run the VM. This would allow you to build a VM using Workstation, Server, Fusion and then when it's all set, you bundle it up in an ACE package, put it on a thumb drive, and take it with you. Wherever you plug the thumg drive in, the Autoplay (it does require a Windows machine to run, IIRC) feature will pop up, and running the executable launches the VM in an interface similar to VMWare Player. You get no abilities to edit the VMs properties though. It's good for loading a 4GB thumbdrive with a VM that has a crapload of troubleshooting tools, for easy portability. Plus, it doesn't scratch like CD.

Not sure if this is what you're looking for, but you want to be the only person that has access to the VM, this might be an option. ACE is a licensed feature, but the ability to create ACE packages comes with Workstation (licensed) and ESX (licensed) by default. You can also buy it on it's own, or get the license for ESXi to make ACE packages. Here's the product page:

http://www.vmware.com/products/ace/ As with most VMWare licensed products, it's got an eval period. This one is 30days
Click to expand...

This sounds like exactly what I'm looking for. So I can build a VM like normal, specify uuid.action = "create" in the VMX, and then package it?

I'm going to download the eval and try it out, thanks!
 
I just recently nabbed my VCP, and I'm trying to stay as knowledgeable as possible, but at the risk of unveiling my ignorance, your reference to the uuid.action="create" string for the VMX eludes me. I don't know what that does. :(
 
sabregen said:
I just recently nabbed my VCP, and I'm trying to stay as knowledgeable as possible, but at the risk of unveiling my ignorance, your reference to the uuid.action="create" string for the VMX eludes me. I don't know what that does. :(
Click to expand...

It forces the VM to create a new UUID if you move it and attempt to boot it. That's sufficient for me to secure the VM inside of it as long as the person having access to the VM can't disable that option. :)
 
ACE packaging has copy protection built in. This is exactly what I'm looking for. I'm going to bring this up as a solution in next week's meeting. The cost for ease of management may be worth it. There's no doubt it would make deployment significantly easier.

Licenses can be purchased separately at $99 per client, but it seems like that's for a desktop VM Workstation client being managed. I'll have to ask VMware to get verification if that covers package use, if there's a separate license, or if there isn't one.

Edit: All the package is, is VMware Player and an integrated VM. That doesn't seem like it'd have any license cost.
 
Well, I'm glad I could at least get you pointed in the right direction. I believe they are charging for the ability to do ACE packages because it's a ginifcantly useful feature...and VMWare likes to make money from those. For example:

1) ESXi (installable) is free to download and use.
2) Virtual Center comes with a 60day trial where you get all the cool functions for free
3) You could run two ESXi boxes, and manage them with Center for 60days, to test it out, after that, to license VMotion, HA, DRS, Storage VMotion, etc...you have to pay a fee.
4) All of these features are already built into ESXi, but using them costs money...this is not a new model. ;)
 
You must log in or register to reply here.
Back
Top