Some virtualization technologies offer the ability to modify the security environment of VEs. Configurable security enables you to selectively harden different aspects of a VE by allowing a VE to perform only those actions needed for its workload. An example is immutable service containers, which are described in Chapter 6, "Oracle Solaris Containers."
Any software component has the potential to create a security weakness, and virtualization software is no different. Virtualization software must be subject to the same stringent security analysis as other infrastructure software. For more on this topic, see Solaris Security Essentials.
If the hypervisor can limit inter-VE interaction to that already possible between
separate computers, the hypervisor cannot be used as a covert channel and has
not reduced security compared to separate systems.
1.2 System Virtualization Models
Many different models for system virtualization have been developed. They share many traits, but differences between them abound. Some virtualization features are appropriate for some models but not for others.
Each model can be described in terms of two characteristics: flexibility and isolation. Those two characteristics have an inverse relationship: Typically, the more isolation between VEs, the less flexibility in resource allocation. Conversely, flexibility requires sharing, which reduces isolation. You can then create a spectrum of resource flexibility versus workload isolation and place any particular virtualization model or implementation on that continuum, as shown in Figure 1.15.
Figure 1.15 Virtualization Spectrum