Category: Virtualization
2011-09-12 20:55:50
VMware Tools are an optional set of drivers and utilities that improve the performance and manageability of virtual machines. But there’s a debate about whether the benefits of installing VMware Tools outweigh the potential virtual security risks that it introduces.
On one hand, VMware Tools replaces many of the guest operating system drivers that were designed for physical hardware. These optimized drivers can drastically improve performance and functionality (e.g., providing copy-and-paste capabilities between the host and VM). But the installation of VMware Tools also adds potential virtual security vulnerabilities to an otherwise secure infrastructure.
In this face-off, two experts debate the merits of running VMware Tools.
Creating unnecessary virtual security risks with VMware Tools
vs.
Realizing a virtual infrastructure’s potential with VMware Tools
Creating unnecessary virtual security risks with VMware Tools
By Edward Haletky, Contributor
VMware Tools, specifically its paravirtualized drivers, are often the attacked components of virtual machines. As such, I recommend using native guest OS drivers when possible and reserving the installation of paravirtualized drivers for must-have VM functionality.
Paravirtualized drivers are aware of the underlying virtualization layer, so they can take shortcuts through the driver layer, specifically to directly call the shared memory segment between the guest OS and the VM object. But they add another attack surface to your virtual infrastructure. In theory, attacking these drivers could lead to a denial of service (crashing the VM) or a hacker escaping the VM (gaining access to other VMs or the host) -- a big fear in virtualization today.
Many attacks of the Escape-the-VM nature have been successful against nearly every type-2 hypervisor, such as VMware Fusion, Player, Workstation and Server as well as Microsoft Virtual Server and Oracle VirtualBox. But no attack has successfully gained access to another VM within any bare-metal hypervisor, such as VMware vSphere, Citrix Systems XenServer or Microsoft Hyper-V.
However, there have been several VMware Tools paravirtualization drivers that have caused security problems in vSphere:
Paravirtualized drivers should deliver must-have functionality to a VM, and you should opt for guest OS drivers when possible to limit virtual security risks.
By Eric Siebert, Contributor
The rewards gained from installing VMware Tools far outweigh the slight virtual security risks it introduces.
VMware Tools isn’t required and a VM can run OK without them, but you’d miss out on a lot of features and functionality by not installing them. More importantly, forgoing VMware Tools prevents a VM from reaching its full performance potential.
The Windows operating system, for example, includes generic hardware drivers based on industry-standard physical hardware. In a Windows guest, VMware Tools replaces those generic drivers with ones that are optimized for virtualization and that deliver better performance.
In addition, installing VMware Tools supplies VMware’s high-performance virtual hardware, such as the pvSCSI adapter, the VMXNET3 network adapter and the VMCI adapter.
VMware Tools also provides other, important functionality:
VMware Tools also helps in other, little ways. It can sync a VM’s clock to a host, which is important for logging and authentication. It allows better integration with remote console sessions. Without VMware Tools, for example, mouse control is erratic in a VM, and you constantly have to press CTRL+ALT to release the cursor from console windows. VMware Tools also adds a higher resolution display driver, which makes it easier to interact with a VM.
I understand the virtual security implications but I’ve never heard of anyone using VMware Tools to compromise the hypervisor, VMs or hosts. Even VMware doesn’t recommend against running VMware Tools for security reasons. Instead, the company recommends disabling some functionality -- such as the clipboard for copying and pasting -- in the .
Without VMware Tools, your environment becomes more difficult to manage and less efficient. I personally think the rewards that you gain from using VMware Tools far outweigh any slight risks you may take by not installing them.
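The recommendation mentioned above, disabling clipboard copy and paste rather than removing VMware Tools, can be checked per VM. The following is an added example, not part of the original article and not VMware's own tooling: it assumes the settings are kept in the VM's .vmx file as `key = "value"` lines, uses the `isolation.tools.*` option names from VMware's hardening guidance, and runs against a constructed sample file.

```python
import re

# Clipboard-related options and the value that disables each feature.
# Assumption: option names are matched case-insensitively.
REQUIRED = {
    "isolation.tools.copy.disable": "true",
    "isolation.tools.paste.disable": "true",
    "isolation.tools.setGUIOptions.enable": "false",
}

# Matches: key = "value"   (lines starting with '#' are skipped)
LINE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')

# Constructed sample, not taken from a real VM.
SAMPLE_VMX = '''\
.encoding = "UTF-8"
displayName = "web01"
# constructed sample
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "FALSE"
'''


def parse_vmx(text):
    """Parse key = "value" lines into a dict; the last duplicate wins."""
    settings = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def audit_clipboard(text):
    """Return {option: reason} for each clipboard option that is unset or wrong.

    An unset option is reported too, so the result never relies on a
    product default.
    """
    settings = parse_vmx(text)
    findings = {}
    for key, want in REQUIRED.items():
        have = settings.get(key.lower())
        if have is None:
            findings[key] = "not set"
        elif have.strip().lower() != want:
            findings[key] = f'set to "{have}", expected "{want.upper()}"'
    return findings


if __name__ == "__main__":
    for option, reason in audit_clipboard(SAMPLE_VMX).items():
        print(f"{option}: {reason}")
```
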