S 2.449 Minimum use of console accesses to virtual IT systems

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

Many commonly used solutions for virtualising IT systems allow the administrator either to log in locally on the virtualisation server or to connect to the virtualisation software over the network from a remote workstation with the help of client software (e.g. Citrix XenCenter or the VMware console). This client software is used to configure, monitor and maintain the virtualisation software on the virtualisation server. For server virtualisation products, however, it must also be used to reach the consoles of the virtual machines. Because of the architecture of virtual IT systems this is normally the only way to do so, since a virtual IT system has no physical console. In this way the operating status of a virtual machine can be observed even while it boots, for example, before any network service of the guest is available.

In server virtualisation, virtual IT systems consist solely of virtual hardware components. These devices, such as network cards, mass storage devices and graphics cards, must be emulated by the virtualisation software. For network cards and mass storage devices the commands issued by the virtual IT system can normally be passed on to the respective physical devices with little effort, so that no complete emulation is required. Graphics cards, however, must normally be emulated completely by the virtualisation software. For performance reasons the virtualisation software therefore only pretends to the virtual IT system that a graphics card is permanently present; the actual emulation is started only when the console interface of the virtual IT system is accessed. This normally consumes considerable processor and memory resources on the virtualisation server.

Since console accesses to virtual IT systems therefore have a strong influence on the performance of the virtualisation server and its administration software, they must be limited to the absolute minimum.

Virtual IT systems should therefore not be controlled via console access but via the network, e.g. via RDP or via X Window with the help of SSH tunnelling (X11 forwarding). Console access should be reserved for situations in which the network path is not available, such as monitoring the boot process or diagnosing a virtual IT system that can no longer be reached over the network.
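The following shell functions show the network-based access recommended above in working form: an RDP session to a Windows guest carried through an SSH tunnel via a jump host, and an X11 session to a Linux guest forwarded over SSH. This is an added example and not part of the safeguard text; the host names jump.example.net and vm01.internal, the user name admin and the local port 13389 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from S 2.449): reach a virtual IT system over the
# network rather than through the hypervisor console.
# Assumed names: jump.example.net (SSH jump host reachable from the admin
# workstation), vm01.internal (the virtual machine), user "admin".

# Print the ssh command that forwards a loopback port on the workstation to
# the VM's RDP port (3389) through the jump host.
#   -N  open no remote shell, only the forwarding
#   -f  go to the background once the tunnel is up
#   ExitOnForwardFailure=yes  fail instead of silently running without the
#       forwarding if the local port is already in use
# Binding to 127.0.0.1 keeps the forwarded port off the workstation's
# other interfaces.
tunnel_cmd() {
    jump=$1; vm=$2; remote_port=$3; local_port=$4
    printf 'ssh -f -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s admin@%s' \
        "$local_port" "$vm" "$remote_port" "$jump"
}

# Open the tunnel and start an RDP client against its local end. The
# unquoted $(...) splits the printed command into words and runs it; host
# names and ports contain no whitespace, so no eval is needed.
rdp_over_tunnel() {
    jump=$1; vm=$2; local_port=${3:-13389}
    $(tunnel_cmd "$jump" "$vm" 3389 "$local_port") || return 1
    xfreerdp /v:"127.0.0.1:$local_port" /u:admin
}

# X11 session for a Linux guest: ssh -X forwards the X display, so the
# application window appears on the workstation without any console access.
x11_over_ssh() {
    ssh -X admin@"$1" xterm
}

# Example call (assumed hosts):
#   rdp_over_tunnel jump.example.net vm01.internal
#   x11_over_ssh vm01.internal
```

With this in place the hypervisor console client (XenCenter, VMware console) is only opened when the guest is not yet reachable over the network, such as during boot, and the graphics emulation described above is not started for routine administration.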

Review questions: