August 1st, 2008
Desktop virtualization - where should the anti-virus run?
Let’s for a moment visualize a virtualized desktop environment. An operating system offering a type 2 hypervisor is acting as the primary operating system in a desktop virtualization implementation. This could be Linux sporting Xen or KVM. It could be Windows running something like Parallels or Virtual PC. It could be Mac OS running Fusion or Parallels. One person could be using the resources of all of these virtual machines or it could be an environment for a workgroup. The key question is where should the anti-virus software run and why?
One thought would be that the primary operating system should be set up to protect all of the others. This, of course, is unlikely to really work due to the level of isolation the guest operating systems have from the primary operating system. It is likely that a person using one of the guests could still find a way to get into trouble.
Another thought would be to install the anti-virus software on each of the guest operating systems. This approach is problematic as well. While the guests might be well protected, the primary operating system still could become infected and then infect all of the guest operating systems from the inside. Another problem would be the load this could place on the physical system when all of the guests decide that they want to scan for virsuses at the same time.
A third thought is to run virus protection in both the primary and all of the guest operating systems. This approach leads to problems of its own. Just how many copies of virus protection software must the organization acquire to support its IT infrastructure. This approach seems to maximize the number of copies of software that would be required. This seems contrary to the goal of consolidating to achieve greater efficiency.
Some desktop virtualization suppliers, such as Neocleus, suggest that it is wise to consider using a type1 hypervisor to prevent people from logging into the primary operating system and causing the problems seen in examples 2 and 3.
What’s your view? What do you think would be the best approach?
Daniel Kusnetzky is a member of the senior management team of The 451 Group. He is responsible for research and publications on a broad array of technology topics. He examines emerging technology trends, vendor strategies, research and development issues, and end-user integration requirements. You can follow Dan on Twitter. See his full profile and disclosure of his industry affiliations.
Subscribe to Virtually Speaking via Email alerts or RSS.
