While virtualization lowers cost and increases agility, it can also leave hypervisors vulnerable to security breaches. As Type 1 hypervisors, both ESX and ESXi run directly on server hardware, so there is no underlying operating system that requires additional security. Nonetheless, there are still multiple components to consider to ensure the hypervisor is completely secure.
The following tips offer useful information and best practices for troubleshooting and securing ESX and ESXi, and cover the new security features offered in ESXi 5.
Table of contents:
ESXi firewall functionality in vSphere 5
Previously, only ESX came with a firewall, but with the release of vSphere 5, VMware added a firewall to ESXi. Though not as robust as commercial virtual firewalls, the ESXi firewall is equivalent to the service console firewall on ESX platforms and will help IT pros maintain the security of their environment. Learn more about this firewall, and other security features in vSphere 5.
VMware ESXi security: Protecting VMs, VMkernel and the network
As is the case with all infrastructures, effective, reliable security is paramount to the success of your VMware environment. Fortunately, ESXi is relatively secure, and because it is a Type 1 hypervisor, there is no underlying OS that needs additional protection. For complete ESXi security, however, you must guard the VMkernel, individual VMs and the virtual network as well.
VMware ESXi security FAQ: Guarding the hypervisor, hosts and more
When it comes to securing a VMware ESXi environment, you must consider multiple layers. You also have multiple security methods at your disposal. Understanding your options, as well as new vSphere 5 security features, will help you easily and effectively ensure solid ESXi security.
Replacing self-signed SSL certificates to improve ESXi security
ESXi uses self-signed SSL certificates for a secure connection between client and server. This default setting remains secure, provided the communication stays within a private network. If your organization hopes to establish a remote-management session with a vSphere infrastructure, or simply send traffic over the Internet, you may want to replace the self-signed SSL certificates with certificates signed by a trusted third party to give users an added sense of security.