The release of VMware vSphere 5 brought a number of vSphere security enhancements. Here are the top five vSphere security features you need to know about in the new version:
1. ESXi firewall
With ESX Server being discontinued with VMware vSphere 5, VMware took action to ensure that ESXi has all the security capabilities needed to fulfill its role as the company’s sole hypervisor. One of the features VMware admins were used to in ESX was the stateful Linux-based iptables firewall.
With VMware vSphere 5, the company added a firewall to ESXi. This firewall is a service-based firewall, tied to the specific applications you start on a host. Unlike most firewalls, it’s a stateless firewall that only protects the VMkernel interface (not the virtual machine network).
You can configure the ESXi firewall from the vSphere Client under the Configuration tab and Security Profile.
2. VMware vShield 5
While it’s not a required piece of VMware vSphere 5, the vShield suite is your best bet for locking down a vSphere 5 environment. New features include:
- Data Security option, which scans data flowing across a virtual infrastructure (especially sensitive company data)
- Role-based access control
- Application-aware firewalling
- Multi-tenant IP zones
- Static routing in vShield Edge
3. Logging improvements
The three cornerstones of vSphere security are authentication, authorization and accounting. Of course, accounting (also called logging) provides an accurate log of who does what and when. VMware vSphere 5 includes a number of improvements to its accounting capabilities.
VMware vSphere 5 includes more options for centralized logging and data collection in the event of a server crash. Built into the new vCenter Server Appliance (vCSA) as well as the Windows version of vCenter 5 are options to easily enable centralized syslog and dump collection capabilities. You simply turn these options on from the vCSA Web interface (Figure 1).
You can no longer use the vSphere Management Assistant for ESXi log collection; you have to use the standard syslog mechanisms. If you have a syslog infrastructure already (to log things such as router and switch events), adding ESXi hosts to that system is a great option. (In other words, you don’t have to use the vCSA if you don’t want to.) The vCenter for Windows installation media contains the option to install the syslog server and dump collector.
4. Auto Deploy and Host Profile enhancements
For shops that need to roll out ESXi hosts en masse, VMware vSphere 5 offers a great new way to ensure host security in the process. The new Auto Deploy feature uses PXE booting to boot servers and install ESXi 5. Once installed, those servers are configured using Host Profiles (which have also been enhanced in vSphere 5).
Host Profiles improve vSphere security by ensuring that all ESXi servers in the infrastructure are configured the same way. For instance, you can ensure that SSH is disabled on all hosts or that a certain port is open on the firewall. You could also use Host Profiles to configure the network time protocol and syslog logging on all ESXi hosts.
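The consistency that Host Profiles enforce can also be spot-checked from command output, as in this added example (not from the original article or from VMware). It assumes the text of `esxcli network firewall ruleset list` and `esxcli system syslog config get` has already been collected per host; the host names, log host and baseline values are hypothetical, and the sample output is constructed.

```python
import re

# Constructed sample output per host, in the layout assumed for
# `esxcli network firewall ruleset list` and `esxcli system syslog config get`.
HOSTS = {
    "esx01": ("""Name       Enabled
---------  -------
sshServer    false
ntpClient     true
syslog        true
""", "   Log Output: /scratch/log\n   Remote Host: udp://loghost.example.com:514\n"),
    "esx02": ("""Name       Enabled
---------  -------
sshServer     true
ntpClient     true
syslog       false
""", "   Log Output: /scratch/log\n   Remote Host: <none>\n"),
}

# Hypothetical baseline: the settings a Host Profile would enforce.
BASELINE_RULESETS = {"sshServer": False, "ntpClient": True, "syslog": True}
BASELINE_LOGHOST = "udp://loghost.example.com:514"

def parse_rulesets(text):
    """Return {ruleset: enabled}; header and separator rows do not match."""
    rows = re.findall(r"^(\S+)[ \t]+(true|false)[ \t]*$", text, re.MULTILINE)
    return {name: state == "true" for name, state in rows}

def parse_loghost(text):
    """Return the configured remote syslog target, or None when unset."""
    m = re.search(r"^[ \t]*Remote Host:[ \t]*(\S+)[ \t]*$", text, re.MULTILINE)
    return None if m is None or m.group(1) == "<none>" else m.group(1)

def audit(ruleset_text, syslog_text):
    """List every deviation from the baseline; a missing ruleset counts as drift."""
    actual, findings = parse_rulesets(ruleset_text), []
    for name, want in sorted(BASELINE_RULESETS.items()):
        got = actual.get(name)
        if got is not want:
            findings.append(f"firewall ruleset {name}: expected {want}, found {got}")
    loghost = parse_loghost(syslog_text)
    if loghost != BASELINE_LOGHOST:
        findings.append(f"syslog remote host: expected {BASELINE_LOGHOST}, found {loghost}")
    return findings

if __name__ == "__main__":
    for host, outputs in sorted(HOSTS.items()):
        print(host, audit(*outputs) or "matches baseline")
```

A host that stops forwarding logs or reopens the SSH ruleset shows up as drift here even if no one has re-run a profile compliance check.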
5. Root password during interactive installation
I know it isn’t really a vSphere 5 security “feature,” but one of the first things I noticed when I went to install ESXi 5 is that I was prompted for a root password before the installation started. With ESXi 4.1, the installation would complete and the root account would have a blank password. Most admins would go in and immediately change it, but it’s easy to forget, and having a host with a blank password is a major vSphere security concern.
Bonus: Host image profile acceptance levels
Most of the notorious Windows “blue screen of death” issues are caused by third-party drivers installed in the OS. The equivalent “purple screen of death” can appear with vSphere if you have driver issues. To prevent these problems and boost vSphere security, VMware has created the host image profile acceptance level in VMware vSphere 5. This feature allows you to specify acceptable sources of ESXi drivers.
For instance, you could configure it to only accept drivers from VMware or VMware partners who certified their drivers. This improves vSphere security by ensuring that your servers don’t contain malicious drivers from unknown sources. If an attacker can compromise the ESXi hypervisor, they may be able to compromise the virtual machines and application data.
This was first published in January 2012