The VMware ESXi hypervisor is natively relatively secure, but you can boost ESXi security further by protecting the VMkernel, the virtual machines themselves and the virtual network layer.
As a Type 1 hypervisor, VMware ESXi operates like firmware installed directly on top of the computer hardware. Type 1 hypervisors do not run on a host operating system, which means there is no additional protection required for an OS. But, you still have to secure three other components of the infrastructure if you want solid ESXi security.
Guard the VMkernel
First, VMware
security involves protecting the VMkernel, which controls communication with the server
hardware. There’s not much you need to do to secure the kernel. It’s already secured using kernel
module integrity, memory hardening and the Trusted Platform Module. The only ESXi security feature
that you might have to enable manually is the Trusted Platform Module, which helps the kernel
verify the hardware it’s using. You can enable this VMware security feature in the server BIOS, as
well as in the ESXi advanced settings.
Requires Free Membership to View
When you register, my team of editors will also send you alerts covering all areas of VMware, such as implementing VMware-related virtualization technologies for server consolidation, disaster recovery and backup strategies, management and performance, VM migration and more.
Margie Semilof, Editorial Director
Secure individual VMs
The second layer of ESXi security is the VMs themselves. By design, VMs are isolated machines
that can communicate with the hypervisor, but aren't capable of interfering with each other.
However, in a Denial of Service (DoS) attack, one VM uses all the available resources and the other
VMs cannot be reached.
To prevent DoS attacks on your VMs, configure the amount of CPU cycles that a VM can use at any time, ensuring that there's always enough capacity left for the other VMs.
It goes without saying that you should also take appropriate measures to protect the OS instance in the VM itself.
Protect the virtual network
The final aspect of ESXi security is the virtual
network layer, which consists of virtual network cards (virtual NICs) and virtual switches
(vSwitches). Securing the VMware ESXi network is essential because not only does it allow the VMs
to communicate with the outside world, it’s also used for management, communication between hosts
and connections to iSCSI or network-attached storage.
First, make sure that different parts of the ESXi network are isolated from each other. When you install ESXi, VMware security measures take care of this automatically. The hypervisor uses different vSwitches for management and communication between virtual nodes, and VMware lets you use virtual LAN technology to completely isolate nodes on different networks. But that’s not all. You should configure a firewall as well, which requires that you know exactly which network ports should be open in your configuration.
VMware ESXi security can make or break your infrastructure. Take these important VMware security measures to protect each VM, the VMkernel and the virtual network.
This was first published in October 2011
Join the conversationComment
Share
Comments
Results
Contribute to the conversation