The VMware ESXi hypervisor is natively relatively secure, but you can boost ESXi security further by protecting the VMkernel, the virtual machines themselves and the virtual network layer.
As a Type 1 hypervisor, VMware ESXi operates like firmware installed directly on top of the computer hardware. Type 1 hypervisors do not run on a host operating system, which means there is no additional protection required for an OS. But, you still have to secure three other components of the infrastructure if you want solid ESXi security.
Guard the VMkernel
First, VMware security involves protecting the VMkernel, which controls communication with the server hardware. There’s not much you need to do to secure the kernel. It’s already secured using kernel module integrity, memory hardening and the Trusted Platform Module. The only ESXi security feature that you might have to enable manually is the Trusted Platform Module, which helps the kernel verify the hardware it’s using. You can enable this VMware security feature in the server BIOS, as well as in the ESXi advanced settings.
Secure individual VMs
The second layer of ESXi security is the VMs themselves. By design, VMs are isolated machines that can communicate with the hypervisor, but aren't capable of interfering with each other. However, in a Denial of Service (DoS) attack, one VM uses all the available resources and the other VMs cannot be reached.
To prevent DoS attacks on your VMs, configure the amount of CPU cycles that a VM can use at any time, ensuring that there's always enough capacity left for the other VMs.
It goes without saying that you should also take appropriate measures to protect the OS instance in the VM itself.
Protect the virtual network
The final aspect of ESXi security is the virtual network layer, which consists of virtual network cards (virtual NICs) and virtual switches (vSwitches). Securing the VMware ESXi network is essential because not only does it allow the VMs to communicate with the outside world, it’s also used for management, communication between hosts and connections to iSCSI or network-attached storage.
First, make sure that different parts of the ESXi network are isolated from each other. When you install ESXi, VMware security measures take care of this automatically. The hypervisor uses different vSwitches for management and communication between virtual nodes, and VMware lets you use virtual LAN technology to completely isolate nodes on different networks. But that’s not all. You should configure a firewall as well, which requires that you know exactly which network ports should be open in your configuration.
VMware ESXi security can make or break your infrastructure. Take these important VMware security measures to protect each VM, the VMkernel and the virtual network.