VMware ESXi security: Protecting VMs, VMkernel and the network

The VMware ESXi hypervisor is natively relatively secure, but you can boost ESXi security further by protecting the VMkernel, the virtual machines themselves and the virtual network layer.

As a Type 1 hypervisor, VMware ESXi operates like firmware installed directly on top of the computer hardware. Type 1 hypervisors do not run on a host operating system, which means there is no additional protection required for an OS. But, you still have to secure three other components of the infrastructure if you want solid ESXi security.

Guard the VMkernel
First, VMware security involves protecting the VMkernel, which controls communication with the server hardware. There’s not much you need to do to secure the kernel. It’s already secured using kernel module integrity, memory hardening and the Trusted Platform Module. The only ESXi security feature that you might have to enable manually is the Trusted Platform Module, which helps the kernel verify the hardware it’s using. You can enable this VMware security feature in the server BIOS, as well as in the ESXi advanced settings.

Secure individual VMs
The second layer of ESXi security is the VMs themselves. By design, VMs are isolated machines that can communicate with the hypervisor but aren't capable of interfering with each other. However, a VM can still mount a denial-of-service (DoS) attack on its neighbours: if one VM consumes all the available resources, the other VMs cannot be reached.

To prevent DoS attacks on your VMs, set a limit on the CPU cycles that each VM can use at any time, so that there is always enough capacity left for the other VMs.
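The following script is an added example, not part of the original article or of VMware's own tooling. It plans per-VM CPU reservations and limits for one host and checks the two rules that make the "always enough capacity left" goal hold: no VM's limit may be below its reservation, and the sum of all reservations must fit inside the host capacity minus a headroom slice kept for the VMkernel. The host capacity, the 10% headroom and the VM list are constructed sample values; the emitted sched.cpu.* keys are the .vmx scheduler settings the author of this example assumes ESXi uses for reservation (MHz), limit (MHz) and shares, and are shown for review rather than written to any file.

```shell
#!/bin/sh
# Added example: CPU reservation/limit planner for the VMs on one ESXi host.
# All inputs below are constructed sample values.

HOST_MHZ=24000               # constructed: e.g. 2 sockets x 6 cores x 2.0 GHz
HYPERVISOR_HEADROOM_PCT=10   # keep 10% of the host for the VMkernel and management

# One VM per line: name:reservation_mhz:limit_mhz (constructed sample plan)
VM_PLAN="web01:2000:6000
db01:6000:12000
batch01:1000:4000"

# usable_mhz CAPACITY PCT -> capacity left for VMs after the headroom slice
usable_mhz() {
  echo $(( $1 - $1 * $2 / 100 ))
}

# total_reserved PLAN -> sum of the reservation column
total_reserved() {
  total=0
  for entry in $1; do
    res=$(echo "$entry" | cut -d: -f2)
    total=$(( total + res ))
  done
  echo "$total"
}

# validate_plan PLAN CAPACITY PCT -> "ok: ..." and status 0, or the first
# problem found and status 1. A limit below its reservation is a contradiction
# (the scheduler cannot guarantee more than it allows), and reservations that
# add up to more than the usable capacity cannot all be honoured at once.
validate_plan() {
  plan=$1; cap=$2; pct=$3
  budget=$(usable_mhz "$cap" "$pct")
  for entry in $plan; do
    name=$(echo "$entry" | cut -d: -f1)
    res=$(echo "$entry" | cut -d: -f2)
    lim=$(echo "$entry" | cut -d: -f3)
    if [ "$lim" -lt "$res" ]; then
      echo "error: $name limit ${lim}MHz is below its reservation ${res}MHz"
      return 1
    fi
  done
  reserved=$(total_reserved "$plan")
  if [ "$reserved" -gt "$budget" ]; then
    echo "error: reservations total ${reserved}MHz, exceeds usable ${budget}MHz"
    return 1
  fi
  echo "ok: ${reserved}MHz reserved of ${budget}MHz usable"
}

# vmx_lines NAME RES LIM -> assumed .vmx scheduler keys for one VM
vmx_lines() {
  printf '# %s\nsched.cpu.units = "mhz"\nsched.cpu.min = "%s"\nsched.cpu.max = "%s"\nsched.cpu.shares = "normal"\n' "$1" "$2" "$3"
}

# Stand-alone run: validate, then print the settings for each VM
validate_plan "$VM_PLAN" "$HOST_MHZ" "$HYPERVISOR_HEADROOM_PCT"
for entry in $VM_PLAN; do
  vmx_lines "$(echo "$entry" | cut -d: -f1)" "$(echo "$entry" | cut -d: -f2)" "$(echo "$entry" | cut -d: -f3)"
done
```

The limit (sched.cpu.max) is what stops a runaway VM from starving its neighbours; the reservation (sched.cpu.min) is what guarantees each neighbour its floor. A plan that only sets limits still allows one VM to be squeezed if the others are busy, which is why the script checks both.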

It goes without saying that you should also take appropriate measures to protect the OS instance in the VM itself.

Protect the virtual network
The final aspect of ESXi security is the virtual network layer, which consists of virtual network cards (virtual NICs) and virtual switches (vSwitches). Securing the VMware ESXi network is essential because not only does it allow the VMs to communicate with the outside world, it’s also used for management, communication between hosts and connections to iSCSI or network-attached storage.

First, make sure that different parts of the ESXi network are isolated from each other. When you install ESXi, VMware security measures take care of this automatically. The hypervisor uses different vSwitches for management and communication between virtual nodes, and VMware lets you use virtual LAN technology to completely isolate nodes on different networks. But that’s not all. You should configure a firewall as well, which requires that you know exactly which network ports should be open in your configuration.
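Knowing which ports should be open is only useful if the host firewall actually enforces that list. The script below is an added example, not from the article or from VMware, that expresses the host firewall policy declaratively and applies it with esxcli (the ESXi Shell command-line tool). The ruleset ids used in the sample policy (sshServer, vSphereClient, ntpClient, syslog, CIMSLP, snmp) are the names ESXi reports in "esxcli network firewall ruleset list"; which of them to enable, disable or restrict is an assumption for illustration, and 192.0.2.0/24 is a constructed management subnet. DRY_RUN=1 (the default) prints the commands instead of executing them, so the policy can be reviewed before it is applied on a host.

```shell
#!/bin/sh
# Added example: declarative ESXi host firewall policy applied through esxcli.
# DRY_RUN=1 prints each command instead of running it.
DRY_RUN=${DRY_RUN:-1}
MGMT_NET=${MGMT_NET:-192.0.2.0/24}   # constructed management subnet (documentation range)

# Constructed sample policy, one "ruleset-id:action" per line.
#   enable   - open to any source (outbound-only services such as NTP/syslog)
#   restrict - open only to the management subnet
#   disable  - closed; unused services should not listen at all
POLICY="sshServer:restrict
vSphereClient:restrict
ntpClient:enable
syslog:enable
CIMSLP:disable
snmp:disable"

# run CMD... -> execute, or just print when DRY_RUN=1
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# cmds_for RULESET ACTION -> the esxcli commands that implement one policy line
cmds_for() {
  rs=$1
  case $2 in
    disable)
      echo "esxcli network firewall ruleset set --ruleset-id=$rs --enabled=false" ;;
    enable)
      echo "esxcli network firewall ruleset set --ruleset-id=$rs --enabled=true"
      echo "esxcli network firewall ruleset set --ruleset-id=$rs --allowed-all=true" ;;
    restrict)
      echo "esxcli network firewall ruleset set --ruleset-id=$rs --enabled=true"
      echo "esxcli network firewall ruleset set --ruleset-id=$rs --allowed-all=false"
      echo "esxcli network firewall ruleset allowedip add --ruleset-id=$rs --ip-address=$MGMT_NET" ;;
    *)
      echo "unknown action '$2' for ruleset $rs" >&2
      return 1 ;;
  esac
}

# apply_policy POLICY -> turn the firewall on with a deny default, apply every
# line, then reload the rules
apply_policy() {
  # esxcli expresses "default deny" as --default-action=false
  run esxcli network firewall set --enabled=true --default-action=false
  for line in $1; do
    rs=${line%%:*}
    action=${line#*:}
    cmds_for "$rs" "$action" | while IFS= read -r cmd; do
      run $cmd
    done
  done
  run esxcli network firewall refresh
}

# Stand-alone run: with DRY_RUN=1 this only prints the command list
apply_policy "$POLICY"
```

When a ruleset is restricted, the allowed-IP list must cover every legitimate client (the vCenter Server and the admin workstations for vSphereClient, for instance), otherwise the restriction locks out management as effectively as it locks out an attacker. Check the result on the host with "esxcli network firewall ruleset allowedip list" before disconnecting the console session.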

VMware ESXi security can make or break your infrastructure. Take these important VMware security measures to protect each VM, the VMkernel and the virtual network.

This was first published in October 2011
