Securing your VMware infrastructure is a multi-layered process: you need to guard the ESXi hosts, virtual machines...
and the hypervisor itself. VMware ESXihas taken center stage in vSphere 5, but the hypervisor comes with some new ESXi security considerations.
More on VMware ESXi security
VMware security best practices guide
VMware security cheat sheet for PCI DSS 2.0 compliance
Top 10 VMware security tips for vShield users
Breaking down the VMware vShield security suite
There are lots of ways to ensure solid VMware ESXi security. Configuring the ESXi firewall correctly, adding network security, and locking down user accounts are all paramount. It’s also a good idea to learn about the new security features in vSphere 5.
The answers to the following frequently asked questions about VMware ESXi security will help you outline all the components you need to protect, harden your infrastructure, and bring to light some new VMware security capabilities.
What components should I focus on for VMware ESXi security?
ESXi is natively pretty secure. Type 1 hypervisors such as VMware ESXi do not run on a host operating system, meaning there is no additional protection required for an OS. To boost ESXi security, though, you can manually configure some additional VMkernel settings. You should also make sure different parts of the ESXi network are isolated from one another, and secure individual virtual machines.
What’s new in vSphere 5 security?
You’ve probably heard that VMware updated its security suite to vShield 5, but the new virtualization platform also offers logging improvements, an ESXi firewall and a new way to securely deploy ESXi hosts. To boost vSphere security, the Auto Deploy feature helps you deploy numerous hosts at once and configures those hosts with Host Profiles to ensure consistency. With Auto Deploy, for instance, you can make sure your firewall settings are exactly the same for all ESXi hosts in a cluster.
How can I secure the ESXi hypervisor?
You can maximize VMware hypervisor security by implementing both physical and virtual firewalls. Also make sure to distribute host resources so that a single VM doesn’t over-consume and cause an outage. You can do so by creating resource pools and assigning them to set VMs. In vSphere 5, the Storage I/O Control and Network I/O Control features provide additional resource control.
You can also secure the hypervisor by ensuring that only one user can access a VM’s console at once, which can occur if you have remote users connecting simultaneously. And finally, don’t let administrators have too much power. Create specific user accounts and enable Lockdown Mode on your ESXi hosts, which prevents direct access to them though APIs, command-line utilities and the vSphere Client.
What are some VMware security breaches I should watch out for?
Some areas are easier for hackers to penetrate than others: the host management console, ESXi remote consoles, VM data stores and the network. If someone accesses the virtual machine disk file in the data store, they can copy the entire VM and upload it elsewhere. To avoid VMware security breaches, you also need to protect the virtual network. Miscommunication between the server and network teams can easily result in incorrect configurations when moving a VM between virtual LANs, for instance.
How do VMware user accounts provide ESXi security?
You can increase ESXi security by creating user accounts for each host and customizing those accounts. VMware comes with default accounts, but it’s best to add new ones with specific privileges. That way, you have more control about who can do what on each host. The process of customizing VMware user accounts is pretty simple, and you can also assign permissions to individual users or groups of users.
How do I configure the VMware ESXi firewall?
VSphere 5 introduced a new ESXi firewall that you can configure with the vSphere Client or the command line. Enabled by default, this stateless firewall works a bit differently than the ESX Server firewall in the way it defines port rules for services. With the VMware ESXi firewall, you can also specify the IP addresses or range of addresses that are allowed to access each service for remote hosts.