VMware's ESXi will cost you if not secured properly
Now that ESXi has been released for free, it is even more important to concentrate on how to secure this version of ESX. Lowering the cost will undoubtedly increase the number of users in small- and mid-sized companies, and in the enterprise as well.
Despite a design that calls for it to be pre-installed or embedded, I have blogged before that ESXi shouldn't be treated only as an appliance, especially as regards security. Additional hardening steps are required to make it reasonably secure.
There are very good guides out there now to harden the GNU/Linux service console specifically the Defense Information Systems Agency's Secure Technology Installation Guide ( DISA/STIG) and CIS Security Benchmark which both reference the UNIX and Linux guides respectively as a basis for ESX.
The guides concentrate on a subset of the entire virtual environment which includes ESX, and the VMs, but is not limited to them.
However, the descriptions of what the guides actually cover are imprecise enough that one reader may think they cover only ESX and others will think they cover everything about VM security. But that is another discussion.
The 'Console' for ESXi is an implementation of the Posix variant of Unix within a Busybox framework, and it has many features that you will find in the full blown GNU/Linux service console, including Pluggable Authentication Modules, usernames and passwords, and daemons like Secure Shells (SSH). While enabling SSH within ESXi is not recommended by me nor supported by VMware, I imagine it is enabled on a majority of installs.
This implies now that the hardening guidelines for SSH should be now used, as well as anything related directly to PAM modules, users, and passwords.
But since with SSH enabled users can login to the system, we now need to be concerned about file permissions, and in advertent information leakage about virtual machines, and the system itself.
While ESXi is sold as an appliance and has some hardening guidelines from VMware, the Busybox'Console' should also be hardened as well using standard GNU/Linux hardening guidelines specifically adjusted for ESXi.
Virtualization expert Edward L. Haletky is the author of "VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers," Pearson Education (2008.) He recently left Hewlett-Packard, where he worked in the Virtualization, Linux, and High-Performance Technical Computing teams. Haletky owns AstroArch Consulting, providing virtualization, security, and network consulting and development. Haletky is also a champion and moderator for the VMware discussion forums, providing answers to security and configuration questions.
» posted by ITworld staff
CIO.com
Build your tech library with our book giveaways.
Windows PowerShell 2.0 Unleashed
By Tyson Kopczynski, Pete Handley, Marco Shaw; Published by Sams
Windows PowerShell Unleashed will not only give you deep mastery over PowerShell but also a greater understanding of the features being introduced in PowerShell 2.0–and show you how to use it to solve your challenges in your production environment. Enter now!
Ubuntu Server Administration
By Michael Jang; Published by McGraw-Hill Osborne Media
Realize a dynamic, stable, and secure Ubuntu Server environment with expert guidance, tips, and techniques from a Linux professional. Ubuntu Server Administration covers every facet of system management -- from users and file systems to performance tuning and troubleshooting. Enter now!
