
New ESXi and vSphere 5 Security Features

September 12th, 2011

As most of you know, I spend a significant amount of my time with virtualization technologies and discussing virt security, with a sprinkling of cloud thrown in. Given the recent updates to VMware’s vSphere product line, I decided to post a simple summary of the available security features and capabilities in the product, namely in vCenter and ESXi v5. These are in no particular order, and I’m not striving to be the most thorough in any of these. For those of you looking to get a fairly quick overview, as well as some key pointers and additional resources that I’ve found useful, this should be helpful.

1. A New ESXi Firewall: Although many would argue that the firewall capabilities built into previous versions of ESX were, umm…less than adequate, we all got a real shock when ESXi didn’t even give us THAT much. So…now we’ve got one. Albeit a STATELESS one (aaargh!). For those of you used to managing the ESX firewall through the vCenter management console, you’re in luck – the location is the same, and the general layout is similar, as well. Simply navigate to Configuration –> Security Profile and you’ll see it right away, as shown here:

There are some new features to be aware of. First, you can now configure incoming and outbound TCP and UDP ports, which is a plus. By selecting Properties, you can choose existing rules and modify the ports, as well as IP addresses and subnets that can connect, as shown here:

You can also configure the firewall rules at the ESXi Shell, or via SSH. This is where you’ll likely want to configure any specific rulesets that require definition of custom services. There are several options for doing so. The first is to modify the existing XML files at /etc/vmware/firewall/service.xml and /etc/vmware/service/service.xml. These files contain information on existing services that are recognized on the host platform. Another option is to define new and customized files in the /etc/vmware/firewall folder. You’ll need to define any specific services you want, as well as the direction (inbound/outbound), protocol, ports, etc. An example of a service called (what else) Shack is shown here:
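Since the screenshot did not survive, here is an added example (not the original post’s own file) of what such a custom service definition could look like, assuming a file /etc/vmware/firewall/shack.xml; the service name Shack is the post’s, the port 8080 and the service id 0100 are constructed:

```xml
<!-- /etc/vmware/firewall/shack.xml: added example of a custom ESXi 5 firewall
     service definition. Port 8080 and the service id 0100 are constructed values. -->
<ConfigRoot>
  <!-- The id attribute must be unique across all files in /etc/vmware/firewall -->
  <service id="0100">
    <!-- Name shown by "esxcli network firewall ruleset list" -->
    <id>Shack</id>
    <!-- Inbound rule: accept TCP connections to destination port 8080 -->
    <rule id="0000">
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>8080</port>
    </rule>
    <!-- Outbound rule: let the host open TCP connections to port 8080 -->
    <rule id="0001">
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>8080</port>
    </rule>
    <!-- Ship the ruleset disabled so it only opens when an admin enables it;
         "required" stays false because no host service depends on it -->
    <enabled>false</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
```

After esxcli network firewall refresh, the Shack ruleset appears in the ruleset list and can be limited to specific sources with esxcli network firewall ruleset set --ruleset-id=Shack --allowed-all=false followed by esxcli network firewall ruleset allowedip add --ruleset-id=Shack --ip-address=&lt;subnet&gt;.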


To ensure this gets included in the ruleset, run the command esxcli network firewall refresh. To see the firewall list of services, you can then run the command esxcli network firewall ruleset list. This is shown in the next screenshot:

Now, you can start tweaking things more seriously by ensuring not everyone can connect to these services, and specifying the IP addresses that *are* allowed. The next screenshot includes those commands:

A great list of the new esxcli firewall commands can be found at VMware’s site here.

2. Enhanced Logging: ESXi v5 has a different, more granular set of Syslog capabilities and files than previous versions. TCP, UDP, and TCPS (SSL)-based logging are all supported, along with multiple log hosts, built-in size and rotation control, etc. For admins and security/audit folks who have hunted all over the place for log and config files and tried to tweak settings for them in the past, the latest version will likely be a Godsend. The configuration for logging is broken into several components. The default syslog config file is called /etc/vmsyslog.conf, and contains minimal information by default. Individual files for specific log types can also be found in the /etc/vmsyslog.conf.d folder. One of these files may look like the following:

Modifying log settings can be done with the esxcli command set. The following are some simple examples:

esxcli system syslog config logger set --id=fdm --rotate=20 --size=2048
This command will set “fdm” logs to rotate up to 20 cycles, with a maximum log size of 2048 KB.

esxcli system syslog config logger list
This command will list the various log types on the host itself.

esxcli system syslog config set --default-rotate 20 --loghost tcp://,ssl://
This command sets the rotation default to 20 for all log types, and sends them to two remote log hosts using TCP and the secure TCP (SSL) protocol implementation.

3. Host Image Profile Acceptance Levels: This is a sort of “integrity level check” for VMware Installation Bundles, or VIBs. Four levels are available that range from very strict (VMware Certified) to downright promiscuous (Community Supported). This can be configured through a host’s Security Profile in vCenter:

4. Other stuff: There are plenty of other security features in ESXi and vSphere in general, not all of which are brand spanking new in v5. v5 does have improved MIB support for SNMP v2, which is an improvement for monitoring hosts. v5 does force you to set a root password prior to accessing any sort of console. Native integration with Active Directory, LDAP, and Kerberos is built-in, and IPSec is natively supported for all 14 organizations using IPv6. The list goes on. Here are a few more GREAT resources that you should familiarize yourself with:

There’ll be plenty more coverage of ESXi 5 and vSphere in general soon as more people start adopting these versions. With that will come more security guidance, to be sure. In fact, Paul Henry, Rob Vandenbrink, and I are updating our SANS course that will cover this and other topics in much more depth, and we’re looking to run this late this year and in January: SEC579 course site.
