Questions on Locking down ESXi

mikecLA (Weaksauce, joined Jan 20, 2011, 101 messages)
I am about ready to take my server over to a datacenter for colocation and want to make sure I have it as secure as possible before going live.

Management is isolated to one physical LAN card, and the firewall in vSphere is set to only allow access from my LAN IPs and my office IP address. I have it set on SSH Server, vSphere Client and vSphere Web Access. What other checked services should I lock out?

In my networking setup, I have vSwitch1 connected to a different physical NIC, labeled WAN; pfSense is the only VM running there. vSwitch2 is connected to no physical adapters, only pfSense and my VMs, with public IPs NAT routed through pfSense to the correct VMs on the local LAN, with HTTP port forwarding only.

Everything seems to work; the only access from outside my office network is to the websites hosted on the VMs, but I want to make sure, especially about what other services/ports need to be locked down on the management interface.

Thanks ahead of time.
 
Make sure you keep it patched with the latest ESXi patches:

http://www.vmware.com/patchmgr/download.portal

Make sure vSwitch1 for your external traffic is configured in a hardened manner (promiscuous mode disabled, minimum number of ports, etc.). I am sure VMware has a best practices guide for this, too.

Truthfully, the pfSense will be the biggest vulnerability.
 
Well, there is a hardening guide for 5.1 that has been released. A swift Google search for the 5.1 security hardening guide should turn it up. It is broken down by host, vCenter, networking, etc. As for physical security, it is only as safe as the facility makes it.

I can't agree with your decision, if you made it, to dedicate physical NICs to a purpose. If so, you have single points of failure, which is never a good idea. You should team them and use VLANs, if possible, to separate traffic.

You can also go to www.disa.mil, click the STIG link at the bottom of the site, and then go to the master A-Z list (go to E, for ESXi). You can download the draft ESXi 5.1 STIG. It's not in final form, but it isn't a bad companion to the vendor-released guide.

You can do some crazy things, even disabling the DCUI. Some things, like this, are just a bad idea... you may end up so secure it won't work, or, if you have a problem, you are unable to troubleshoot well from remote.
 
> Well, there is a hardening guide for 5.1 that has been released. A swift Google search for the 5.1 security hardening guide should turn it up. It is broken down by host, vCenter, networking, etc. As for physical security, it is only as safe as the facility makes it.
>
> I can't agree with your decision, if you made it, to dedicate physical NICs to a purpose. If so, you have single points of failure, which is never a good idea. You should team them and use VLANs, if possible, to separate traffic.
>
> You can also go to www.disa.mil, click the STIG link at the bottom of the site, and then go to the master A-Z list (go to E, for ESXi). You can download the draft ESXi 5.1 STIG. It's not in final form, but it isn't a bad companion to the vendor-released guide.
>
> You can do some crazy things, even disabling the DCUI. Some things, like this, are just a bad idea... you may end up so secure it won't work, or, if you have a problem, you are unable to troubleshoot well from remote.

Thanks!

Took me a while, but I finally figured it out... Teamed 2 NICs, VLANs set up, and the ESXi firewall is set to only allow management connections from two static IPs, one of which I am usually at; if not, I can use LogMeIn to get to that computer and add an IP from wherever I may be.
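The allow-list the OP ends up with (SSH, vSphere Client and Web Access reachable only from a couple of static IPs) and the vSwitch hardening suggested in the first reply (promiscuous mode off on the WAN-facing vSwitch) can both be scripted from the ESXi Shell with esxcli. The script below is an added example, not code from this thread or from VMware; it assumes the ESXi 5.x ruleset ids (sshServer, vSphereClient, webAccess, the CIM rulesets, snmp) and the default vSwitch name, and the IP addresses in it are constructed placeholders to replace with your own management stations.

```shell
#!/bin/sh
# Added example, not code from the thread: lock down ESXi 5.x management
# services with esxcli (allow-list of admin IPs on SSH / vSphere Client /
# Web Access, unneeded services closed) and harden the WAN-facing vSwitch
# (promiscuous mode, MAC changes and forged transmits rejected).
# Run in the ESXi Shell or over SSH as root. Ruleset ids and the vSwitch
# name are the ESXi 5.x defaults; the IP addresses are placeholders.
# Pass "dry-run" (or set ESXCLI="echo esxcli") to print the commands
# instead of executing them.

ESXCLI="${ESXCLI:-esxcli}"

# Management services that must stay reachable, from admin stations only.
MGMT_RULESETS="sshServer vSphereClient webAccess"

# Admin station addresses (placeholders): one host plus an office subnet.
ALLOWED_IPS="203.0.113.10 198.51.100.0/24"

# Services nothing at the colo needs to reach; close them completely.
DISABLE_RULESETS="CIMHttpServer CIMHttpsServer CIMSLP snmp"

# Internet-facing vSwitch that carries only the pfSense WAN uplink.
WAN_VSWITCH="vSwitch1"

# restrict_ruleset RULESET IP...  -- switch RULESET from "allow all" to an
# explicit allow-list of source addresses.
restrict_ruleset() {
  rs="$1"; shift
  $ESXCLI network firewall ruleset set --ruleset-id "$rs" --allowed-all false
  for ip in "$@"; do
    $ESXCLI network firewall ruleset allowedip add --ruleset-id "$rs" --ip-address "$ip"
  done
}

# disable_ruleset RULESET -- turn the service's firewall ruleset off entirely.
disable_ruleset() {
  $ESXCLI network firewall ruleset set --ruleset-id "$1" --enabled false
}

# harden_vswitch VSWITCH -- reject promiscuous mode, MAC address changes and
# forged transmits so a compromised VM cannot sniff or spoof on that switch.
harden_vswitch() {
  $ESXCLI network vswitch standard policy security set --vswitch-name "$1" \
    --allow-promiscuous false --allow-mac-change false --allow-forged-transmits false
}

# harden_host -- apply everything above. Default action "false" means the
# host firewall drops anything not matched by an enabled ruleset.
harden_host() {
  $ESXCLI network firewall set --enabled true --default-action false
  for rs in $MGMT_RULESETS; do
    restrict_ruleset "$rs" $ALLOWED_IPS   # word splitting of the list is intended
  done
  for rs in $DISABLE_RULESETS; do
    disable_ruleset "$rs"
  done
  harden_vswitch "$WAN_VSWITCH"
}

# show_state -- review afterwards: which rulesets are enabled, which still
# accept "All" sources, and the vSwitch security policy now in force.
show_state() {
  $ESXCLI network firewall ruleset list
  $ESXCLI network firewall ruleset allowedip list
  $ESXCLI network vswitch standard policy security get --vswitch-name "$WAN_VSWITCH"
}

case "${1:-}" in
  apply)   harden_host; show_state ;;
  dry-run) ESXCLI="echo esxcli"; harden_host ;;
esac
```

Run it with `dry-run` first and read the commands, then with `apply`. The DCUI ruleset is deliberately left alone so console access remains as a fallback, which is the troubleshooting concern raised earlier in the thread; and since the SSH ruleset is on the list, make sure the address you are connected from is among the allowed IPs before applying, or the session you are running it from is the one that gets cut off.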
 
> Make sure you keep it patched with the latest ESXi patches:
>
> http://www.vmware.com/patchmgr/download.portal
>
> Make sure vSwitch1 for your external traffic is configured in a hardened manner (promiscuous mode disabled, minimum number of ports, etc.). I am sure VMware has a best practices guide for this, too.
>
> Truthfully, the pfSense will be the biggest vulnerability.

Yikes. I'm about to do this; I thought pfSense was good.

How is it that pfSense is the biggest vulnerability?
 
> Yikes. I'm about to do this; I thought pfSense was good.
>
> How is it that pfSense is the biggest vulnerability?

I was wondering the same thing, but in any event, every VM also has its own firewall.
 
> Well, there is a hardening guide for 5.1 that has been released. A swift Google search for the 5.1 security hardening guide should turn it up. It is broken down by host, vCenter, networking, etc. As for physical security, it is only as safe as the facility makes it.
>
> I can't agree with your decision, if you made it, to dedicate physical NICs to a purpose. If so, you have single points of failure, which is never a good idea. You should team them and use VLANs, if possible, to separate traffic.
>
> You can also go to www.disa.mil, click the STIG link at the bottom of the site, and then go to the master A-Z list (go to E, for ESXi). You can download the draft ESXi 5.1 STIG. It's not in final form, but it isn't a bad companion to the vendor-released guide.
>
> You can do some crazy things, even disabling the DCUI. Some things, like this, are just a bad idea... you may end up so secure it won't work, or, if you have a problem, you are unable to troubleshoot well from remote.

The draft STIG is for 5.0 instead of 5.1 and is pretty useless, since it's just a copy of the hardening guide with a few tweaks that make no sense. I would check out the hardening guide, but use some common sense, as some of the recommendations will cripple your environment.
 
OK, it's a Cisco forum ('09 thread) and pfSense didn't get any hate:

http://www.networking-forum.com/viewtopic.php?t=13819

That should mean something.

Also, FWIW, vulnerability databases:
https://web.nvd.nist.gov/view/vuln/search-results?query=pfsense&search_type=all
http://www.cvedetails.com/product/21763/Pfsense-Pfsense.html?vendor_id=11749

And while I'm on it, is there any better source for vulnerabilities other than the two above? Thanks

EDIT: relevant quotes from the thread

> I'm a big Cisco proponent, and I love the ASAs (with the exception of some obvious flaws, as previously mentioned). However, pfSense has got to be one of the best firewall platforms available. If it'll do what you need it to do, it'll certainly save you a lot of money. I'd also say go with pfSense. I can't speak to how many connections that box could handle, so I'll let the other guy answer that.

> Depends on exactly what you need. If pfSense has all the features you require, a couple boxes in failover is a proven rock solid datacenter deployment. And commercial support is available, still keeping your cost well below a comparable Cisco solution. I've helped numerous customers deploy solutions just like this, from the design stage to configuration and deployment. (I'm one of the founders of the pfSense project, and make most of my living supporting it, and do a lot of PIX/ASA conversions). I'm sure being a Cisco-centric board you're probably going to get a lot of doubters, but it's truly a widely proven solution.

> I like Cisco gear as well, I've been Cisco certified for a decade, and do manage quite a bit of PIX and ASA gear. The quality of their releases, especially with ASDM and constant Java breakage, has really peeved me over the past few years. We would *never* get away with putting out crap releases with such obvious bugs and not fixing them for years, not sure how a multi-billion dollar corporation gets away with things that an open source project would get hammered over. Plus you currently have to run a Java version with security vulnerabilities to use ASDM. Thanks, Cisco... :roll: With that said, I still do like PIX/ASA gear for the most part.

> There is never one solution that's perfect for every environment, sometimes Cisco is a better fit. Datacenter type deployments are one of the best suited for pfSense, so it sounds like it's probably a good solution for your environment.
 