In my last blog I hopefully pointed you down the path to testing the security configuration of your ESX server. By the way, this is not the end all be all for your security needs but just another arrow in your quiver of defense in depth. No one product is going to completely provide security–heck lots of products together can’t guarantee that statement.
But, I digress, so after you ran Tripwire ConfigCheck (ok more blatant plugging) you probably got a very dismal score. Do not be alarmed (or maybe be very alarmed) because in my experience this is very typical. When I visit with customers and run the initial assessment of their environments (physical and virtual) I see scores in the 30 – 65% range as quite normal. So where do you begin correcting these security weaknesses? First, before I make any generic recommendations, I would suggest that you talk with your Security Department (as I am assuming that you are more than likely the ESX Administrator) because there may already be corporate policies for the failed tests.
What?? No formally written corporate policies? I’m shocked! Ok, I’m actually not because again I see this quite often with my customers. I am going to point out a few tests in particular that if you failed you should immediately look into correcting. I’d like to take credit and say this is earth shattering news but in fact I am rehashing what many others have already said. Hopefully, if enough people write about this, people will start to take it seriously.
Segment your VMotion network onto its own physical network. It is well known that the when a virtual machine is moved from one server to another it is moved in the clear text, including what is written in memory. Depending on what the server does any number of things could be in memory and many a hacker would love to get their hands on this information.
Do not enable promiscuous mode. This may be useful for debugging from time to time but the use should be well documented because this feature could allow someone on the VM network to sniff traffic not intended for their virtual machine.
Disable both forged transmissions and MAC address changes. This will prevent MAC spoofing in an attempt to circumvent network routing security. These settings are enabled by default so take care when installing ESX.
This is a small sample of the many configuration tests that are checked but in the research I have done these appear to always rise to the top on everyone’s watch list.
Finally, if you haven’t evaluated the security of your ESX environment then take 10 minutes and run ConfigCheck. I’m not ashamed to plug this little utility because it will give you a starting point to understand areas of weakness. However, if you don’t like VMware’s recommendation, then use CIS. Ok, if you don’t like CIS then look at the new DISA STIG.
My point in all this is to do something. So many people just ignore security because it’s not their traditional job but if you work for a company and you manage their ESX environment, then it is YOUR job to make sure that environment is secure from malicious use.