We have often heard phrases such as “a chain is only as strong as its weakest link”, and in security that phrase really rings true. No matter how securely you configure an application, if the operating system is set up in an insecure manner then the application will always be at risk. This is especially true when it comes to virtualization. An insecure hypervisor leaves the guest machines running on that infrastructure exposed to numerous kinds of risk. Many configuration options are available when you install the hypervisor, and if you aren’t careful you’ll check a box that exposes your system to MAC spoofing or allows guest machines to see network traffic that was not intended for them, to give just two examples.
So how do you know what a proper configuration should look like? Thankfully, a couple of documents exist that can guide you in the secure setup of your ESX server. The first is the CIS ESX Server 3.x Benchmark. The second is none other than VMware’s own VMware Infrastructure 3 Security Hardening guide. You will find common recommendations between the two, but in my experience the VMware guideline locks down the hypervisor even further, which makes it harder for an attacker to exploit any weaknesses. As with any change made in a production environment, be sure to test these configuration changes thoroughly in your QA/staging environment so you do not run into any unexpected issues.
Even after you download these guidelines, how can you verify that the settings are correct within your own environment? You could do this manually, but that is laborious and error-prone, so I guess this is where I plug Tripwire (I do like the checks they give me every couple of weeks). In this case, however, I’m not saying you have to purchase anything: you can download Tripwire ConfigCheck, which will not only check the configuration state of your hypervisor but will also provide remediation guidance if you decide you want to correct a setting. This free utility currently checks your settings against the VMware Infrastructure 3 Security Hardening guideline. Of course, not all security tests are created equal, so you’ll want to pay attention to certain settings first; those will be covered in my next blog post.
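To make the idea of a configuration check concrete, here is a small added example (my own illustration, not code from the original post, from Tripwire ConfigCheck, or from VMware). It takes the two misconfigurations mentioned above, a virtual switch that allows MAC address changes or forged transmits (MAC spoofing) and one that allows promiscuous mode (guests seeing traffic not meant for them), and compares each vSwitch’s security policy against the hardened value of Reject, printing remediation guidance for every deviation. The inventory dictionary is constructed for the example; on a real host these values come from the VI Client or the VI API, not from a hand-written dict.

```python
"""Minimal vSwitch security-policy compliance check (illustrative, not ConfigCheck)."""

# The three vSwitch security-policy settings; the hardened value for each is Reject.
HARDENED_POLICY = {
    "PromiscuousMode": "Reject",
    "MACAddressChanges": "Reject",
    "ForgedTransmits": "Reject",
}

# Remediation text shown for each non-compliant setting (written for this example).
REMEDIATION = {
    "PromiscuousMode": (
        "Accept lets a guest vNIC receive all frames on the port group, so one VM can "
        "sniff its neighbours. Set to Reject unless a dedicated monitoring VM needs it."
    ),
    "MACAddressChanges": (
        "Accept lets a guest OS change its effective MAC address and receive frames "
        "for another MAC. Set to Reject to block MAC spoofing on inbound traffic."
    ),
    "ForgedTransmits": (
        "Accept lets a guest send frames with a source MAC other than its own. "
        "Set to Reject to block MAC spoofing on outbound traffic."
    ),
}


def check_vswitch(policy):
    """Return a list of (setting, current, expected) tuples for every deviation.

    A setting that is missing from the policy is reported as 'unset' rather than
    silently treated as compliant, because the safe assumption is that the host
    is NOT hardened until proven otherwise.
    """
    findings = []
    for setting, expected in HARDENED_POLICY.items():
        current = policy.get(setting, "unset")
        if str(current).lower() != expected.lower():
            findings.append((setting, current, expected))
    return findings


def check_inventory(inventory):
    """Map each vSwitch name to its findings; compliant switches get an empty list."""
    return {name: check_vswitch(policy) for name, policy in inventory.items()}


def report(inventory):
    """Print a ConfigCheck-style summary and return the number of failing switches."""
    results = check_inventory(inventory)
    failing = 0
    for name, findings in results.items():
        if not findings:
            print(f"[PASS] {name}")
            continue
        failing += 1
        print(f"[FAIL] {name}")
        for setting, current, expected in findings:
            print(f"    {setting}: {current} (expected {expected})")
            print(f"    -> {REMEDIATION[setting]}")
    return failing


# Constructed sample inventory: one hardened switch, one switch allowing MAC
# spoofing, and one switch where promiscuous mode was left enabled.
SAMPLE_INVENTORY = {
    "vSwitch0": {
        "PromiscuousMode": "Reject",
        "MACAddressChanges": "Reject",
        "ForgedTransmits": "Reject",
    },
    "vSwitch1": {
        "PromiscuousMode": "Reject",
        "MACAddressChanges": "Accept",
        "ForgedTransmits": "Accept",
    },
    "vSwitch2": {
        "PromiscuousMode": "Accept",
        # MACAddressChanges deliberately missing: reported as 'unset'
        "ForgedTransmits": "Reject",
    },
}

if __name__ == "__main__":
    report(SAMPLE_INVENTORY)
```

Running the script prints one PASS line for vSwitch0 and FAIL blocks for the other two, each followed by the remediation text, which is the same shape of output a practitioner wants from any compliance checker: the setting, its current value, the expected value, and why it matters.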
So now you have a starting point to test and correct any security issues with your ESX environment.