by Edward L. Haletky

VMware’s Free ESXi Will Cost You if it’s Not Secured Properly

Aug 06, 20083 mins

Cutting the price of the embedded version of ESX will expand its user base, but it will also make customers vulnerable if they assume "appliance" means "secure out of the box."

Now that ESXi has been released for free, it is even more important to concentrate on how to secure this version of ESX. Lowering the cost will undoubtedly increase the number of users in small- and mid-sized companies, and in the enterprise as well.

Despite a design that calls for it to be pre-installed or embedded, I have blogged before that ESXi shouldn’t be treated only as an appliance, especially as regards security. Additional hardening steps are required to make it reasonably secure.

There are very good guides out there now to harden the GNU/Linux service console specifically the Defense Information Systems Agency’s Secure Technology Installation Guide (DISA/STIG) and CIS Security Benchmark which both reference the UNIX and Linux guides respectively as a basis for ESX.

The guides concentrate on a subset of the entire virtual environment which includes ESX, and the VMs, but is not limited to them.

However, the descriptions of what the guides actually cover are imprecise enough that one reader may think they cover only ESX and others will think they cover everything about VM security. But that is another discussion.

The ‘Console’ for ESXi is an implementation of the Posix variant of Unix within a Busyboxframework, and it has many features that you will find in the full blown GNU/Linux service console, including Pluggable Authentication Modules, usernames and passwords, and daemons like Secure Shell (SSH). While enabling SSH within ESXi is not recommended by me nor supported by VMware, I imagine it is enabled on a majority of installs.

This implies now that the hardening guidelines for SSH should be now used, as well as anything related directly to PAM modules, users, and passwords.

But since with SSH enabled users can login to the system, we now need to be concerned about file permissions, and inadvertent information leakage about virtual machines, and the system itself.

While ESXi is sold as an appliance and has some hardening guidelines from VMware, the Busybox ‘Console’ should also be hardened as well using standard GNU/Linux hardening guidelines specifically adjusted for ESXi.

Virtualization expert Edward L. Haletky is the author of “VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers,” Pearson Education (2008.) He recently left Hewlett-Packard, where he worked in the Virtualization, Linux, and High-Performance Technical Computing teams. Haletky owns AstroArch Consulting, providing virtualization, security, and network consulting and development. Haletky is also a champion and moderator for the VMware discussion forums, providing answers to security and configuration questions.