VMware's ESXi comes pre-installed on servers, leading some customers to assume they don't have to go through the same security procedures for it that they do on home-grown ESX installs.

Despite its leadership in the virtual server market, VMware has been aware of and preparing for the threat of competition from Microsoft’s Hyper-V hypervisor for long enough to roll out not only strategies, but actual products. One of these is ESXi, a cut-down form of the VMware ESX server designed to be embedded on servers and sold pre-installed and virtual-machine-ready. Dell, HP, and IBM all sell hardware with ESXi embedded.

That makes the installation more convenient. But unfortunately it doesn’t do much about the security of the appliance.

ESXi is part of the larger virtual infrastructure and should be secured just like any other component. Security guidelines from the federal Defense Information Security Agency and VMware’s own Hardening Guidelines start the discussion on this, but they are not sufficient. Securing ESXi includes securing all things that touch it. This implies securing storage, management tools, networks, operations, virtual machines and everything else connected to the virtual infrastructure. Everything that is part of the virtual infrastructure touches on the virtualization server.

Is ESXi more secure than VMware ESX? Yes and no. They both boot the same way, or nearly so. The difference is that instead of booting a management appliance virtual machine that contains GNU/Linux, ESXi boots a management appliance virtual machine that contains a POSIX environment called BusyBox. ESXi cannot be treated as an appliance. Any exploit found should be addressed by VMware and by any vendor implementing ESXi. Just as there are exploits for every other operating system, there are ones for ESXi and for BusyBox.

As with VMware ESX, security patches for VMware ESXi should come directly from VMware.
All you can do is remediate some aspects by implementing better total Virtual Infrastructure Security.

ESXi contains the same VMware daemons that VMware ESX contains, including webAccess, which is subject to a fairly well-known SSL MiTM attack; the vulnerability to that attack exists within ESXi as well as in ESX. Use of webAccess should therefore be restricted to an administrative network.

More and more third-party tools are becoming available to manage both ESX and ESXi. These also need to be coded properly to use the VMware SDK, which runs over VMware webAccess.

In this way VMware ESXi is no different than VMware ESX. Security of ESXi depends on the security of the virtual infrastructure, not the other way around. Use of ESXi might be more convenient in some cases, but be sure not to assume that having vendors pre-install it on their hardware means the appliance is secure.