My first question would be "Why do you have two service console ports?"

Jason

Hello,

In your configuration each vswitch has a service console or vswif device connected to it. You therefore have within your system a vswif0 and vswif1. Each vswif device has a separate IP address and therefore network. All the services within the Service Console allow connections on ANY vswif device. This is not a security issue per say but a misunderstanding on how it all works.

The iptables rules block INPUT and OUTPUT paths based on source and target ports for ALL vswif devices. If there are more than one then the rules apply to all vswifs not just the first one. This is why you can connect to the Service Console services over either IP address.

For example:

On of the rules is to accept all incoming traffic of state NEW on port 902. The vswif device is not mentioned in this rule and therefore the rule applies to ALL network INPUTs into the system. There is no forwarding between vswif0 and vswif1.

If you want to as you say sandbox SNMP traffic to vswif1 you will have to modify the firewall by hand to enforce this. In general the only use for the 2nd vswif device I have seen so far is for a backup network not for redundant management networks. That is handled within the vSwitch itself using failover mode settings.

If you only have 2 pNICs, then you will want to use VLANs to segment traffic and ensure no portgroup allows promiscuous mode ethernet devices. As well as making 1 pNIC the primary and the second one the failover within a single vSwitch. I also manage to put my SC on an Administrative network that is itself firewalled and access to it is limited.

Best regards,

Edward L. Haletky, author of the forthcoming 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', publishing January 2008, (c) 2008 Pearson Education.

Message was edited by: Texiwill

Hello,

There is no internal documentation on this, it is the nature of the iptables rules that are in place. Every time you create a service console portgroup on a vSwitch you are not creating a new service console, but tying into the existing service console. The existing service console protects all input and output devices using iptables. A good iptables reference is: "LINUX iptables Pocket Reference" from O'Reilly and Associates. Also, you can look at www.netfilter.org.

Since there is only one instance of a service console, all you are doing by providing more than one Service Console port group is making more ethernet interfaces on the service consoles, these are the vswif devices.

You have not really found a bug in ESX, but the fact that there are 1001 ways to do networking with LINUX. Consider this, would you rather have a specific rule that says everything allowed on vswif0 and that vswif1 is absolutely wide open? If they were to implement interface level blocking on the default iptables rules, that is generally what results. Or would you like absolutely nothing on vswif1? THat is the other option. Note that the VIC and esxcfg-firewall commands do not know anything about the devices in use only the rules to be used. This is a General setup that meets most peoples needs.

So, for iptables you have 3 default chains on the primary table. Those chains are INPUT, FORWARD, and OUTPUT. INPUT covers everything coming in, FORWARD is for forwarding between interfaces and OUTPUT is for anything going out. There is also a nat, mangle, and some other tables. None of these are used by ESX and should not be used by ESX. For INPUT, the general rules are written like:

iptables -A INPUT  -p  with the state argument and the --state argument of NEW. This is matching on the state of a new connection only.

iptables -A INPUT -m state --state NEW -p tcp -m tcp --dport 902 -j ACCEPT

You can also have a sourcePort in use, a sourceAddr, destinationAddress, and a host of other elements at work including which interface upon which this rule applies. The interface lock down is NOT part of the ESX firewall rules, nor should it be as any vswif should be able to use all its services. If you want to change this then you will need to play with the firewall rules.

IPtables is extremely complex and incredibly powerful. To fully understand it you will need to do some reading of the manual page, a reference and play with it.

In addition there is only one default gateway. THere can not be more than one default gateway, however, it is trivially easy to add a gateway that is specific to a given subnet if you are using more than one vswif device. There is no cross routing between vswif0 and vswif1 if you look at your network routes (netstat -rn) you will see the default route plus a node specific route for your vswif1 device. Anything coming in on vswif1 will go back out vswif1.

As for your comment about it ties the vswitch portgroup to the Service Console, you are absolutely correct. If you are not using VLANs the traffic is not segmented. If you are allowing promiscuous mode ethernet devices on your vswitch then things are even worse. Virtual Networking has some basic rules to follow and you are crossing some of them.

1) vMotion should be its own private vSwitch or portgroup

2) Service Console should be its own private vSwitch or portgroup. This includes all possible service consoles ports, not just the primary (use VLANS to segment networks on the SC vSwitch). This is your Administrative network which should also be firewalled. VC is on this network. As is any management tool whether running as a VM or otherwise.

3) Virtual Machines should be their own private vSwitch or portgroups

4) Each should have redundancy (2 pNICS per vSwitch)

5) VLANs should be used when dealing with reduced number of ports

6) vMotion should be its own private network including routing if you are to doing this. Only ESX vMotion ports should be allowed on this network.

7) iSCSI requires that a service console vswif participate in its network, yet iSCSI for VMFS should be separated from the VM network.

8) NFS should be separate from the VM Network.

9) Never enable promiscous mode on your vswitches but you can for specific portgroups that only contain your IDS... No other VM should be in this portgroup.

10) Using VLANs will lower the amount of pNIC you require.

Ideally I like having a minimum of SIX physical network adapters so that I have everything segmented nicely even if I do use VLANs as well. This way I gain redundancy and functionality.

You have not found anything that is a problem with ESX, you have found that there are 1001 ways to do networking within LINUX and that some are better than others.  Also you have found that generic firewalls like what ESX uses is only useful in generic cases, you have a SPECIFIC need and will have to adjust things to meet that SPECIFIC need. The iptables firewall is only part of the answer, you can also use /etc/hosts.allow and /etc/hosts.deny to implement tcpwrappers, or implement tcpwrappers in /etc/xinetd.conf; these are just some of the ways to limit access based on IP and or network and are a 2nd line of defense for all LINUX machines. Changing the default ESX security rules are not for the faint of heart, you can really mess things up extremely easily. Nor do I expect most people to do so, however, if they do not understand how the rules work, then they could easily mess up.

One thing you can do is to deny access to anything on vswif1 using the following in /etc/rc.d/rc.local

/sbin/iptables -I INPUT 1 -i vswif1 -j DROP

Which would insert this rule at the top of the chain denying all access to vswif1 from outside. Adding in specific rules requires even more tweaking and you need to really understand firewalls to do this plus iptables.

Then to allow port 902 or anything to come back in on vswif1 that you specifically start you can use:

/sbin/iptables -I INPUT 1 -i vswif1 -m state --state NEW -p tcp -m tcp --dport 902 -j ACCEPT

/sbin/iptables -I INPUT 1 -i vswif1 -m state --state ESTABLISHED,RELATED -j ACCEPT

You must use the 3 lines in the order given to get only port 902 and what you have started to go out vswif1.

If anyone does not understand these concepts or know how to implement them, then I suggest taking a LINUX Security Class, There is a very good version of this presented at each Linux World as well as the one SANS puts on. Also my upcoming book has a chapter just on security and how to implement some of the concepts I discussed. The last option is to hire a consultant that does understand these concepts.

How ESX 3i changes these above, I am unsure as I have yet to play with ESX 3i. I imagine it will to a certain extent but hopefully not very much. A firewall for the CLI is extremely important.

Best regards,

Edward L. Haletky, author of the forthcoming 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', publishing January 2008, (c) 2008 Pearson Education.

Hello,

Sorry for jumping the queue.  Do you have the online version of your book available?

Not a problem. See my signature for a link to the online versions.

1) VLANs should be used when dealing with reduced number of ports

While it is possible to see all VLAN traffic on a vSwitch if  Promiscuous mode is enabled (not the default) VLANs without promiscous mode will split the traffic in a secure method. Normally for full redundancy, performance, and security you would want 2 pNICs per Network. Of which the default ESX server in a cluster has 3... Service Console, vMotion, and VM Network. When you add in SAN, you use FC-HBAs which have their own security mechanisms, when you add in iSCSI it is another network (whether they are 1 Gbe devices or iSCSI-HBAs), add NFS and you have one more network. VM Networks can be split a number of ways. Since a 4 pNIC system (common blade) does not have 10 pNICS (assuming everything is enabled included iSCSI/NFS) you have to make some choices on what you will place within a VLAN to segment your traffic.

If you do not segment your traffic it is possible for vMotion, Administration traffic to be seen by the VMs for example. So the use of VLANs in low port density situations affords some level of protection. There are some MITM attacks that are possible even without promiscous mode network adapters. This is not necessarily a problem in ESX as much as it is a common network issue. The attacks work even outside ESX.

2) iSCSI requires that a service console vswif participate in its network, yet iSCSI for VMFS should be separated from the VM network.

does service console need to be used more than once?

Let us look at some networks and netmasks.... If the SC has the following:  10.0.0.18/255.255.0.0 if can participate in a Class B network. Assume the switching allows this. If I had two iSCSI networks (10.0.1.18/255.255.255.0 and 10.0.2.18/255.255.255.0) then the SC would participate in both with no need for a secondary SC port. However if the SC did not participate in a full class B but a class C then I would need to have an SC port for both the 10.0.1.18/24 and 10.0.2.18/24 networks. Which could be different from the 10.0.0.18/24 network used for administration. In this last case I would need 3 SC links.... So you really have 3 situations:

• Default SC participates in all iSCSI networks.... use a broad enough netmask.

• Default SC participates in one iSCSI network, 2nd SC participates in second iSCSI network with restrictive netmasks.

• Default SC participates in Administrative network, 2nd SC participates in one iSCSI network, 3rd SC participates in second iSCSI network with restrictive netmasks.

This all depends on your network situation. Now since the only use of the SC on the iSCSI network is the authentication aspect of the iSCSI protocol you can possibly limit this links to just a single pNIC and not duals. This link is required whether you use authentication or not actually, so you can not get rid of it but you can reduce the number of ports for it pretty safely (not 100% redundant but doable)

3) FS should be separate from the VM Network

The VM network is a hostile environment, it should be separate from anything that relates to Administration, Storage, vMotion, etc. used by the ESX server. If your VMs will use iSCSI initiators or NFS mounts, then I would do that through a totally different network. I would not want the VMs to get a hold of the base VMDKs, etc.

4) Using VLANs will lower the amount of pNIC you require.

Could you please explain how?

VLANs allow you to run multiple networks over the same wire using tags in the IP headers to say what VLAN/network the packets belong to assure deliver to the properly participating machine. This is the 802.1q Standard (http://en.wikipedia.org/wiki/IEEE_802.1Q). If you want more details I suggest reviewing the standard as it explains everything in great detail. Because of this, you can use less pNIC in some cases.

This is all predicated upon how much security you really want, can afford, and must do. I like to setup physical barriers so that I can keep all Administrative and ESX internal networks apart from each other and the relatively hostile environment of the VMs.

Why do I say this is a hostile environment? Consider that these VMs are in the DMZ or customer facing whether internal or external customers... You can never know what is happening on these systems and there are some invisible root kits for various flavors of Operating Systems. I just consider all VMs to be hostile, so that I secure my systems properly. As a virtualization administrator I look at anything I do not control directly or allows Users to connect to be hostile.

May I use your questions in a blog post I am working on? They are good ones.

Best regards,

Edward L. Haletky, author of the forthcoming 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', publishing January 2008, (c) 2008 Pearson Education. Available on Rough Cuts at http://safari.informit.com/9780132302074

It all comes down to how comfortable you are with the setup.

In my environment I have:

2pnics teamed and being utilized by the SC and Vmotion with both being on the same VLAN.

2pnics teamed and configured as a VLAN trunk hosting all VM VLANs.

1pnic for backup network 1

1pnic for backup network 2

1pnic configured for iSCSI with the initator being installed within the VM's not on the SC.

Jason

biniam wrote:

2pnics teamed and being utilized by the SC and Vmotion with both >being on the same VLAN.

There are a lot of discussion on security issue.  Do see any disadvantage on using both on the same network?

In our environment I do not see any issues with having both the SC and VMotion on the same network.

1pnic for backup network 1

1pnic for backup network 2

what do i you mean by network 1 and 2?

We are hosting VM's for two different clients and each client has their own backup environment.  VM's belonging to a specific client is connected to their own backup network and the VM production network.  If both backup networks were routable I would have designed it so that both backup networks were using the same pnics but different VLANs.

1pnic configured for iSCSI with the initator being installed within the >VM's no

I guess you have hardware Initiator or FC to do this?

There are no hardware initiators.  The iSCSI is connected to a switch which is connected to each Esx host.  The VM's that are attached to the iSCSI each have two vnics.  One vnic is attached to the production network and the other vnic is attached to the iSCSI network.

Jason

biniam wrote:

The last comment; you are getting iSCSI working in the guest, so using the windows initiator to connect to a lun.  But your are using Vmware iscsi for os.

Regards

Biniam

We are not using iSCSI for the OS.  The OS is on a fiber storage.  We are using the iSCSI as second tier storage for e-mail archives.

From what I understand by talking to iSCSI venders, if you are using iSCSI as your primary storage you should be using VMware iSCSI for the os and then use the Windows initiator to connect to each LUN.

Jason