Basically I want to run my network's firewall and gateway security on an ESXi box, but I am wondering about potential security attacks at the ESXi OS level, since I suspect that network traffic has to go through ESX first and then to my firewall (running in the VMs).
The gateway should be set like this: (Internal network & Windows Server VM /on ESXi) ---> (Firewall VM /on ESXi) ---> ESXi OS ---> Internet
What are the attack vectors if we consider only ESXi and not the VMs, and is there a way to mitigate the risk, such as disabling all ESXi services on the Internet NIC?
In the past, has there been such a security vulnerability with ESX?
Thanks a lot
You wouldn't configure the Internet-facing NIC to have anything to do with the ESX side. The ESX console IP would be on an internal NIC on a separate vSwitch. The Internet NIC should also be on its own vSwitch as well. The traffic would go through the NIC to the VM via the vSwitch itself. ESX will not touch the packet; it will come to the firewall VM itself. No ESXi services will run on that NIC, so that shouldn't be an issue. Just limit which internal networks this VM has access to.
-KjB
VMware vExpert
I would say your Internet network traffic will go directly, or seamlessly, to your firewall VM; the only thing ESXi will do is route the packets. In no way is it going to open a network packet or manipulate it.
So in short, ESXi is safe if you are not putting the VMkernel or VMotion network on the public Internet.
Hello,
Please refer to Top Virtualization Security Links ESX/ESXi Whitepapers for discussion on this topic. Specifically I would read through all these whitepapers to get a clear understanding of Virtual Networking and how it will fit into a DMZ (which is what you are discussing).
Basically you would not place your management, vmotion, IP storage, FT Logging networks on the internet or within your DMZ. I would normally hide them within a protected spot within your Production network.
Best regards, Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009
Now Available on Rough-Cuts: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing ESX and the Virtual Environment'
Also available: 'VMWare ESX Server in the Enterprise'
SearchVMware Pro (http://www.astroarch.com/wiki/index.php/Blog_Roll) | Blue Gears | Top Virtualization Security Links | Virtualization Security Round Table Podcast
I have clients that have been running this way for years. No problem found yet. Just keep the VMKernel interfaces away from the Inet and you will be fine.
/Henrik
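The replies from KjB, Edward Haletky and Henrik all state the same isolation rule: the Internet uplink gets its own vSwitch, the only port on it is the firewall VM's outside NIC, and no VMkernel interface (management, VMotion, IP storage, FT logging) is ever placed there. The script below is an added example, not code from this thread or from VMware, that audits a host inventory against that rule. The inventory layout (a dict of vSwitches with their uplinks, port groups, VMkernel ports and VM NIC attachments), the vSwitch, port-group, vmnic and VM names, and the `audit` function are all constructed for illustration; a real deployment would fill the structure from `esxcli network vswitch standard list` and `esxcli network ip interface list` output rather than hard-coding it.

```python
"""Audit an ESXi virtual-network inventory for the rule given in the thread:
the Internet-facing uplink must sit on a vSwitch that carries only the
firewall VM's outside NIC and no VMkernel interface.

Constructed example data; the dict layout is a simplified stand-in for what
the esxcli network commands report, not ESXi's own output format.
"""

# Constructed inventory that follows the advice: management and internal VMs
# on vSwitch0 (vmnic0), the WAN uplink alone on vSwitch1 (vmnic1).
GOOD_INVENTORY = {
    "vSwitch0": {
        "uplinks": ["vmnic0"],
        "portgroups": {
            "Management Network": {"vmkernel": ["vmk0"], "vms": []},
            "VM Network": {"vmkernel": [], "vms": ["fw-inside", "winsrv"]},
        },
    },
    "vSwitch1": {
        "uplinks": ["vmnic1"],
        "portgroups": {
            "WAN": {"vmkernel": [], "vms": ["fw-outside"]},
        },
    },
}

# Constructed misconfiguration: management vmk0 and the Windows server were
# attached to the WAN port group, and a second uplink was added to vSwitch1.
BAD_INVENTORY = {
    "vSwitch0": {
        "uplinks": ["vmnic0"],
        "portgroups": {
            "VM Network": {"vmkernel": [], "vms": ["fw-inside"]},
        },
    },
    "vSwitch1": {
        "uplinks": ["vmnic1", "vmnic2"],
        "portgroups": {
            "WAN": {"vmkernel": ["vmk0"], "vms": ["fw-outside", "winsrv"]},
        },
    },
}


def find_vswitch_for_uplink(inventory, uplink):
    """Return the name of the vSwitch that owns a physical uplink, or None."""
    for name, vswitch in inventory.items():
        if uplink in vswitch["uplinks"]:
            return name
    return None


def audit(inventory, internet_uplink, firewall_outside_nics):
    """Return a list of violations (empty list means the layout is compliant).

    internet_uplink       - the vmnic cabled to the Internet, e.g. "vmnic1"
    firewall_outside_nics - set of VM NIC names allowed on the Internet vSwitch
    """
    violations = []
    wan_vswitch = find_vswitch_for_uplink(inventory, internet_uplink)
    if wan_vswitch is None:
        return [f"uplink {internet_uplink} is not attached to any vSwitch"]
    vswitch = inventory[wan_vswitch]

    # Rule 1: the Internet vSwitch has exactly one physical uplink, so it can
    # never bridge the outside world onto an internal NIC.
    for extra in vswitch["uplinks"]:
        if extra != internet_uplink:
            violations.append(
                f"extra uplink {extra} shares Internet vSwitch {wan_vswitch}")

    for pg_name, pg in vswitch["portgroups"].items():
        # Rule 2: no VMkernel interface (management, VMotion, storage, FT)
        # lives on the Internet vSwitch.
        for vmk in pg["vmkernel"]:
            violations.append(
                f"VMkernel interface {vmk} ({pg_name}) is on Internet vSwitch {wan_vswitch}")
        # Rule 3: only the firewall's outside NIC is plugged into that vSwitch.
        for vm_nic in pg["vms"]:
            if vm_nic not in firewall_outside_nics:
                violations.append(
                    f"VM NIC {vm_nic} ({pg_name}) is on Internet vSwitch {wan_vswitch}")
    return violations


if __name__ == "__main__":
    for label, inv in (("good", GOOD_INVENTORY), ("bad", BAD_INVENTORY)):
        result = audit(inv, "vmnic1", {"fw-outside"})
        print(f"{label}: {'compliant' if not result else result}")
```

Run it against the two constructed inventories: the good layout produces no findings, while the bad one reports vmk0, the extra uplink and the Windows server NIC, which is exactly the exposure the replies warn against.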