VMware Cloud Community
xcimo
Contributor

ESXi Security (is it secure enough to sit directly on the internet?)

Basically I want to run my network's firewall and gateway security on an ESXi box, but I am wondering about potential security attacks at the ESXi OS level, since I suspect that network traffic has to go through ESX first and then to my firewall (running in the VMs).

The gateway should be set like this: (Internal network & Windows Server VM /on ESXi) ---> (Firewall VM /on ESXi) ---> ESXi OS ---> Internet

What are the attack vectors if we consider only ESXi and not the VMs, and is there a way to mitigate the risk, such as disabling all ESXi services on the internet NIC?

In the past, has there been such a security vulnerability with ESX?

Thanks a lot :)

4 Replies
jjpatel
Enthusiast

I would say your internet network traffic will go directly or seamlessly to your firewall VM; the only thing ESXi will do is route the packets. In no way is it going to open a network packet or manipulate it.

So in short, ESXi is safe if you are not putting the VMkernel or vMotion network on the public internet.

kjb007
Immortal
Accepted solution
You wouldn't configure the internet-facing NIC to have anything to do with the ESX side. The ESX console IP would be on an internal NIC on a separate vSwitch. The internet NIC should also be on its own vSwitch. The traffic would go through the NIC to the VM via the vSwitch itself. ESX will not touch the packet; it will come to the firewall VM itself. No ESXi services will run on that NIC, so that shouldn't be an issue. Just limit which internal networks this VM has access to.

-KjB

VMware vExpert

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
Texiwill
Leadership

Hello,

Please refer to Top Virtualization Security Links ESX/ESXi Whitepapers for discussion on this topic. Specifically I would read through all these whitepapers to get a clear understanding of Virtual Networking and how it will fit into a DMZ (which is what you are discussing).

Basically you would not place your management, vmotion, IP storage, FT Logging networks on the internet or within your DMZ. I would normally hide them within a protected spot within your Production network.


Best regards, Edward L. Haletky, VMware Communities User Moderator, VMware vExpert 2009
Now available on Rough Cuts: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing ESX and the Virtual Environment'
Also available: 'VMware ESX Server in the Enterprise'
SearchVMware Pro (http://www.astroarch.com/wiki/index.php/Blog_Roll) | Blue Gears | Top Virtualization Security Links | Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
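The layout kjb007 describes in the accepted solution (internet NIC on its own vSwitch, management on a separate internal vSwitch) and the list of VMkernel networks in the post above (management, vMotion, IP storage, FT logging) can both be checked from the ESXi Shell. As an added example that is not part of this thread and not a VMware tool, the following Python script audits that layout by parsing the human-readable output of `esxcli network vswitch standard list` and `esxcli network ip interface list`: every VMkernel interface shows up there as vmkN with its Portset (vSwitch), so any vmk on the internet-facing vSwitch is a finding, as is an internet uplink sharing a vSwitch with an internal uplink. The two sample outputs embedded in the script are constructed to mirror the layout of those commands' output with most fields omitted, and the choice of vmnic1 as the internet-facing uplink is an assumption; on a real host you would feed in the live command output instead.

```python
"""Audit an ESXi standard-vSwitch layout for the rule in this thread: the
internet uplink sits on its own vSwitch and no VMkernel interface (vmkN:
management, vMotion, IP storage, FT logging) lives on that vSwitch.

Added example, not from the thread or from VMware. Input is the human-readable
output of `esxcli network vswitch standard list` and
`esxcli network ip interface list`. The samples below are CONSTRUCTED in that
layout (most fields omitted); "vmnic1 is the internet uplink" is an assumption.
"""
from typing import Dict, List, Optional, Set

# --- constructed sample output, not captured from a real host --------------
CLEAN_VSWITCH = """\
vSwitch0
   Name: vSwitch0
   Uplinks: vmnic0
   Portgroups: VM Network, Management Network
vSwitchWAN
   Name: vSwitchWAN
   Uplinks: vmnic1
   Portgroups: WAN
"""
CLEAN_VMK = """\
vmk0
   Name: vmk0
   Enabled: true
   Portset: vSwitch0
   Portgroup: Management Network
"""
# Misconfigured: the internet uplink shares a vSwitch with the internal
# uplink, and two VMkernel ports (management, vMotion) sit on it.
BAD_VSWITCH = """\
vSwitch0
   Name: vSwitch0
   Uplinks: vmnic0, vmnic1
   Portgroups: VM Network, Management Network, vMotion, WAN
"""
BAD_VMK = """\
vmk0
   Name: vmk0
   Portset: vSwitch0
   Portgroup: Management Network
vmk1
   Name: vmk1
   Portset: vSwitch0
   Portgroup: vMotion
"""


def parse_esxcli_blocks(text: str) -> List[Dict[str, str]]:
    """Split esxcli list output into one dict per record: an unindented line
    ("vSwitch0", "vmk0") opens a record, indented "Key: value" lines fill it."""
    records: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # record header
            current = {}
            records.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return records


def _csv(value: str) -> List[str]:
    return [v.strip() for v in value.split(",") if v.strip()]


def audit(vswitch_out: str, vmk_out: str, internet_uplinks: Set[str]) -> List[str]:
    """Return findings; an empty list means the layout follows the rule."""
    findings: List[str] = []
    wan_switches: Set[str] = set()
    for sw in parse_esxcli_blocks(vswitch_out):
        uplinks = _csv(sw.get("Uplinks", ""))
        wan = [u for u in uplinks if u in internet_uplinks]
        if not wan:
            continue
        wan_switches.add(sw["Name"])
        internal = [u for u in uplinks if u not in internet_uplinks]
        if internal:   # one vSwitch bridging internet and internal uplinks
            findings.append(f"{sw['Name']}: internet uplink {', '.join(wan)} shares "
                            f"the vSwitch with internal uplink {', '.join(internal)}")
    if not wan_switches:
        findings.append(f"no vSwitch carries internet uplink "
                        f"{', '.join(sorted(internet_uplinks))}; check the NIC name")
    # Any vmk on the internet-facing vSwitch exposes a hypervisor service
    # (management, vMotion, NFS/iSCSI, FT logging) to the outside.
    for vmk in parse_esxcli_blocks(vmk_out):
        if vmk.get("Portset") in wan_switches:
            findings.append(f"{vmk['Name']} ({vmk.get('Portgroup', '?')}) is on "
                            f"internet-facing vSwitch {vmk['Portset']}")
    return findings


if __name__ == "__main__":
    for label, sw_out, vmk_out in (("clean", CLEAN_VSWITCH, CLEAN_VMK),
                                   ("bad", BAD_VSWITCH, BAD_VMK)):
        result = audit(sw_out, vmk_out, {"vmnic1"})
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print("  FINDING:", finding)
```

To run it against a real host, save the output of the two esxcli commands to files from the ESXi Shell or over SSH and pass their contents to audit(); the script only inspects the parsed text, so it is safe to run from any workstation. It deliberately flags every vmk on the internet-facing vSwitch rather than only the management one, because a vMotion or IP-storage port exposed to the outside is just as bad as the console IP.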
HenrikElm
Contributor

I have clients that have been running this way for years. No problems found yet. Just keep the VMkernel interfaces away from the Internet and you will be fine.

/Henrik
