VMware Cloud Community
rightfoot
Enthusiast

Protecting/Securing ESXi

I use ESXi to host a small number of public web servers. I use a 10.0.0.0/24 net for the ESXi management and guests are in a 192.168.1.0/16 net.

I constantly read about how there are new ways to attack networks, especially ones which use virtual hosts and guests. I find quite a bit of information but most of it seems to be enterprise related. What should I be doing to protect the setup other than what I have done and the usual things such as a network firewall of course and other standard server things.

In other words, are there some special things I should be doing to protect guests on ESXi or ESXi itself from remote users?

My setup is as follows.

ESXi hosts are blades on a BladeCenter chassis.

Each blade has direct FC access to storage units.

Each host runs directly off of the FC storage.

Thanks.

27 Replies
rightfoot
Enthusiast

I must not have explained correctly :). I was saying that I can live without bonding, don't need it and can live without the redundancy, don't need that either.

What I was saying is that each NIC, dedicated to a specific function, would be most acceptable for me. I cannot get into VLANs on this network at this time; it would involve too many changes. I am not worried about redundancy because each server/service runs as part of a distributed/load balanced setup. While I could put 4 NICs on each blade, I don't need it.

So again, what I am asking, more specifically, is to achieve the following setup.

Each blade has two NICs. NIC0 needs to be used for the guests (web servers mostly) only, while NIC1 needs to be used for ESX management only.

NIC0 is connected to its own firewall interface and NIC1 is also connected to its own firewall interface, fully separated.

rightfoot
Enthusiast

Anyone? Can someone give me some insight on how to use one NIC for guests and the other for ESX? I cannot use VLANs at the moment; it would add too much complexity.

Texiwill
Leadership

Hello,

You already stated the issue you have: at the chassis/pSwitch level it looks like you bonded your pNICs. This you cannot do.

To use NIC0 for SC all you need to do within ESX is assign NIC0 to the SC vSwitch.

To use NIC1 for VM Network all you need to do within ESX is create a new vSwitch and assign NIC1 to that vSwitch.

Simple to do.

However, do not bond the ports at the chassis level or physical switch level.

2 vSwitches 1 pNIC assigned to each... that is the ESX side of things. If you have other issues with traffic look at your pSwitch setup it sounds incorrect if bonding is involved. These ports should NOT be bonded at the pSwitch.

This sounds like an IBM blade and if so, there are several good write-ups on this and how to solve the problem from IBM and others.

pSwitch<->pNIC0<->vSwitch0 (Service Console/Management Appliance)
pSwitch<->pNIC1<->vSwitch1 (VM Network)


Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009

Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'

Also available 'VMWare ESX Server in the Enterprise'

Blogging: The Virtualization Practice | Blue Gears | TechTarget | Network World

Podcast: Virtualization Security Round Table Podcast | Twitter: Texiwll

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
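The two-vSwitch layout Texiwill describes (one pNIC per vSwitch, management and VM traffic never sharing an uplink) is easy to set up and just as easy to undo by accident, since the default install puts "VM Network" and "Management Network" on the same vSwitch0. The following is an added example, not code from this thread or from VMware: it parses saved output of `esxcli network vswitch standard list` (the sample text below is constructed in that command's shape; the default "Management Network" portgroup name and the `vmnic0`/`vmnic1` uplink names are assumptions), flags any vSwitch or physical NIC that carries both roles, and emits the `esxcli` commands that move a VM portgroup onto its own vSwitch and uplink.

```python
"""Verify that ESXi standard vSwitches keep management and VM traffic on
separate physical NICs, and generate the esxcli commands to fix it if not."""
import re

# Constructed sample in the shape of `esxcli network vswitch standard list`
# output for the layout described in the thread: management alone on
# vmnic0/vSwitch0, the VM portgroup alone on vmnic1/vSwitch1.
GOOD_OUTPUT = """\
vSwitch0
   Name: vSwitch0
   Class: cswitch
   MTU: 1500
   Uplinks: vmnic0
   Portgroups: Management Network

vSwitch1
   Name: vSwitch1
   Class: cswitch
   MTU: 1500
   Uplinks: vmnic1
   Portgroups: VM Network
"""

# Constructed sample of the default install: both portgroups and both
# uplinks sit on vSwitch0, so guest traffic shares the management NICs.
BAD_OUTPUT = """\
vSwitch0
   Name: vSwitch0
   Class: cswitch
   MTU: 1500
   Uplinks: vmnic0, vmnic1
   Portgroups: VM Network, Management Network
"""

MGMT_PORTGROUPS = {"Management Network"}  # assumption: default name kept


def parse_vswitches(text):
    """Return {vswitch_name: {"uplinks": [...], "portgroups": [...]}}."""
    switches = {}
    current = None
    for line in text.splitlines():
        if line and not line[0].isspace():      # unindented line = switch name
            current = line.strip()
            switches[current] = {"uplinks": [], "portgroups": []}
            continue
        m = re.match(r"\s+(Uplinks|Portgroups):\s*(.*)$", line)
        if m and current:
            values = [v.strip() for v in m.group(2).split(",") if v.strip()]
            switches[current][m.group(1).lower()] = values
    return switches


def check_separation(text, mgmt_portgroups=MGMT_PORTGROUPS):
    """Return a list of findings; empty means management and VM traffic
    never share a vSwitch or a physical NIC, and each vSwitch has one uplink
    (the no-bonding requirement from the thread)."""
    findings = []
    nic_roles = {}  # vmnic -> set of roles ("mgmt" / "vm") seen on it
    for name, sw in parse_vswitches(text).items():
        roles = {"mgmt" if pg in mgmt_portgroups else "vm" for pg in sw["portgroups"]}
        if roles == {"mgmt", "vm"}:
            findings.append(f"{name}: management and VM portgroups share one vSwitch")
        if len(sw["uplinks"]) != 1:
            findings.append(f"{name}: expected exactly one uplink, found {sw['uplinks']}")
        for nic in sw["uplinks"]:
            nic_roles.setdefault(nic, set()).update(roles)
    for nic, roles in sorted(nic_roles.items()):
        if roles == {"mgmt", "vm"}:
            findings.append(f"{nic}: carries both management and VM traffic")
    return findings


def remediation_commands(vm_nic="vmnic1", vm_vswitch="vSwitch1", vm_portgroup="VM Network"):
    """esxcli commands that move the VM portgroup off vSwitch0 onto its own
    vSwitch with its own uplink. Detach VMs from the portgroup first: the
    portgroup remove step is refused while ports are in use."""
    return [
        f"esxcli network vswitch standard uplink remove --uplink-name={vm_nic} --vswitch-name=vSwitch0",
        f"esxcli network vswitch standard portgroup remove --portgroup-name='{vm_portgroup}' --vswitch-name=vSwitch0",
        f"esxcli network vswitch standard add --vswitch-name={vm_vswitch}",
        f"esxcli network vswitch standard uplink add --uplink-name={vm_nic} --vswitch-name={vm_vswitch}",
        f"esxcli network vswitch standard portgroup add --portgroup-name='{vm_portgroup}' --vswitch-name={vm_vswitch}",
    ]


if __name__ == "__main__":
    for label, sample in (("good", GOOD_OUTPUT), ("bad", BAD_OUTPUT)):
        print(label, check_separation(sample) or "OK")
    print("\n".join(remediation_commands()))
```

The script reads saved command output, so it runs on an admin workstation without touching the host; the only thing to change for a real host is to feed it the actual `esxcli network vswitch standard list` text and your own management portgroup name. As Texiwill notes, this only proves the ESXi side: whether the chassis or physical switch bonds the two ports is not visible from here.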

I knew about the bonding, so I'm not sure why I came across as not getting that. It was clear to me that if the NICs were bonded, there's no way I could use them independently. Either way, after messing around based on what you've told me, I think I have it.

I am not yet familiar with the steps needed, so I had to muck around quite a bit to get to this. It seems to work as expected, but perhaps I am missing something, so I thought I would post an image of the networking tab.

Texiwill
Leadership

Hello,

That is the correct setup from the ESXi side of things. Not sure about the hardware side however.

rightfoot
Enthusiast

Could you elaborate on that, so that I'm not missing something important?

Everything seems to work as it should: eth0 is connected to the public LAN side and eth1 is connected to the private LAN side.

Texiwill
Leadership

Hello,

ESXi is set up properly. And if you are not having any issues, then so is the hardware side of things. The diagram only shows us the ESXi side of the equation, so I cannot tell how the physical side is connected/set up.

However, if it works, then you have solved your problems.

rightfoot
Enthusiast

I think I see what you mean, just that I've not shown a diagram of the network side, where things are physically connected beyond this helpful thread.
