Solved: VPXD - Supported SSL Ciphers

Ozric · ‎12-06-2007

Hi All,

We're in the process of auditing the security of our environment and have found that the "VMware Virtual Center Server" service (TCP/443) supports a number of weak SSL ciphers (<128bit) does anyone know if we can modifiy the supported cipher suite? We've modified the Windows SChannel registry keys but that doesn't seem to do the trick. Any help appreciated.

Rgds Phil

Texiwill · ‎12-06-2007

Hello,

This would take changing the ciphers on VC, within the VIC, and most likely on the ESX Servers. They should be beefed up but may take a development effort. I suggest making a feature request to VMware to add more ciphers and to let the administrators pick the cipher to use.

Best regards,

Edward L. Haletky, author of the forthcoming 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', publishing January 2008, (c) 2008 Pearson Education. Available on Rough Cuts at http://safari.informit.com/9780132302074

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill

View solution in original post

Texiwill · ‎12-06-2007

Hello,

This would take changing the ciphers on VC, within the VIC, and most likely on the ESX Servers. They should be beefed up but may take a development effort. I suggest making a feature request to VMware to add more ciphers and to let the administrators pick the cipher to use.

Best regards,

Edward L. Haletky, author of the forthcoming 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', publishing January 2008, (c) 2008 Pearson Education. Available on Rough Cuts at http://safari.informit.com/9780132302074

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill

Ozric · ‎12-06-2007

Shame about this weakness, but thank you for the speedy response.

Rgds Phil

DenITSysadmins · ‎12-06-2007

We are running into the same issue after Nessus scans identified our ESX 3.2 hosts as supporting weak SSL ciphers. VMWare states that they are working on a way to disable SSLv2 entirely but there are still weak ciphers used by SSLv3. Anyone know of any additional info on this? Thanks.

kirkdude · ‎12-06-2007

Hi,

The real trick here is to have two networks, one for the service console, and one for the outside world. This is not a standard OS box. Regular security scans/tests/programs fail to understand what ESX is, or how it should be used.

Running things like Nessus, Foundstone scanners, and the like are almost silly. They can scan the service console, yes. But they know nothing about the virtualization layer, or ESX's networking.

If you have vulnerabilities on an internal network, or an administrator only network, what is the problem? Don't get me wrong, I do think that weak ciphers shouldn't be used (defense in depth). But to get you thinking...

ESX's networking is quite good at isolation, this protects you from a whole host of problems. No OS is like this. So don't treat ESX like a OS.

Any networking scan that you do on the service console, or any networking service does not need to be exposed to the outside world or the VM network.

Keep the two worlds separate. Control the administrator network, then life is good.

Ozric · ‎12-07-2007

Hi Kirkdude,

Thanks for the reply, I agree with separation of the service console interface indeed that is how we have implemented ESX into our infrastructure however it's being connected to an environment where security is paramount and subject to 3rd party penetration testing (both internal and external). These guys see things in black and white i.e. if a network device presents an attack surface they will try to exploit it, and in this case expose the use of weak ciphers. I'm not sure I want to start a discussion on virtual networking as I'm trying to get this project finished :smileyblush: suffice to say I agree that ESX is good, in fact I'm a big fan of ESX (there, I said it!)

Bottom line in my world is that remediation is better than mitigation.

Texiwill · ‎12-07-2007

Hello,

ESX was ALWAYS designed so that the SC and pretty much any network be placed behind an appropriately controlled firewall. That being said, ESX's Service COnsole, vMotion, and Storage networks should be buried in the bowels of the network behind so many firewalls to make hacking from an external source nearly impossible. BUT that being said, I have seen the SC in the DMZ, vMotion on the internal public networks, and worse. Remember that 70% of all hacks come from INSIDE not OUTSIDE. This means that the people working with you are your main concern. Let the bastion security admins worry about the firewalls, you should worry about everyone else, and using weak ciphers is just bad.

I am working on several research avenues regarding the security of ESX. All I can say at this time is that you need to be vigilant! ESX is not as secure as people like to think it is. There are some weaknesses that basic network security and general security can alleviate. I am working on some blogs on the subject, just slow in coming.

Best regards,

Edward L. Haletky, author of the forthcoming 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', publishing January 2008, (c) 2008 Pearson Education. Available on Rough Cuts at http://safari.informit.com/9780132302074

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill