VMware Cloud Community
VMWF
Contributor

ESXi USB on DMZ

Hi,

I am planning to run ESXi on a USB stick plugged into an HP Blade Server which is sitting on the DMZ. This means the Network Management IP address will be a public IP address. I would like to know what would be the best practice to secure this environment? As the Network Management IP address is a public IP address, anyone may go to the IP address from their browser, download the VMware Infrastructure Client (VIC) and attack it to get the username/password. Once in, they will be able to manage all VMs inside.

I would like to know how you secured this in your implementations?

Thank you

VMWF

5 Replies
O_o
Enthusiast

Do you have only 1 network interface available for this Blade? If not, then why not connect the management interface to the internal network (or any other more secure network) and create a separate vSwitch connected to the DMZ. Make sure there is no communication possible between the vSwitch that is connected to the management part and the DMZ part.

In theory (or is it in practice) it's still not possible to get from one vSwitch to another if they are not connected (this means using separate NICs for each vSwitch).

You can also use VLANs on your switches, but I'm thinking this is a bit more secure and maybe even easier to manage.

If you must have access between your management network and the DMZ for whatever reason, create a third vSwitch and connect a firewall to it which is then connected to the other vSwitches (or build a VM with ISA Server on it). This way you can control whatever goes in and out between the DMZ and the management network.

Hope this is somewhat clear ... Still have some egg nog buzzing in my head :smileygrin:

weinstein5
Immortal

As the other poster pointed out, if you have multiple NIC ports, place one of these on the internal network and then use the others for the DMZ.

If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful

VMWF
Contributor

There are 2 network interfaces. One is DMZ and the other one is for HP iLO (for management, private).

I have seen that both your suggestions/recommendations require additional NIC cards, but without these, isn't there any other way to secure it?

As mentioned above, having the ESXi Network Management IP on the public internet will cause some security risk, but is it possible to lock it down:

- like disabling port 80 on this IP?

- like restricting the communication by adding the client IP which will have VIC installed, so that only it can communicate with ESXi Network Management, and not every machine that has access to the ESXi Network Management IP and has VIC installed will have access?

- like generating alerts if someone tries several login attempts to the ESXi Network Management IP?

Thank you

weinstein5
Immortal

The only way I would see doing this is creating a VM that will act as a firewall with a VPN client, which will connect to an internal vSwitch that has your vmkernel management port and the DMZ, and use the VPN client to connect to the management port. Also, I thought the iLO used its own IP port and did not rely on the NIC cards used by the server.

If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful

VMWF
Contributor

If I close port 80 on the ESX Management Port on the firewall, it will not be accessible from outside.

Also, if I allow only specific hosts (only internal) on the firewall to reach the ESX Management Port via port 902, it will only allow internal machines to reach the ESX management port via the VMware Infrastructure Client. Would that be a safe scenario, or am I missing some security risks?

Thank you

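As an added example that is not part of this thread, the following Python checker implements, from the defender's side, two of the lock-down ideas raised above: flagging VI Client connections to port 902 from hosts outside an approved internal allowlist, and raising an alert after repeated failed logins from one source address within a short window. The log line format, the allowlist networks and the thresholds are assumptions made for this example; real ESXi hostd/auth logs look different, so the regular expression must be adapted to the version in use.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: only these internal hosts are allowed to run the VI Client
# against the ESXi management address (TCP 902).
ALLOWED_CLIENTS = [ip_network("10.10.20.0/24"), ip_network("10.10.30.5/32")]
FAIL_THRESHOLD = 5              # failed logins from one source address ...
WINDOW = timedelta(minutes=5)   # ... within this window trigger an alert

# Constructed sample lines in a simplified, assumed format; real ESXi
# hostd/auth log lines differ, so adapt LINE_RE to your version.
SAMPLE_LOG = """\
2008-12-29T10:00:01Z src=10.10.20.15 port=902 user=root result=success
2008-12-29T10:00:40Z src=10.10.30.5 port=902 user=root result=failure
2008-12-29T10:01:02Z src=10.10.30.5 port=902 user=root result=success
2008-12-29T10:01:10Z src=203.0.113.7 port=902 user=root result=failure
2008-12-29T10:01:35Z src=203.0.113.7 port=902 user=root result=failure
2008-12-29T10:02:04Z src=203.0.113.7 port=902 user=admin result=failure
2008-12-29T10:02:50Z src=203.0.113.7 port=902 user=root result=failure
2008-12-29T10:03:21Z src=203.0.113.7 port=902 user=root result=failure
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) port=(?P<port>\d+) "
                     r"user=\S+ result=(?P<result>\S+)$")

def parse(log):
    """Yield (timestamp, source, port, result) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["src"], int(m["port"]), m["result"]

def analyse(log):
    """Return a sorted, de-duplicated list of alert strings for the log."""
    alerts = set()
    failures = defaultdict(list)   # source address -> recent failure times
    for ts, src, port, result in parse(log):
        if port == 902 and not any(ip_address(src) in n for n in ALLOWED_CLIENTS):
            alerts.add(f"unexpected-client: {src} reached port 902")
        if result == "failure":
            # keep only failures inside the sliding window, then count them
            failures[src] = [t for t in failures[src] if ts - t <= WINDOW] + [ts]
            if len(failures[src]) >= FAIL_THRESHOLD:
                alerts.add(f"brute-force: {FAIL_THRESHOLD}+ failed logins "
                           f"from {src} within {WINDOW.seconds // 60} min")
    return sorted(alerts)
```

Run against the sample, the external address 203.0.113.7 produces both alert kinds, while the single failure from the allowlisted 10.10.30.5 stays below the threshold and produces none.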