VMware Cloud Community
gregchait
Enthusiast
Enthusiast
‎11-03-2010 08:27 AM

vSphere Management Assistant (vMA) Security Concerns?

I have worked with vMA before, configuring it and running some scripts from it in an ESXi vSphere environment. My question surrounds the security of the appliance. If VMware stripped out all the executables from the service console, what is the security risk of introducing the vMA appliance into a vSphere infrastructure?

How is a vSphere ESXi environment with vMA more secure than an ESX environment?

Thanks

Greg C.

Tags (4)
0 Kudos
2 Replies
lamw
Community Manager
Community Manager
‎11-03-2010 09:15 AM

The reason behind the statements you've heard from VMware is that the attack footprint on the hypervisor is decreased with the removal of the Service Console for the classic ESX host compared to ESXi. If you look at the set of security patches released for ESX, a good portion of them apply to RHEL based Service Console fixing variety vulnerabilities. By removing this COS (Console Operating System), we minimize the attack footprint on the vmkernel which is supposed to be more secure. Now, having said all that, there is still a minimal console called Tech Support Mode which is running Busybox and you still have the ability for SSH access. You just don't have a full fledge console like Service Console, but majority of the VMware management tools/utilities are still there.

vMA is basically a CentOS/RHEL based virtual appliance created by VMware, similar in nature to the Service Console but it utilizes the vSphere CLI (vCLI) and vSphere APIs to communicate and manage/configure your VMware infrastructure including both ESX(i) and vCenter. This provides centralized management of your ESX(i) host and you can leverage various authentication mechanism including Active Directory.

Depending on how secure your environment is, vMA may or may not be as secure as VMware claims. There have been few individuals who have posted security scans from their InfoSec teams where there are still vulnerabilities found within the OS, not the vSphere management layer but within the guest as it's still a CentOS/RHEL based system. You may need to perform additional hardening on the system itself as you would with other OSes to fully secure the system. vMA is secure as you make it. You'll definitely want to ensure you isolate this management appliance from your normal VMs, it's part of your infrastructure management so you should secure it as such.

Hopefully this gives you better idea of what vMA is and how it differs from Service Console as we transition from ESX to ESXi

=========================================================================

William Lam

VMware vExpert 2009,2010

VMware VCP3,4

VMware VCAP4-DCA

VMware scripts and resources at:

Twitter: @lamw

Getting Started with the vMA (tips/tricks)

Getting Started with the vSphere SDK for Perl

VMware Code Central - Scripts/Sample code for Developers and Administrators

VMware Developer Community

If you find this information useful, please award points for "correct" or "helpful".

0 Kudos
Chamon
Commander
Commander
‎11-03-2010 09:18 AM

I haven’t used the vMA yet. However I believe it is built from a CentOS based VM. You would need to begin there to lock it down. DISA has a STIG for locking down UNIX machines that you could use to secure your vMA VM. There is an updated one located here http://iase.disa.mil/stigs/checklist/ . It appears that this was updated last month.

With ESX you would need to lock down every ESX host but with the mix of ESXi and one vMA you would only need to lockdown the one vMA. There are still a number of security considerations in ESXi but they are far fewer then with the ESX hosts. Have you looked at the vSphere security guide? It can be found here http://communities.vmware.com/docs/DOC-12306

If you have specific security questions the forums are a good place to ask.

0 Kudos