Daniel Petri van de website http://www.petri.co.il/ heeft een artikel geschreven over de beveiliging van VMware ESX Server.
On a traditional server, you are only concerned with locking down the server OS. That OS could be Linux or Windows. Windows has, of course, been the favorite for security attacks so much of our time is spent securing it. So what if you put VMware ESX into this picture?
With VMware ESX being loaded on top of the server hardware, there are a few points of immediate concern:
- the VMKernel & its virtualization layer
- the VMware ESX Service console (based on Red Hat Linux Enterprise)
These two pieces are two very distinct parts of VMware ESX. VMware has periodically released patches for both of these different components although you probably just thought of them as “ESX patches”.
Concerning #1, the VMKernel and its virtualization layer is extremely secure. The Guest machines have hardware isolation in place and it seems impossible that a guest VM could somehow compromise the security of the host virtualization layer.
As for #2, with the services console being based on Linux, it will be affected by most of the Red Hat Linux vulnerabilities. Because the service console is a Linux OS with a direct link to the VMKernel, I will focus on securing the service console.
But first, what many admin’s forget about once they have virtualization software in place, is the underlying virtual guest operating systems. Because it is so easy to add a new server (in just seconds), it is easy to forget to add those servers to your patch distribution system (like SMS or WSUS), add anti-virus software, install the latest service packs, and or tweak security settings. In my opinion, the insecurity of those underlying virtual guest operating systems is the single largest source of concern for the security of your ESX servers. Fortunately, because ESX separates the guests from the host, if a guest is compromised it is unlikely it could affect the host except to perhaps take up more network bandwidth or server resources. My point being, don’t forget to secure your underlying Windows and Linux virtual guest operating systems!
With that, let’s get to securing your ESX Server service console…
Lees de rest van het artikel hier: http://www.petri.co.il/secure-vmware-esx-server.htm