Security hardening for VMWare ESX Server 3.x - Part 1

With the proliferation of virtaulization in the enterprise one of the questions that is on most administrators minds is; how secure is my virtual environment?

VMWare's ESX Server has a built in firewall and the virtual switching prevents systems from communicating across VLAN boundaries but what about the ESX server itself or the VMWare tools application that is inevitability installed within each guest OS. We could take the approach that the ESX server is hardened out of the box and that nothing more is required to secure our virtual environment however that assumption would leave the virtual infrastructure subject to various attacks that could impact a wide range of network services.

There are several security layers to consider when examining the virtual infrastructure. The first being the ESX host itself and this begins with the installation process which makes recommendations regarding the partitioning of the local disk. Typically this will include a 100MB boot, a 100MB vmkcore, a 4GB root, a 2GB /var/log, and a swap partition of approximately 2 times the service console memory which is by default 272MB. The remainder will most likely be allocated to the local VMFS volume. Depending on the size of the local disk you may choose to make the root partition larger than the default. For example if the server has two 72GB disks mirrored then I would typically create a root partition of 20GB, if the server has two 146GB disks then I would create a root partition of 40GB.

Generally, I tend to copy the iso files for any distributions that I might need to the /vmimages/tools-isoimages folder on the server. This works fine if there are only a few servers but if the infrastructure consists of 5 or more servers then you might consider an NFS share for the iso files. As for the swap partition and the /var/log I would recommend making them 1.6GB and 4GB respectively. This allows you to increase the service console memory to the maximum of 800MB and then have a swap partition to support the allocated memory. By increasing the /var/log partition to 4GB this mitigates the risk of filling with log files as the result of a DOS attack, although there are additional parameters that will be discussed later that will also help to mitigate the risk.

With respect to the security of your virtual infrastructure starting off on the right track can certainly help protect your environment and provide you with the foundation necessary to mitigate any security risks that might arise in the future.

The next part of this article will include modification tips for the service console to make it more secure.