Secure ESXi, vCenter Server, and vSphere Virtual Machines

Harden virtual machine access

VMware tools enable greater interaction between ESXi host and the virtual machine. VMware tool is mandatory for several VMware features to function. VMware recommends to restrict VMware tools installation access to only users who would need it. It is controlled by a privilege.

  • Virtual machine.Interaction.VMware Tools install

This privilege allows mounting and un-mounting the VMware Tools CD installer as a CD-ROM for the guest operating system. And this is on the Virtual Machine object.

It is also a good idea to restrict virtual machine data access. Note that data access means, the ability to cut/copy, paste data into and from virtual machine console. The administrator may also want to consider removing unwanted/unused virtual hardware of virtual machines. Doing this will eliminate some of the options available for hacker to compromise the systems. A virtual machine must be considered as a separate entity and its relevant security policies must be applied. To further harden the security of a virtual machine the following actions can be carried out,

  • Patching the guest OS with latest security releases and run any anti-spyware or anti-malware software programs. It’s a good practice to follow the suggestions made by the guest operating system vendor.
  • Disabling unnecessary services running in guest OS.
  • Making the virtual machine deployment process streamlined by using templates and scripts.
  • Disable HGFS file transfers.
  • Prevent Virtual Machines from taking over resources by defining required CPU and Memory and to set correct shared value. It is also a good practice to move the virtual machines into a resource pool.
  • Limit informational machine from virtual machine to the VMX file to avoid filling up the datastore. This would prevent a Denial Of Service (DoS).

Harden a virtual machine against Denial-of-Service attacks

Preventing Denial-of-Service of a VM requires good network planning and the settings in virtual switch and physical switch need to be configured properly to withstand Denial-Of-Service attacks.

Control VM-VM communications

Different virtual machines within a host can be configured to use different network segments. When virtual machines are isolated in its own segment, data leakage from one virtual machine to another is minimized. This technique (Segmentation), prevents ARP spoofing (man in the middle attacks), Denial-of-Service (DoS) attack, hijack the target system etc. There are two approaches to implement segmentation,

  • Use separate physical network adapters for virtual machine zones to ensure that the zones are isolated. Maintaining separate physical network adapters for virtual machine zones is probably the most secure method and is less prone to misconfiguration after the initial segment creation.
  • Set up virtual local area networks (VLANs) to help safeguard your network. Because VLANs provide almost all of the security benefits inherent in implementing physically separate networks without the hardware overhead, they offer a viable solution that can save you the cost of deploying and maintaining additional devices, cabling, and so forth

Control VM data access

Although the VM-VM is secured by segmentation, it is connecting to the physical network; the physical network is prone to breaches. Therefore the protected VM can be a victim of attacks from other compromised physical servers or virtual machines in the network. Therefore overall network must be monitored for threats and breaches. Network must be carefully planned to avoid such breaches. Also using security software to monitor network and conducting security checks in network can significantly reduce the risk of getting breached.

Configure network security policies

Just like a physical network adapter the virtual machine virtual network adapter can send packets that may appear like it is sent from a different machine. This is because; it lets the impersonating VM to receive packets that are intended for that VM. This poses a serious security threat. If an attacker takes control of a VM, the attacker can use it to listen to packets with valuable information.

When a standard switch is created on a ESXi host, appropriate security policies can be configured on virtual machine port group as well as VMkernel port group that carries system traffic such as management, vMotion etc,

Please note that, the security policies that we are defining at the port group level is a feature offered by hypervisor and not of the operating system running in the virtual machine. Once configured the ESXi hypervisor will then prevent the VM network adapters from doing such unnatural behavior. Another interesting things to note is, once enabled the guest operating system will not that its impersonation attempt is prevented.

Securing vSphere Standard Switches

Before making any attempt to secure the vSphere standard switch we must understand how it handles traffic during various conditions. We all know that MAC address is a very important and unique identifier used to identify source or destination. In vSphere when you create a virtual machine with one or more virtual network adapter, vCenter (in case of the host is managed by vCenter) or the ESXi host will assign a MAC address to the virtual NIC. There are three types of MAC address; let’s discuss the types and when it is assigned,

Initial MAC Address

It is the initial MAC address that gets assigned to a vNIC during the creation of virtual machine or while adding the vNIC to an existing VM. You can let the ESXi or the vCenter to decide what the MAC address can be or you can also manually input the desired. You can relate this to a physical NIC burned in address.

Effective MAC Address

The effective MAC address is set by the guest operating system. Usually the OS will use Initial MAC address as its effective MAC address. Some application may need the MAC address to be different and this option enables to just do that.

Runtime MAC address

Runtime MAC address is the actual (live) MAC address seen by standard switch port.

The following security options help us to prevent/allow communication from guest VM under certain pre-defined conditions. There are three security policies,

  • MAC address change
  • Forged transmits
  • Promiscuous mode

There are two options for these policies, Accept or Reject. Each option has its own policy. To change these values you can select the ESXi host from the inventory, click Manage and then Networking. Under virtual switches select the appropriate switch and then click the edit icon. In the new window select security. The same options are available at port group level as well. The port group level policy supersedes the ones set at vSwitch level. Following picture shows the options,

Figure 11: Security settings of a vSwitch
Figure 1: Security settings of a vSwitch
MAC Address Change

By default the option is set to “Accept”. When it is set to accept, ESXi will allow the request from operating system to change the effective MAC address to a different address than the initial MAC address. When it is set to “Reject” as you have guessed it, the opposite happens. The OS will not be allowed to change the effective MAC address.

MAC spoofing (MAC impersonation) is a common tactic used by hackers to change the effective MAC of a VM to impersonate another VM or to gain stealth by changing MAC to a random value. If this option is set to reject, ESXi will disable the port when it receives such request to change. The guest OS will not be aware that the request to change was rejected.

 Forged Transmits

The default option is “Accept”. When it is set to accept ESXi does not compare the source and effective MAC addresses and the frame is allowed. When set to reject, ESXi will compare the source and effective MAC address. If they are not same then ESXi will drop packer. To protect VM against MAC impersonation, this option can be set to reject.

Promiscuous mode

The default option is “Reject”. When set to reject, the guest OS cannot receive packets destined for other VM’s using its adapter. When it is set to accept, guest OS typically the tools running in guest OS; can see the packets which are intended for other VMs.

This option is very useful in case of using a network intrusion software or software like Wire Shark in the VM to monitor network traffic. At the same time, a person with bad intentions can snoop the network.

Harden ESXi Hosts

When an ESXi host is installed and initialized for the first time, ports are disabled by default and can only the required are open. These firewall ports that we are talking about is port used for SSH access, SNMP, vSphere web access etc. The ports can be enabled and disabled when needed and also can be configured to start and stop with host.

These setting can be viewed and changed in vSphere web client, ESXCLI and also via Power CLI.

Enable/Configure/Disable services in the ESXi firewall

ESXi firewall setting can be accessed via vSphere web client. Following is the procedure,

  1. Click the host in the inventory
  2. Then click manage tab and then settings tab under that
  3. Now click security profile under system

You can see a number of incoming and outgoing ports. You can click “Edit” to modify each connection setting. Only some of the connections can be edited/modified here. Following figure shows the same,

Figure 12: Edit security profile
Figure 2: Edit security profile

You can observer the options start, stop, restart and startup policy. The startup policy is a pretty straight forward option. When this is set to start and stop with host the port will start and stop along with host. Also note the option to allow connection from a specific IP address can be defined here.

To further harden ESXi security; shrink the incoming and outgoing connections option, then you will be able to see all services. Each of the services can be individually set to start and stop with host or manual start and stop. Following image illustrates the services list and its various options,

Figure 13: Start and Stop services
Figure 3: Start and Stop services

Lockdown mode can be enabled to prevent all remote users logging into ESXi host via SSH and other methods. When enabled, the host can be only accessed in vCenter Server and the console (DCUI) will be accessible. Some of the user can be exempted from lock down mode. Those users will be able to access the host remotely. To access lockdown mode, scroll down while on the security profile and the option can be found at the bottom after services.

Figure 4: Lockdown mode options

When set to Normal, the host can be accessed using vCenter as well as DCUI. But if the option is set to strict DCUI is also disabled and the host is managed only via vCenter server. To add uses to the exception list the next option can be used.

Apply permissions to ESXi host using host profiles

From a properly configured host (a reference host) its configuration information is extracted and kept in a profile. This template is called “host profile”. Later on this profile can be used to apply the configuration that is contained in it to a single host or a cluster. When applied on a cluster, all hosts participating in the cluster will have same configuration.

In vSphere web client host profile option can be found in the Home page under Monitoring. When you click that option you will be presented with the following screen. Click the green + icon to extract profile from a reference host.

Figure 15: Extract host profile
Figure 5: Extract host profile
Extract host profile

Select the reference host from the list and then click next. Give a name and then click next, review summary and click finish.

Figure 16: Extract profile from a host
Figure 6: Extract profile from a host

To the created profile you can then attach a host or cluster. It is also possible to check the compliance of host attached to the profile. Right click on the host profile to explore more options.

Harden vCenter Server

In the previous chapters we discussed how to harden virtual machines and ESXi hosts. This chapter we discuss some of the options available to harden the vCenter server.

Control datastore browser access

In order to control what one can do on a datastore browser it’s time to revisit “privileges”. Datastore.Low level file operations privilege can be enabled or disabled to allow/disallow a user to perform read, write, delete, and rename operations in the datastore browser.

Figure 17: Control datastore browser access
Figure 7: Control datastore browser access

Create/Manage vCenter Server Security Certificates

Security certificates are used by vSphere components to establish and communicate with each other securely (SSL). A certificate cannot be just created by you. VMCA, VMware certificate authority which is a service that resides in PSC provides certificate for ESXi hosts and each vCenter service. Alternatively you can also supply your own certificate that was obtained from a PKI (Public key infrastructure). The PKI can be either internal or external PKI’s such as Verisign etc. vCenter Certificates can be managed using the following tools,

  • vSphere Certificate Manager Utility – Command line tool to perform all certificate related operations/tasks
  • Certificate Management CLI’s – Certificate related tasks can be performed in dir-cli, certool and vecs-cli
  • vSphere web client certificate management – Using the vSphere web client we can only view certificate and its associated information such as expiration date.

Procedure on how to perform certificate operation is beyond the scope of this document. To view active/revoked/expired/root certificates in web client navigate to Administration -> System configuration -> Click the vCenter server -> Manage -> click Certificate Authority tab.

Control MOB Access

MOB – Managed Object Browser can be used to modify host configuration. Usually MOB is used only for debugging and disabling this interface may prevent an attacker from changing host configuration.

Procedure

Click the host from inventory -> Manage -> Settings tab -> click Advanced System Settings under system.
HostAgent.plugins.solo.enableMob is the name; the value should be “False” which means MOB is disabled.

Change default account access & Restrict administrative privileges

By default, root user has all the privileges on a single host and user administrator can perform all functions in vCenter. To enhance security, it’s a good idea to avoid using these default accounts and create username for each administrator or simply use VM directory service.

Leave a Reply

Your email address will not be published. Required fields are marked *