With the release of VMware’s latest vSphere edition, version 5, this summer, security professionals have new features to help them lock down their virtualized infrastructure. The biggest change with vSphere 5 for security is the addition of a firewall to ESXi. Previously, only ESX came with a firewall. Although the ESXi firewall is stateless, acting essentially as a simple packet filter, and isn’t nearly as robust as commercial virtual firewalls, it adds another layer of defense to a virtualization deployment. For the most part, it’s equivalent to the Service Console firewall on ESX platforms, and enterprises should strongly consider adding it to their virtualization security strategy.
In this tip, we’ll examine the ESXi firewall functionality and take a look at other security features in vSphere 5.
ESXi firewall management functionality
The firewall is most often managed through the vCenter management console by selecting the ESXi server you want to configure, and then selecting Configuration followed by Security Profile. The existing firewall rule set will be displayed, with incoming and outgoing connections and services along with their respective TCP and UDP port numbers. The ability to configure both incoming and outgoing ports is a new capability, and is simply managed by selecting Properties, choosing a rule, and modifying the port settings for it.
In this same Properties window, another new feature is available, which allows administrators to configure the IP addresses and subnets that are allowed to connect to the specified ports. The ability to add access controls to services, mimicking the TCP Wrappers functionality built into Unix and Linux firewalls for many years, is a significant improvement to the overall network security of ESXi. (See figure below.)
In order to define custom services and create new sets of firewall rules, however, administrators will need to access the ESXi command line console or use SSH to connect to the system. There are several ways to add new rules and services. The first way requires editing the /etc/vmware/firewall/service.xml and /etc/vmware/service/service.xml files. These files contain a simple XML-based tagging structure that defines custom firewall rules. Another option would be to create new XML files in the /etc/vmware/firewall folder. An example file that creates a simple inbound and outbound service using TCP port 31337 is shown in the following figure:
After adding custom firewall services, you will need to enable them by running the command esxcli network firewall refresh at the command line. The command esxcli network firewall ruleset list will then show you the entire rule set. The next step is to limit access to the services to only certain IP addresses or ranges. This can be accomplished with two commands:
esxcli network firewall ruleset set --allowed-all false --ruleset-id=<rule id>
esxcli network firewall ruleset allowedip add --ip-address=<IP address or range> --ruleset-id=<rule id>
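The whole procedure above, from service definition to source restriction, as an added example that is not the article's original figure or VMware's own code. The service name customsvc, the file name derived from it and the 192.0.2.0/24 range are assumptions made for illustration; port 31337 and the esxcli commands are the ones named in the text.

```shell
#!/bin/sh
# Added example: define a custom ESXi firewall service, then restrict who may reach it.
SERVICE_ID="customsvc"         # hypothetical ruleset name
PORT=31337                     # the article's example port
ALLOWED_NET="192.0.2.0/24"     # constructed documentation range
FW_DIR="/etc/vmware/firewall"

# Emit a service definition with one inbound and one outbound TCP rule.
service_xml() {
    id=$1; port=$2
    cat <<EOF
<ConfigRoot>
  <service>
    <id>${id}</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>${port}</port>
    </rule>
    <rule id='0001'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>${port}</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
EOF
}

# Reject anything that is not a port number before it reaches the rule file.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Write the file, reload the firewall, then swap "allow all" for the one range.
apply_ruleset() {
    valid_port "$PORT" || { echo "bad port: $PORT" >&2; return 1; }
    service_xml "$SERVICE_ID" "$PORT" > "$FW_DIR/$SERVICE_ID.xml"
    esxcli network firewall refresh
    esxcli network firewall ruleset set --allowed-all false --ruleset-id="$SERVICE_ID"
    esxcli network firewall ruleset allowedip add --ip-address="$ALLOWED_NET" --ruleset-id="$SERVICE_ID"
    esxcli network firewall ruleset allowedip list --ruleset-id="$SERVICE_ID"
}

# Nothing on the host changes unless the script is run with "apply".
if [ "${1:-}" = "apply" ]; then apply_ruleset; fi
```

Run without arguments, the script only defines its functions; the final allowedip list call prints the resulting access list so the restriction can be confirmed before the service is relied on.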
ESXi 5’s firewall has one interesting anomaly related to Network File System (NFS) storage. The default rule set has a service defined called nfsClient. The ESXi server will automatically enable this service when NFS storage is added or mounted, and the IP address of the NFS store will be added to the rule as a trusted host. Unmounting NFS stores can also cause the ESXi server to automatically disable the nfsClient rules. Although this is generally a helpful feature, any automation of firewall rule behavior can potentially lead to unwanted restrictions or traffic.
Other vSphere 5 security features
vSphere 5 includes a new “integrity check” feature for Host Profiles, allowing administrators to verify a hypervisor’s overall configuration state before communicating with it. These levels range from well secured (“VMware Certified”) to loose (“Community Supported”). Logging capabilities have also been enhanced in ESXi version 5, allowing TCP, UDP and SSL-based logging. Logging has been streamlined into a single configuration file (/etc/vmsyslog.conf), and individual services’ logging configuration files can be found in the /etc/vmsyslog.conf.d folder. Many more options for configuration are available, including specification of multiple remote log hosts and improved log rotation.
About the author:
Dave Shackleford is the senior vice president of research and the chief technology officer at IANS. Dave is a SANS analyst, instructor and course author, as well as a GIAC technical director. Dave previously was the founder and principal consultant with Voodoo Security, and has consulted with hundreds of organizations in the areas of security, regulatory compliance and network architecture and engineering. Dave is a former QSA with several years' experience performing PCI assessments. He is a VMware vExpert, and has extensive experience designing and configuring secure virtualized infrastructures. Dave previously was CSO for Configuresoft, CTO for the Center for Internet Security, and has also worked as a security architect, analyst, and manager for several Fortune 500 companies.