Securing VMWare ESXi – Part 1

Updated: Nov 19

This is the first part of a multi-article series that will dive headfirst in exploring the ESXI hypervisor architecture and its many security features. In this article we are going to focus on the importance of version & build of the ESXi hosts as well as monitoring the uptime of hosts. Sounds riveting, I know, but it is crucial. The goal is to provide information that helps improve VMWare infrastructure security and, in this case, secure VMWare ESXi.


ESXi Host Versions

VMWare ESXi (ESX integrated) is the bare-metal hypervisor installed directly onto physical server hardware. It creates a layer of abstraction between the hardware and the virtual machine guest operating system. This allows for multiple “servers” to be run on a single set of server hardware.


ESXi version

The ESXi host version relates primarily to the major and minor version of the ESXi host operating system on a given system. This can often be found represented as a version or patch release and has a unique build number. For Example:

While vCenter does not require all joined ESXi hosts to have the same version and build it does affect functionality as well as security. Host systems that have differing build versions that are also members of same host cluster will not support the latest security features or virtual machine versions. This can create problems not only when troubleshooting operational issues but expose vulnerabilities that may be exploited on older hosts within the same cluster. Virtual Machines (VMs) hosted on host clusters with different versions of ESXi will operate, however special attention will be needed should the Virtual Hardware Version of a VM be upgraded.

It is important to bring all ESXi hosts OS versions to the same level. VMware provides a couple of ways to manage updates in your ESXi cluster. vSphere Lifecycle Manager (vLCM) for vSphere 7 and vCenter Update Manager (VUM) for all prior versions of vSphere, help to plan and automate patching, making upgrading systems simpler. If the hosts cannot be updated, then efforts may be needed to coordinate with the vendors to come up with patch management procedures and manual update tasks.


Host Uptime

Knowing the uptime of ESXi hosts can be very helpful to administrators for a variety of reasons. If host uptime is monitored and/or logged, it can be used to catch unexpected and unplanned outages and downtime. For security purposes, it can be a key indicator whether a host has or has not been updated and patched recently. In some cases, monitoring uptime can also help to indicate if a host is experiencing attacks like Denial of Service (DoS).

While the uptime of an ESXi server is a testament to the stability and resilience of the host OS platform, it also indicates that regular maintenance patches and updates have most likely not been performed. Coordinate with any organizational change control guidelines and policies to ensure that planned maintenance can be performed on a regular basis to keep ESXi hosts properly updated.


Conclusion

Securing, planning, implementing and maintaining a consistent version of ESXi across all hosts in a vSphere environment, particularly within host clusters, is important and fundamental to ensure compatibility with security features and virtual machine versions. ESXi hosts are the “backbone” of the virtual infrastructure and as such it is also important to closely monitor system uptime to avoid unplanned outages or detect particular types of attacks. VMWare security requires several key items starting with the host versions and ESXi patching.


References and Additional Information

By: Demetrios Mustakas, Jr


Trimarc provides leading expertise in security solutions including security reviews, strategy, architecture, and implementation. Our methodology leverages our internal research and custom tooling which better discovers multiple security issues attackers could exploit to compromise the environment. Trimarc security services fit between traditional compliance/audit reviews and standard penetration testing/red teaming engagements, providing deep understanding of Microsoft and Virtualization technologies, typical security issues and misconfigurations, and provide recommendations based on our own best practices custom-tailored to balance operational and security challenges.


Trimarc performs security assessments that cover Active Directory, Azure AD & Microsoft Office 365, and VMWare. If you would like to improve the security of your VMWare infrastructure, let us know and we can discuss the Trimarc Virtual Infrastructure Security Assessment (VISA).


How to contact Trimarc

Online https://www.trimarcsecurity.com/contact

On Twitter @TrimarcSecurity

By email info@trimarcsecurity.com

By phone (202) 587-2735





147 views

Recent Posts

See All