When it comes to security there is always the concerns about the security of the ESXi hypervisor. Its always the hypervisor that is nominated as the layer that can’t be trusted within the IT infrastructure. The whitepaper by Mike Foley tries to give you more insight on how the VMware ESXi hypervisor from a security perspective and what things to look at when securing the hypervisor.
The topics covered in the white paper are:
Secure Virtual Machine Isolation in Virtualization
This guide is the official security hardening guide by VMware. It will help you configure your VMware vSphere 4.1 Infrastructure in such a way that your infrastructure will be protected against all kinds of security risks.
I find these security hardening guides very handy in helping me to understand all the areas that I need to look into to protect my vSphere Infrastructure. I’m not a security expert and most security experts I talk to don’t have enough knowledge of vSphere to give good advice on the best way to protect your vSphere Infrastructure. This document fills the knowledge gap between both areas of expertise.
Notice that this document is a best practice document. Please read the document carefully before implementing all the security configuration items into your vSphere infrastructure. My advice is to use the security guide as the standard and document all the security configuration items that you do not implement into your vSphere infrastructure. Also document why you didn’t implement the recommended security settings into your vSphere infrastructure. There can be a valid reason for it, but this way you have documented the reason and can always explain your security configuration settings to the security team in the future.
Scope
This set of documents provides guidance on how to securely deploy VMware® vSphere™ 4.1 (“vSphere”) in a production environment. The focus is on initial configuration of the virtualization infrastructure layer, which covers the following:
-‐ The virtualization hosts (both VMware ESX® 4 and VMware ESXi™ 4)
-‐ Configuration of the virtual machine container (NOT hardening of the guest operating system (OS) or any applications running within)
-‐ Configuration of the virtual networking infrastructure, including the management and storage networks as well as the virtual switch (but NOT security of the virtual machine’s network)
-‐ VMware vCenter™ Server, its database and client components
-‐ VMware Update Manager (included because the regular update and patching of the ESX/ESXi hosts and the virtual machine containers are essential to maintaining the security of the environment)
You can download the Security Hardening Guide for vSphere 4.1 over here.