According to polls I've conducted on VMware Communities, 80% of the people using VMware Virtual Infrastructure trust the security model that VMware Inc. has used. Yet more than 70% are integrating VMware ESX into Active Directory; only a few are augmenting their security with access controls other than -- or in addition to -- AD.
However, without carefully configured access controls within AD, anyone with a legitimate AD account could log into the VMware ESX service console and gain access to restricted data. Some of this data is valuable in itself; much of the rest is critical to the system and could be further used by hackers to craft attacks on other data stores.
Even with group policies and other measures in place, there is a lot of room for individual access rights to go unmodified and leave unintentional access permissions in place.
Incorrectly protected configuration and script files could reveal things such as the system password, server configurations, configuration change histories, and the names of VM, network and other resources. In addition, it is possible to see how virtual machines are configured, and the logs associated with the running of VMs.
Thankfully the raw Virtual Machine Disk Format (VMDK) is not available to a generic user, but information about the VM is. That in itself creates an issue. Interestingly enough, data stores based on Network File System (NFS) are not accessible at all by a regular user from the VMware ESX host.
The host will give information about how the VM is configured, about the networks to which it's connected and how the disks are set up as well.
Lastly, it is possible for the firewall, Virtual Infrastructure Client authorizations, and other information about the VMware ESX Server to be discovered.
This is useful information for a hacker. I have listed only a few but there is quite a bit of information leakage that could be used to possibly subvert the host.
While the AD authentication is secure when using Secure LDAP or Winbind, it is still possible for non-administrators to gain access to systems and gain vital information about the host, VMs and the entire virtual environment.
To combat this, servers and networks need to be hardened further. More importantly, VM installations need more authentication controls.
There are at least three methods that can be used to limit access to the VMware ESX host built in to the management appliance.
They are TCP wrappers (a tool to limit access via IP to various daemons), pam_access (a tool to limit log-ins to the system by user, group and IP address in addition to limiting log-ins to only certain times) and the packet-filtering firewall (to limit access via IP). It is important to apply at least two of the three listed to get full coverage, just in case one fails.
Use these additional tools to further limit access to the Service Console, setting up AD integration or any other form of Single Sign On is an important tool to combat the spread of passwords.
It's not enough, however.
If your security policies dictate who can log into various physical servers, you need to do the same for VMware ESX. Then you will no longer suffer from possible information leakage and faulty authentication security.
Virtualization expert Edward L. Haletky is the author of VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers (Pearson Education, 2008). He recently left Hewlett-Packard Co., where he worked in the virtualization, Linux and high-performance technical computing teams. Haletky owns AstroArch Consulting Inc., which provides virtualization, security and network consulting and development. Haletky is also a champion and moderator for the VMware discussion forums, providing answers to security and configuration questions.
This story, "Virtual infrastructure: Threats lurk near open doors" was originally published by CIO.