
I am fairly new to ESXi but have decided to dive into it. I have found out, however, that things are not as easy as I had expected them to be (no doubt this is primarily caused by my lack of knowledge on the matter at this time).

What I have:

  • A dedicated server with 1 NIC running ESXi
  • A single (public) IP address for the host
  • A set of (public) IP addresses intended for any use I see fit. To keep things simple, let's imagine a single webserver for now.

What I want to achieve:

  • Secure ESXi management; I really feel that a publicly accessible management host is wrong.
    • I don't have any physical routers at my disposal so I cannot hide the host behind a physical VPN.
  • Public access to some of my guest systems
  • Additional guests need to sit on a private network.
  • Public and private guests should optionally be able to communicate via the private network.

Currently, I'm a bit lost on how I should tackle this. I'd probably be able to get something running, but I don't want to start on the wrong basis or make choices that end up being insecure.

Any help is appreciated.

UPDATE: what I have achieved so far (and network screenshot):

  • ESXi is up and running, still on the public interface
  • I have configured a pfSense guest
  • I have configured a DSL desktop to reach the pfSense guest through the private network.

I still feel that hiding ESXi behind a virtual VPN is quite risky, since I do not have console access. If I am overlooking something, or any alternatives are possible, I'd really like to know.

[Screenshot: Network configuration for ESXi host]

Aron Rotteveel
  • can you provide a bit more info? For example, are you going to use vCenter? Can you set up VLANs on your switch? Can you set up trunk ports on your switch? BTW, when you say "public access" do you simply mean viewable on your LAN? Or do you mean exposed to the internet? – Eric C. Singer Jan 24 '12 at 21:06
  • also, do you have more NIC ports if need be? How many switches do you have? – Eric C. Singer Jan 24 '12 at 21:07
  • @EricC.Singer regarding your questions: 1) I am not using or going to use vCenter, 2) I have no access to the physical switch. This is a dedicated server in a shared rack to which I have no physical access. 3) When I speak of 'public access', this means exposed to the internet. 4) The server has 2 NICs, both connected to a single switch (the switch being the general switch for this specific rack, that is most likely used for other nodes that are not mine as well). – Aron Rotteveel Jan 25 '12 at 08:32
  • Update: it seems I have only 1 NIC enabled and the second can (or: will) only be patched through to an optional KVM interface to prevent accidental network loops. – Aron Rotteveel Jan 25 '12 at 08:52
  • A console connection (if the ESXi is running) can be achieved using something like this [KVM Console](http://www.lantronix.com/it-management/kvm-over-ip/spider.html). Just connect it to the on-board VGA and USB ports and use a network connection which is not publicly available. Of course this depends on whether or not you have access to the hardware. You could also use the public network connection, but I have no experience or knowledge of security problems with such devices exposed to the Internet. – Daywalker Aug 20 '13 at 11:52

4 Answers


In a nutshell:

  1. Create (at least) two vSwitches, one "public", connected to one of the server NICs and one "private", which is not attached to any physical NIC.
  2. Pick an RFC1918 subnet to use on the private vSwitch, say 10.0.0.0/24.
  3. Install pfSense in a VM, assign its WAN interface to the public vSwitch and its LAN interface to the private vSwitch. Additionally, assign the VMware vKernel management port to the private vSwitch.
  4. Set up a VPN in pfSense along with appropriate routing to get to the private network. OpenVPN is quite easy to set up, but IPsec would be fine as well.
  5. For any server VMs you have, assign their interface to the private network.
  6. Create Virtual IPs in pfSense for the rest of your public IP addresses, then set up port forwards for any services you need people to be able to access from outside the host.

At this point, the pfSense VM will be the only way traffic can get from the outside to the rest of your servers and management interfaces. As such, you can specify very specific rules about which traffic is allowed and which is blocked. You will be able to use the vSphere Client after connecting to the VPN you configured in step 4.

EEAA
  • My god, it's like you took the answer out of my head and wrote it faster than me. This is exactly 100% correct. – Mark Henderson Jan 24 '12 at 22:00
  • Righto. I've been out of the VMware game for a few months, so my terminology may be a bit off - I think I got it mostly correct, but feel free to correct as necessary. – EEAA Jan 24 '12 at 22:04
  • This surely will work, but since the vSphere client uses TLS for communications, I do not think the potential danger from exposing the ESXi server "publicly" would outweigh the very real danger of the admin shooting himself in the foot by an inadvertent shutdown of the pfSense VM. It would cut the admin off the ESXi management network at least temporarily, forcing him to restart the entire physical host. Or even cut him off forever if the pfSense machine has not been configured to auto-poweron. – the-wabbit Jan 24 '12 at 23:10
  • Thanks for the thorough answer. I was thinking on the same lines as @syneticon-dj regarding access through a VPN and the downsides he mentions. Sadly, I do not have KVM access to this server. Hiding the host behind a VPN running on a guest seems quite tricky and risky to me. Perhaps I am missing something, so I'd love to hear your opinion. – Aron Rotteveel Jan 25 '12 at 08:28
  • I also wonder how my current hosting provider does this: I currently have several VPS machines that are fully exposed to the internet by default. These machines run in a VMware based environment as well. Ideally, I'd be able to configure my own guest systems in a similar way. The solution my hosting provider offers seems to rely on another solution than port forwarding, right? – Aron Rotteveel Jan 25 '12 at 09:28
  • @AronRotteveel Who's your hosting provider? – JamesBarnett Feb 01 '12 at 22:13
  • @syneticon-dj a TLS connection will only protect you from listeners of your traffic, but not from potential security exploits. I keep shutting down all unnecessary ports from the wild as I don't want to be penetrated on some ports, with proprietary protocols, with security holes or something else. But I have to agree that I also would never virtualise a router/firewall as it will be your main line to all your other systems, and therefore needs some kind of reliability (ESX crashes, etc.). So if it's possible consider a router in front of your ESX setup. – Daywalker Aug 19 '13 at 13:51
  • Additional: Just keep the single point of failure in mind! – Daywalker Aug 19 '13 at 13:53
  • @Daywalker I would agree with you if there *were* a separate VPN router with an own control channel running independently of the state of the vSphere host. As long as there isn't, it is about choosing the minor evil - which is exposing HTTPS to the world IMO for the arguments I've mentioned. – the-wabbit Aug 20 '13 at 11:37
  • @syneticon-dj I agree with that, but I would still recommend using a dedicated, yet small, router, if the given environment will enable such a setup. Which in this case doesn't seem to be the case :) – Daywalker Aug 20 '13 at 11:47


It seems like you are kind of out of options if all proposed scenarios - adding another device (be it a router or a different machine within the same network), buying a VPN service from your hosting provider or creating a virtual machine on your ESXi host handling the VPN traffic - are not a good fit.

The best thing you would get from ESXi is a stateless packet filter (available in ESXi5). What I would suggest to do here:

  • filter everything but HTTPS (tcp/443) and VMRC (tcp/903) (and maybe SSH (tcp/22) if you are working with tech support mode) - either using the ESXi firewall or by asking your hosting provider to set filters
  • load a verifiable certificate (you would need to get one from a public CA if your management stations tend to change or if you have many of them)
  • set complex passwords for all users
  • expose the management interface publicly.
the-wabbit

As even a home/SMB router would be better than nothing and inexpensive, could you put something between your ESX systems and the outside? You could then use the router to forward only the needed ports to the systems and have a more secure ESX system. It would be fairly simple and the cost is low. You could at least get it running relatively securely.

Dave M
  • I can't get behind a recommendation to use a home or SMB router for any serious work - they're horribly under-powered, frequently have buggy firmware, and frankly, there are *much* better options out there that are available for free. – EEAA Jan 24 '12 at 22:08
  • This is not an option. This specific server runs in a datacenter to which I have no physical access and is sharing a rack. – Aron Rotteveel Jan 25 '12 at 08:29
  • @AronRotteveel Is there any chance your provider would install a VPN router or a VPN tunnel for you? If you really don't want to expose your ESXi server directly, I think this would be the only way to go. – the-wabbit Jan 25 '12 at 09:05
  • @syneticon-dj this would probably be an option if I'd choose for a custom solution, but this results in higher costs as well. Currently, for this question, this is not a solution. – Aron Rotteveel Jan 25 '12 at 09:25

Just my opinion...

  1. Network loops in ESX are only a concern if you're dual homing VMs, otherwise nothing to worry about there. In fact in a typical ESX configuration you have at least two links to each switch and they're typically active/active. So if there's any possible way to get that second NIC set up on a private network that can only be accessed by VPN, or some other secure manner, then that's the proper way to configure this.
  2. Since your hands are tied, do know that ESX itself has a firewall. So I would look into making sure that's locked down so that it can only be managed by a very specific IP range. You'll want to do this for both SSH and your GUI console. If you tell me what version of ESXi you're running I'll get you some more info.
  3. The pfSense looks like a good configuration, although if you could find some way to even get something small like a Cisco ASA 5505 in there, that would be a world of improvement for you.
Eric C. Singer
  • Hi Eric, thanks for your reply. Changing the hardware configuration in my current setup is not a possibility due to contractual agreements. This is a dedicated server in a shared rack, so there really is no way I can change anything about that, apart from buying a new hardware configuration. I have thought about locking down the ESXi in the built-in firewall, but it gives me an eerie feeling to rely on this; although the chance that my static ISP address changes is small, there still *is* a chance, which would result in being locked out. – Aron Rotteveel Jan 26 '12 at 09:03
  • I would say it is common practice in VPS type solutions to only allow remote admin access from a select set of IPs. Your concern is valid, but I would say that if you truly have a static IP, then you shouldn't have anything to worry about. – Eric C. Singer Jan 26 '12 at 15:28
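The host-firewall lock-down that the-wabbit's answer and point 2 of this answer describe, together with the lock-out check Aron asks about, as an added example (not code from any of the answers). It assumes ESXi 5.x esxcli syntax and ruleset ids (sshServer for tcp/22, vSphereClient for tcp/443 and tcp/902, webAccess for the HTTP welcome page); the admin address list and the source address are constructed values. It only prints the plan, so you can review it before pasting it into the ESXi shell.

```python
"""Plan an ESXi 5 host-firewall lock-down and refuse to lock yourself out."""
import ipaddress
import os

# Rulesets kept open only to the admin address list, and rulesets disabled outright.
RESTRICT = ("sshServer", "vSphereClient")   # tcp/22; tcp/443 + tcp/902
DISABLE = ("webAccess",)                    # tcp/80 welcome page, not needed
ROLLBACK_SECONDS = 300                      # safety net, see lockdown_plan()


def check_admin_source(admin_sources, current_source):
    """True if the address you administer from lies inside one of the allowed networks.

    None means you are not coming in over the network (e.g. the DCUI), so the
    new rules cannot cut this session off. The ESXi 5 filter is stateless, so an
    already established SSH session is not protected either.
    """
    if current_source is None:
        return True
    ip = ipaddress.ip_address(current_source)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in admin_sources)


def lockdown_plan(admin_sources, current_source=None, rollback=ROLLBACK_SECONDS):
    """Return the esxcli lines to run, or raise ValueError if they would lock you out."""
    if not check_admin_source(admin_sources, current_source):
        raise ValueError(f"{current_source} is not covered by {list(admin_sources)}")
    cmds = []
    # First line: a background job that reopens the restricted rulesets after
    # `rollback` seconds. Kill it only once a fresh SSH / vSphere Client session
    # from an admin address has been confirmed to work.
    reopen = " ; ".join(
        f"esxcli network firewall ruleset set --ruleset-id {r} --allowed-all true"
        for r in RESTRICT)
    cmds.append(f"(sleep {rollback} && {reopen}) &")
    for rs in RESTRICT:
        cmds.append(f"esxcli network firewall ruleset set --ruleset-id {rs} --allowed-all false")
        for cidr in admin_sources:
            cmds.append(f"esxcli network firewall ruleset allowedip add "
                        f"--ruleset-id {rs} --ip-address {cidr}")
    for rs in DISABLE:
        cmds.append(f"esxcli network firewall ruleset set --ruleset-id {rs} --enabled false")
    return cmds


if __name__ == "__main__":
    # Constructed admin list; the source address is taken from the SSH session, if any.
    admin = ["198.51.100.10/32", "203.0.113.0/28"]
    parts = os.environ.get("SSH_CLIENT", "").split()
    print("\n".join(lockdown_plan(admin, parts[0] if parts else None)))
```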