Today I want to start a series of discussions about some security tips and prospective best practices. I will start with some simple steps on ESXi configuration as the main asset between vCenter objects. At each post there is 4 or 5 security recommendation titles about VMware security hardening and are absolutely consistent with VMware published checklists:
1. Built-in firewall rules:
As one of the first steps for ESXi hardening you can start from a limitation of permitted connections "To / From" the host and restricting unused transmit or blocking suspected traffics. So you may need to revision firewall rules and control what is permitted and what is not? or are their usage permanent or temporary for a specific time duration? Check your list again and for example, if you always want to have permanently SSH access to your hosts, limit allowed IP addresses to only your management system IP address.
2. Using SNMP version 3:
Because of the security nature of SNMP protocol on version3 in comparison with older versions 1 & 2 (based on the support of encryption, authentication & hashing algorithms), it's strongly recommended to use SNMPv3. Old versions are using only a community string for SNMP communication that is clear-text data and certainly is a security breach. So for monitoring ESXi hosts, it's better to configure only SNMPv3 settings by "esxcli system snmp set --v3targets ... (I will explain how to do it in another post)
3. VIB Verification:
VIB or vSphere Installation Bundle is a package file (like a ZIP) contains some installation files related to the ESXi. As the Kyle said there are 3 main parts of VIBs: Archive (Payload), XML (Descriptor) and a Signature file for trust level verification and you can configure it to each of 4 below-mentioned acceptance level depends on your system management policies:
I. Partner: VIB creating and testing will be done by a partner and there is no VMware verification.
II. VMware Certified: All processes will be done by VMware itself.
III. VMware Accepted: Testing will be done by partners but result verification relies on VMware.
IV. Community: All processes executed outside of the VMware partner program and are not supported.
It's a good suggestion to don't trust to all community VIB packages
4. NTP configuration:
Time, Time and Time ... This is so important to remember to set it before doing every other configuration on your hosts. It's recommended to set at least one NTP server outside of your virtual infrastructure (like a router) for all of the hosts. ( I described it before on this post how to do it by CLI)
5. Versions of TLS:
It's always a real problem, Which version of TLS we should use on our managed hosts? and what version must be disabled? It's strongly recommended to use only TLS 1.2 but somehow maybe some of the associated management products to the ESXi host can only communicate with an older version. So before disable versions of 1.0 or 1.1, check this matter out.
I think it will be my last post in 2018, so I hope to have a great and perfect year in 2019.