VMware security best practices guide

Without the proper security, you could put your entire VMware environment at risk. These best practices can keep your hosts and VMs safe from potential attacks.

Following VMware security best practices is key to keeping your environment secure. Proper security is even more vital in an age when high-profile data breaches can devastate entire organizations.

Traditional IT security measures don't typically provide all the protection a VMware environment requires, because virtual machines present unique security risks that require additional levels of protection over physical infrastructures. VMware continues to incorporate additional security resources into its product lineup, but you must also work to keep your virtual environment safe and secure.

Several VMware security best practices can help. First, evaluate the risks, learn how to implement and use key security tools and engage with the VMware community for support to keep your software-defined data center safe.

Security challenges in VMware

Virtualization introduces new attack vectors that hackers can use to access your infrastructure. The most prominent attack vector is the host management console, because it provides access to every VM on the host.

Other attack vectors include VMware Tools, which enables the guest OS to communicate with the hypervisor. Malicious applications can exploit VMware Tools' log files and fill up a host's entire data store.

Virtual machine security

Drivers also contain vulnerabilities. To prevent VM errors and security breaches, you must monitor the layer where the VM and the hypervisor interact.

One of the best ways to understand VMware security risks is to exploit them yourself. You can steal data from the CPU cache that your VMs share. Unpatched VMs can also affect security and consolidating services onto a single VM creates a single point of failure.

To properly secure your VMs, ensure you stay up to date with OS patches. You can also protect your guest OS using anti-malware applications such as Guest Introspection. Disable unnecessary VM functionality to minimize a VM's attack surface, and avoid using the VM console where you can, since it can allow a malicious attack on a VM.

Scripting and templatizing VM management can also ensure consistent security policies on all VMs across a software-defined data center, to ensure your VMs meet your specific requirements.

VSphere networking security

VSphere security is vital to a healthy virtual environment. A vSphere network security breach can occur through the vMotion and Storage vMotion networks, the VM network and/or the storage network. Even though these networks deal with lots of migrating data, that data is considered internal and can bypass the security measures designed to prevent external communication if not properly managed. Fortunately, you can use vMotion encryption to ensure that data involved in a migration arrives at its destination unchanged.  

Some vSphere security best practices include labeling components to ensure no errors are introduced as your network grows and adopting network isolation practices. Ensure you document and check your virtual LAN environment regularly to avoid problems and troubleshoot when issues arise.

If you don't use products that use the vSphere Network Appliance API, avoid configuring a host to send network information to VMs. If you do, an attacker can connect a VM to this filter and gain access to other VMs on the host.  

NSX can provide networking security to a VMware environment at large, including vSphere, via microsegmentation. This process isolates VMs into logical groups and places firewalls around individual workloads. This prevents a compromised workload from communicating with other workloads and infecting them as well, which limits the spread of a possible attack or failure.

ESXi host security

The best way to ensure ESXi host security is through proper firewall maintenance. You can easily manage ESXi firewalls through the vSphere Web Client, but you can also use PowerCLI or ESXCLI for firewall management tasks. You can configure and collect information about firewalls with just a few simple commands.

An ESXi server features default user accounts, but by adding more accounts, you can increase ESXi host security. The more customized user accounts you add, the more control you have over permissions of the people who access your infrastructure. To add more accounts, start your vSphere client and connect to the ESXi host. Click "Inventory," then select "Local Users and Groups." Right-click on the "Local Users and Groups" tab and select "Add," then enter a login name and password for the user profile you want to create. Once you create new users, you can create roles for those users and assign permissions based on those roles.

Secure Shell (SSH) is a secure network communication protocol that can improve VMware security. You can enable SSH in vSphere in just a few steps. First, start the vSphere client, then select the ESXi host in the "configurations" tab. Click through "Security Profile" > "Properties" > "SSH" > "Options." From there, you can set your startup options and services.

VMware secure boot can also protect ESXi hosts. Secure boot uses a Unified Extensible Firmware Interface to validate the digital signal of an ESXi kernel against a digital certificate in the UEFI. During the boot process, the ESXi file checks vSphere installation bundles against the UEFI's digital certificate, which prevents ESXi hosts with unverified kernels from booting.

VCenter server security

To keep vCenter server secure, control access between different vCenter server components. You can use vCenter Configuration Manager to automate security configuration across all your virtual, physical and cloud environments and ensure your vCenter configuration meets security standards.

Use named accounts, monitor admin privileges, and keep in mind that not every user requires an administrator role in vCenter. Use the vCenter server appliance to assign administrator role privileges. Always verify vSphere client certificates to keep your systems safe. And avoid running an SQL server in VMware; vCenter server should be the only server management software.

You can limit vCenter server's network connectivity and avoid putting the vCenter server system on a non-management network. This ensures that vSphere management traffic runs on a restricted network and limits possible points of attack. You can use a local or network firewall on the network that vCenter server runs on and include IP-based access restrictions to ensure only necessary components communicate with the server system.

Verify thumbprints for legacy ESXi hosts. VSphere assigns newer hosts -- specifically, hosts created in vSphere 6 and later -- VMware Certificate Authority by default. If you switch the certificate mode to "thumbprint," you can continue to use that mode for legacy hosts and verify thumbprints in the vSphere client.

VMware offers information about VMware security products, certifications and partners in its Technical Resource Center. This site also provides advisories and VMware security best practices. The VMware Communities site for security and compliance contains a forum where users can discuss VMware security issues and seek solutions to their problems from peers.

Dig Deeper on VMware networking