
Jul 19 2011

ESXi 5.0 Enhanced Security Profile

Bloggers have been doing a great job during the past couple of weeks and several vSphere 5.0 articles are being published. There is a lot of information floating around, and I would recommend having a look at this page from Eric Siebert with vSphere 5 Links.

While studying for the VCP5 Beta at the end of this week, I came across several features that I had only read about in feature overviews. One of them is the enhanced Security Profile configuration, which implements a new stateful firewall engine that allows administrators to define port rules for each service, in place of the IPTables engine used in vSphere 4.1.

vSphere 5.0 makes ESXCLI its main command-line tool for host management. The existing esxcfg- and vicfg- commands have been deprecated and will no longer be supported by VMware, so it is important that we start getting familiar with the esxcli command. Esxcli already existed in prior releases of vSphere, but it has been revamped and additional namespaces have been added to allow broader host management.

The firewall is no exception and can also be managed via esxcli; the rules themselves, however, are defined in /etc/vmware/firewall/service.xml and have to be edited there. The service.xml file contains all firewall rules, including ports and protocols.

~ # vi /etc/vmware/firewall/service.xml
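To see what that file actually encodes, here is an added example (not from the original post and not VMware's code) that parses a constructed service.xml in the ESXi 5.0 layout and lists the inbound ports an enabled service opens. The element names follow VMware's documented format; the three service entries are made up for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the ESXi 5.0 service.xml layout (assumption: layout as
# documented by VMware; the services and ports are made up, not from a real host).
SAMPLE_SERVICE_XML = """<ConfigRoot>
  <service id="0000"><id>sshServer</id>
    <rule id="0000"><direction>inbound</direction><protocol>tcp</protocol><porttype>dst</porttype><port>22</port></rule>
    <enabled>true</enabled><required>false</required>
  </service>
  <service id="0001"><id>vMotion</id>
    <rule id="0000"><direction>inbound</direction><protocol>tcp</protocol><porttype>dst</porttype><port>8000</port></rule>
    <rule id="0001"><direction>outbound</direction><protocol>tcp</protocol><porttype>dst</porttype><port>8000</port></rule>
    <enabled>false</enabled><required>false</required>
  </service>
  <service id="0002"><id>customAgent</id>
    <rule id="0000"><direction>inbound</direction><protocol>udp</protocol><porttype>dst</porttype><port><begin>9000</begin><end>9010</end></port></rule>
    <enabled>true</enabled><required>false</required>
  </service>
</ConfigRoot>"""

def parse_service_xml(xml_text):
    """Return {service_id: {"enabled": bool, "rules": [(direction, protocol, porttype, begin, end)]}}."""
    services = {}
    for svc in ET.fromstring(xml_text).iter("service"):
        rules = []
        for rule in svc.iter("rule"):
            port = rule.find("port")
            # <port> holds either a single number or a <begin>/<end> range
            if port.find("begin") is not None:
                begin, end = int(port.findtext("begin")), int(port.findtext("end"))
            else:
                begin = end = int(port.text)
            rules.append((rule.findtext("direction"), rule.findtext("protocol"),
                          rule.findtext("porttype"), begin, end))
        services[svc.findtext("id")] = {"enabled": svc.findtext("enabled") == "true", "rules": rules}
    return services

def enabled_inbound_exposure(services):
    """(service, protocol, begin, end) for every inbound destination-port rule of an enabled service."""
    exposure = []
    for name, svc in services.items():
        if not svc["enabled"]:
            continue  # disabled services open nothing, whatever their rules say
        for direction, proto, porttype, begin, end in svc["rules"]:
            if direction == "inbound" and porttype == "dst":
                exposure.append((name, proto, begin, end))
    return sorted(exposure)
```

Run against a copy of a host's service.xml, the second function gives a quick inventory of what the host firewall lets in before and after a rule change.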

In the Security Profile configuration page it is possible to enable and disable services that have external network connectivity, just as in ESXi 4.1. The major difference in ESXi 5, however, is that the inbound and outbound TCP and UDP ports of those services can also be managed. In addition, the administrator can allow or block specific IP addresses or subnets for common VMkernel services such as vMotion, Fault Tolerance, DHCP Client and Host Based Replication (HBR), amongst others.

The screenshots below show the service selection process for changing the stateful firewall rules. Since these rules are stateful they will persist across host reboots. In the firewall settings configuration window it is possible to define IP addresses and subnets using both IPv4 and IPv6.

ESXi 5.0 also kept a little gem that I have not seen published in any of the overview articles. Although, I have to confess that I have not read them all, so I am sorry if I am doing anyone an injustice.

The Host Image Profile Acceptance Level can also be set up within the Security Profile configuration screen. This setting determines which vSphere Installation Bundles (VIBs) are accepted for installation on the host.

VMware has classified Acceptance Levels as: VMware Certified, VMware Accepted, Partner Accepted and Community Supported.

If someone tries to install a plug-in, driver or ESXi bundle with a lower acceptance level than the one defined by the Host Image Profile Acceptance Level, the installation will not proceed. At this stage I am not entirely sure how each bundle gets its stamp.

The last feature in the Security Profile configuration window is not new to any vSphere 4.x administrator: Lockdown Mode.

Note: The features above may be pulled from the product before vSphere 5.0 is released. There is no guarantee that the GA product will have the same features and screens.