ESXi 5.1 Host Security Improvements
While at VMworld 2012 in Barcelona last week, I had the opportunity to participate in several conversations with customers discussing many topics and concerns regarding the vSphere 5.1 platform, and one of them was the forever important topic of security. While a great deal of effort goes into sustaining high security standards, there are always concerns about access, auditing and traceability in any infrastructure.
With the release of the vSphere 5.1 platform, VMware introduced many security enhancements to the platform. Some of those efforts were around improving auditing and security capabilities and others are beyond the scope of what I’m trying to discuss in this post.
One of the many concerns organizations are obligated to deal with is focused on systems security and accessibility as it relates to accounts, passwords, and auditing capabilities. vSphere 5.1 addresses many of those concerns by improving the security framework in many areas of the platform. These facts are not some sort of well-kept secret; I was able to find a blog post on the vSphere Blog by Kyle Gleed, the Sr. Technical Marketing Manager at VMware responsible for the ESXi platform. The article covers the security enhancements as well as some other great details, and I recommend reading it.
My point here is to illustrate some of the security improvements made to ESXi 5.1 that were topics of discussion in some of my conversations at VMworld in Barcelona.
ESXi 5.1 allows the creation of individual local user accounts. Being able to create individual local user accounts on ESXi hosts eliminates the need to share or use the “root” account and password, which helps mitigate one of the most common security risks. It also facilitates better auditing and traceability on the ESXi hosts.
ESXi Hosts Multiple Local Accounts
Local ESXi accounts and access roles need to be created and customized via the vSphere C# client; the new vSphere Web Client does not connect to ESXi hosts directly.
ESXi Hosts Local Access Roles
Any local account granted the Administrator role will automatically receive remote shell (SSH) and local DCUI access. The use of individual accounts simplifies auditing, as remote and local logins, as well as the execution of individual tasks, can be easily tracked.
DCUI Local User Access
The recommended approach for auditing and log parsing is to send all ESXi logs to a centralized syslog server for better manageability and search capabilities. The new vSphere Web Client Log Browser is also a handy tool for searching ESXi logs.
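As an added illustration of the traceability point above (example code, not part of the original post or of any VMware tooling), the following Python audit walks over constructed, syslog-relayed ESXi lines, attributes SSH logins and shell commands to local accounts, and lists what ran under the shared root account; the field layout of the sample lines is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines, shaped like the SSH login (auth.log) and shell (shell.log)
# records an ESXi 5.x host relays to syslog; the exact field layout is an assumption.
SAMPLE_LOG = """\
2012-10-15T09:12:01Z esx01 sshd[2201]: Accepted keyboard-interactive/pam for root from 10.1.1.50 port 51022 ssh2
2012-10-15T09:12:09Z esx01 shell[2210]: [root]: esxcli software vib list
2012-10-15T09:20:44Z esx01 sshd[2300]: Accepted keyboard-interactive/pam for jsmith from 10.1.1.77 port 51100 ssh2
2012-10-15T09:21:02Z esx01 shell[2305]: [jsmith]: esxcli system syslog config get
2012-10-15T09:22:30Z esx01 shell[2305]: [jsmith]: vim-cmd vmsvc/getallvms
"""

LOGIN_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")
SHELL_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$")
SHARED_ACCOUNTS = {"root"}  # activity under these accounts cannot be tied to one person

def parse_line(line):
    """Classify one syslog line as an SSH login or a shell command, or return None."""
    m = LOGIN_RE.match(line)
    if m:
        return ("login", m.group("user"), m.group("ip"))
    m = SHELL_RE.match(line)
    if m:
        return ("command", m.group("user"), m.group("cmd"))
    return None

def audit(log_text):
    """Attribute logins and commands per account; list commands run under shared accounts."""
    logins, commands = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # lines from other daemons are out of scope for this audit
        kind, user, detail = parsed
        (logins if kind == "login" else commands)[user].append(detail)
    unattributable = [c for u in SHARED_ACCOUNTS for c in commands.get(u, [])]
    return {"logins": dict(logins), "commands": dict(commands),
            "unattributable_commands": unattributable}

if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for user, cmds in report["commands"].items():
        print(f"{user}: {len(cmds)} command(s), logged in from {report['logins'].get(user)}")
    print("commands with no individual owner:", report["unattributable_commands"])
```

On a real deployment the same parse would run against the files the centralized syslog server collects, so the per-account attribution survives even if a host is rebuilt.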
There are many topics and much ground to cover in relation to the security enhancements introduced in vSphere 5.1; this is just one of them.