VMware vSphere Deployment and Management

VMware vSphere Deployment and Management

Many people do not consider the deployment and management of virtual machines to be much of a security issue, but it is. Because most, if not all, VM deployment is done over the administrative network on which the VMware ESX Service Console, VMware ESXi Management Appliance, and vCenter Management Server (VC) hosts reside, it is an important aspect to discuss in the context of virtualization security. There are several threats to VMware vSphere™ and the Virtual Infrastructure that target the specific management tools, whether vCenter Management Server, the Virtual Infrastructure Client (VIC), Lab Manager, or even webAccess. Some vulnerabilities are easier to exploit than others, but they do exist. In addition to these straightforward vulnerabilities, issues exist with authentication, roles and permissions, and access restrictions. Beyond the normal tools that ship with the VMware ESX, ESXi, and Server hypervisors, we will broaden our discussion to include the VMware Stage, Lab, and Lifecycle Managers. We are not pulling the VMware Virtual Desktop Manager (VDM) into this discussion; it is covered in Chapter 10, "Virtual Desktop Security." One of the first things to understand is how data flows among all the management tools within the virtual environment. In some cases, settings change how data flows, and we will discuss those as well.

Management and Deployment Data Flow

Of chief interest when discussing security and management is how the management data flows around the virtual and physical network. Several management clients and tools are in use when we manage the virtual infrastructure, and each has its own management methodology and constraints. We will discuss all the primary VMware management products except the Virtual Desktop Manager and VMware View Manager within this chapter; Chapter 10 discusses the ins and outs of VDI, including VDM and VMware View Manager.

All traffic from management clients to either the virtualization hosts or VC, and back, is encrypted using the Secure Sockets Layer (SSL), with the exception of the initial handshake done to establish SSL connectivity. SSL provides the end-to-end encryption defined in Chapter 2, "Holistic View from the Bottom Up." Also, as described in Chapter 2, SSL is susceptible to a MiTM certificate injection attack; we discuss this further within this chapter.

Most of the mechanisms discussed in the following sections use SSL over port 443, and you may wonder how the system keeps everything straight: how does it know to send data to the SDK versus webAccess versus VIC access? VMware solved this problem with extensive use of reverse proxies that route on the entry point into the VC, VMware ESX, VMware ESXi, or VMware Server host. A reverse proxy hides the destination port from the client, which also decreases the overall attack surface of exposed ports: everything appears to tunnel through port 443. However, this does create a series of daemons within VC, VMware ESX, and VMware ESXi that could be listening on external ports yet do not need to do so.
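The following is an added example written for this page; it is not code from the book or from VMware. It models the two points above: a single port-443 entry point that dispatches to hidden backend daemons by entry-point prefix, and an audit that flags any of those backends bound to a non-loopback address (the "listening on external ports yet not needing to" case). The entry-point prefixes (/sdk, /ui, /client), the backend names and ports, and the ss-style socket listing are all constructed assumptions, not VMware's actual paths or port numbers.

```python
"""Added example: entry-point dispatch behind one public port, plus a listener
audit. All routes, ports and the socket listing below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Backend:
    name: str
    host: str   # address the daemon is expected to bind to
    port: int   # hidden from clients, who only ever see port 443


# Constructed routing table: entry point on the 443 listener -> backend daemon.
ROUTES: Dict[str, Backend] = {
    "/sdk":    Backend("sdk",       "127.0.0.1", 8085),
    "/ui":     Backend("webaccess", "127.0.0.1", 8086),
    "/client": Backend("vic",       "127.0.0.1", 8087),
}


def route(path: str, routes: Dict[str, Backend] = ROUTES) -> Optional[Backend]:
    """Choose the backend by the longest entry-point prefix that matches the
    request path; unknown entry points get no backend (the proxy rejects them)."""
    best: Optional[Tuple[str, Backend]] = None
    for prefix, backend in routes.items():
        if path == prefix or path.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, backend)
    return best[1] if best else None


# Constructed sample of `ss -ltn` style output from a management host.
SAMPLE_LISTENERS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:443         0.0.0.0:*
LISTEN 0      128    127.0.0.1:8085      0.0.0.0:*
LISTEN 0      128    0.0.0.0:8086        0.0.0.0:*
LISTEN 0      128    [::]:8087           [::]:*
LISTEN 0      128    127.0.0.1:8307      0.0.0.0:*
"""


def parse_listeners(text: str) -> List[Tuple[str, int]]:
    """Return (address, port) pairs from LISTEN lines in ss/netstat style output."""
    result = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")   # handles IPv6 "[::]:port"
        result.append((addr.strip("[]"), int(port)))
    return result


def audit_listeners(text: str, routes: Dict[str, Backend] = ROUTES,
                    public_ports: Tuple[int, ...] = (443,)) -> List[str]:
    """Flag proxied backends that are reachable without going through the
    proxy: any backend port bound to an address that is not loopback."""
    by_port = {b.port: b for b in routes.values()}
    findings = []
    for addr, port in parse_listeners(text):
        if port in public_ports:
            continue                      # the proxy itself is meant to be public
        backend = by_port.get(port)
        if backend is None:
            continue                      # not one of the proxied daemons
        if not ipaddress.ip_address(addr).is_loopback:
            findings.append(f"{backend.name} on {addr}:{port} is reachable outside the proxy")
    return findings


if __name__ == "__main__":
    for path in ("/sdk/vimService", "/ui/", "/client", "/other"):
        b = route(path)
        print(path, "->", f"{b.host}:{b.port}" if b else "rejected")
    for finding in audit_listeners(SAMPLE_LISTENERS):
        print("FINDING:", finding)
```

The audit deliberately ignores ports that are not in the routing table (8307 in the sample), since the point is to check whether daemons meant to sit behind the proxy have been left exposed; a broader inventory of every listener belongs in a separate hardening pass.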

