7

So I've got an interesting problem.

I currently rent a couple of servers from Hetzner (a German hosting provider). Each server has a soft firewall and does something like web hosting / database.

I would like to rent a beefier server and set up a hypervisor like ESXi on it with a vSwitch connected to the physical NIC and a pfSense VM, and another vSwitch from the pfSense VM to the other VMs. Unfortunately, Hetzner does not appear to provide a hardware firewall in between the public interface and your server (leaving a soft firewall as the only option).

What are the security implications of running ESXi (v5.5) out in public like that? Quick research suggested this thread on Spiceworks, which sums it up as disabling SSH/console (telnet?) access, setting up a proper SSL cert, and using a very complex, unguessable username/password pair, with the obvious implication of a single-entry attack point.

test-in-prod
  • This is just a bad solution. I see it asked here way too often, though, and I'm not sure why people end up in the situation without a real firewall. – ewwhite Jul 03 '14 at 08:14
  • What are you planning to run on the ESX? There might be a better way to approach the problem. For web servers, have you looked into AWS? – jonatan Jul 03 '14 at 08:24
  • Of course you have the host firewall and the firewall on the guests but to my line of thinking this is like leaving the vault door open and letting the bank robbers bang away at the safety deposit boxes. Is there no hosting provider that you can use that implements a firewall at the ingress/egress of the network? – joeqwerty Jul 03 '14 at 10:51
  • @ewwhite could be because of unusual circumstances like a hosting provider. – test-in-prod Jul 03 '14 at 15:51
  • @jonatan, I have looked at AWS, however I have distrust and would rather host/keep my own data – test-in-prod Jul 03 '14 at 15:52
  • @joeqwerty at the time of my research, Hetzner seemed to be the most cost-effective provider for what they offered (full server hardware rent on the cheap) – test-in-prod Jul 03 '14 at 15:53
  • Right, I understand... but a hosting provider + ESXi and no networking flexibility is the worst of all combinations. The hardware won't be resilient enough, you'll have problems with out-of-band access, security is dependent upon weird VM-based networking and there still won't be any NIC/switch redundancy. – ewwhite Jul 03 '14 at 16:31

3 Answers

9

You can limit the IP addresses permitted through the ESXi firewall.

http://pubs.vmware.com/vsphere-50/index.jsp?topic=%2Fcom.vmware.vcli.examples.doc_50%2Fcli_manage_networks.11.11.html

That is really all you need to harden it. Locking your management down to specific IP addresses is very secure. Naturally follow the other best practices re passwords etc as well.

Just make sure to look at the firewall completely and lock down everything to your management IPs.

Non Static IP Alternative

Lock all ports down to 127.0.0.1 as given above except for SSH. Lock SSH down to private/public key authentication only and disable ChallengeResponseAuthentication and PasswordAuthentication. This is very secure.

Use your favourite SSH client connect to the server with a command line such as:

ssh my.vmhost.rackhoster -L80:localhost:80 -L443:localhost:443 -L903:localhost:903

Then leave the SSH session running and point your browser to https://localhost/ and it will automatically forward port 443 through to the ESXi host. Change the ports if you are already using port 443 on your local machine (i.e. -L8443:localhost:443 instead -> https://localhost:8443/). Same for port 80. Port 903 is for the console.

If you ever lose your private key you're pretty screwed this way, so back it up! :-)

For ultra security ensure your private key is encrypted with a good passphrase. Don't forget it!

Ian Macintosh
  • I see a potential problem of locking yourself out if you do not have a static IP from wherever you are managing it (in my case - at home). – test-in-prod Jul 03 '14 at 15:57
  • Not potential. *definite* :-) In that case you could (a) invest in a static IP address or (b) have a Terminal Server/GUI Frontend somewhere else on a static IP address such as the office or (c) set up a VPN connection to some static IP address and then manage it over the VPN. Naturally any option other than the first introduces additional points of failure, though fairly minimal. – Ian Macintosh Jul 03 '14 at 16:09
  • I added another alternative to the answer where you just have no access to any static IP address at all. – Ian Macintosh Jul 03 '14 at 16:36
  • I will give this a try at home first to see how it works, but this seems like it might just work! Thanks! Marking as an answer for now – test-in-prod Jul 03 '14 at 19:11
4

Use the ESXi builtin firewall to close down unneeded ports and limit access to the open ones to a range of known IP addresses.

This might be challenging if you do not use a fixed external IP address at home (like most people), so you may end up restricting access to the addresses of some other servers that you have on the Internet.

VFrontDe
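Ian Macintosh's answer above and this one come down to the same two controls: key-only SSH on the host, and an ESXi firewall that only admits known management IPs. The script below is an added example, not code from either answer or from VMware. It audits an sshd_config for the directives Ian names (taking into account that OpenSSH uses the first value it reads for a keyword and that a Match block can switch password logins back on for one user), and it turns saved output of "esxcli network firewall ruleset list" and "esxcli network firewall ruleset rule list" into the allowed-IP lockdown commands for every enabled inbound ruleset. The two esxcli output layouts are assumed to match ESXi 5.x, and every file content, ruleset name and IP (RFC 5737 documentation ranges) is a constructed sample; compare them with your own host's output before piping anything to sh.

```shell
#!/bin/sh
# Added example, not code from either answer or from VMware.  POSIX sh helpers
# for the two controls the answers describe: key-only SSH and an ESXi firewall
# restricted to management IPs.  Written for busybox sh/awk so it also runs in
# the ESXi shell.  All file contents, IPs and ruleset names are constructed.
set -e

# --- 1. sshd_config audit ---------------------------------------------------
# OpenSSH takes the FIRST value it reads for a keyword, keywords are
# case-insensitive, and directives after "Match" are conditional: the global
# effective value is therefore the first occurrence before any Match block.
sshd_effective() {            # $1 = sshd_config path, $2 = keyword
  awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/ || NF == 0  { next }            # comment or blank line
    tolower($1) == "match" { exit }            # conditional section begins
    tolower($1) == k       { print $2; exit }  # first occurrence wins
  ' "$1"
}

# Password/challenge-response keywords that a Match block switches back on
# ("PasswordAuthentication yes" for one user undoes the global "no").
sshd_match_reenables() {      # $1 = sshd_config path
  awk '
    /^[ \t]*#/ || NF == 0  { next }
    tolower($1) == "match" { inmatch = 1; next }
    inmatch && $2 == "yes" && (tolower($1) == "passwordauthentication" ||
        tolower($1) == "challengeresponseauthentication") { print $1 }
  ' "$1"
}

# Succeeds only if the file enforces key-only logins.  Unset keywords fall
# back to the OpenSSH defaults (password and challenge-response both "yes"),
# so a missing directive counts as a failure, not a pass.
sshd_key_only() {             # $1 = sshd_config path
  pa=$(sshd_effective "$1" PasswordAuthentication)
  cr=$(sshd_effective "$1" ChallengeResponseAuthentication)
  pk=$(sshd_effective "$1" PubkeyAuthentication)
  [ "${pa:-yes}" = no ] && [ "${cr:-yes}" = no ] && [ "${pk:-yes}" = yes ] &&
    [ -z "$(sshd_match_reenables "$1")" ]
}

# --- 2. ESXi firewall lockdown ---------------------------------------------
# From saved "esxcli network firewall ruleset list" and "... ruleset rule list"
# output, emit the esxcli calls that replace allow-from-anywhere with an
# explicit IP list for every ENABLED ruleset that accepts INBOUND traffic.
# Outbound-only rulesets (ntpClient, sshClient, ...) are left alone: pinning
# them to your management IPs would only cut the host off from its servers.
esxcli_lockdown() {           # $1 = ruleset list, $2 = rule list, $3.. = mgmt IPs
  rulesets=$1; rules=$2; shift 2
  awk 'FNR == 1 { f++ }
       f == 1 && FNR > 2 && $2 == "true" { on[$1] = 1 }
       f == 2 && FNR > 2 && $2 == "Inbound" && ($1 in on) && !seen[$1]++ { print $1 }' \
      "$rulesets" "$rules" |
  while read -r rs; do
    echo "esxcli network firewall ruleset set --ruleset-id $rs --allowed-all false"
    for ip in "$@"; do
      echo "esxcli network firewall ruleset allowedip add --ruleset-id $rs --ip-address $ip"
    done
  done
}

# --- constructed sample inputs (layouts assumed to match ESXi 5.x) -----------
work=$(mktemp -d)
cat > "$work/sshd_good" <<'EOF'
pubkeyauthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
cat > "$work/sshd_bad" <<'EOF'
PasswordAuthentication yes
# the line below is ignored by sshd: the first value above wins
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
cat > "$work/sshd_match" <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
cat > "$work/rulesets" <<'EOF'
Name            Enabled
--------------  -------
sshServer          true
sshClient         false
vSphereClient      true
ntpClient          true
EOF
cat > "$work/rules" <<'EOF'
Ruleset          Direction  Protocol  Port Type  Port Begin  Port End
---------------  ---------  --------  ---------  ----------  --------
sshServer        Inbound    TCP       Dst                22        22
sshClient        Outbound   TCP       Dst                22        22
vSphereClient    Inbound    TCP       Dst               443       443
vSphereClient    Inbound    TCP       Dst               902       902
ntpClient        Outbound   UDP       Dst               123       123
EOF
for f in sshd_good sshd_bad sshd_match; do
  if sshd_key_only "$work/$f"; then echo "$f: key-only"; else echo "$f: NOT key-only"; fi
done
esxcli_lockdown "$work/rulesets" "$work/rules" 203.0.113.10 198.51.100.0/24
```

Run on the host, the generated lines lock sshServer and vSphereClient (443/902, i.e. the vSphere Client and web UI) to the two management addresses and leave ntpClient alone. Keep at least one address you can actually reach the host from in the list: Ian's warning about locking yourself out applies to these rules exactly as it does to the GUI. The dhcp ruleset, if enabled, carries an inbound rule too and would need the DHCP server's address rather than yours, so handle it by hand rather than with this generator.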
0

Why would you run ESX on the public net? Can't you just use the pfSense FW as the "public endpoint" and make everything else private? This is how I would do it.

MichelZ
  • This has the disadvantage that, if anything goes wrong on the firewall, the ESXi server may not be salvaged. – jornane Jul 03 '14 at 06:30
  • @Jorn: Make it an HA pair of firewalls then? Works well using pfSense. – MichelZ Jul 03 '14 at 06:31
  • As stated in the original question, this is not possible. With this hosting provider, you can't set up a server behind another server (via switch). Each server you get is connected to a public IP. – test-in-prod Jul 03 '14 at 15:56