Important article! I would like to read more about this. In particular on the concept of having a DMZ inside the virtual host that is connected to the physical DMZ (if I understand correctly).
Just a minor line edit: it's not correct that VLANs are called port groups in ESX. They are entirely different things and I know the author is aware of the difference, since I read as much in his book ..

(Full disclosure, I work for TBD Networks, a network virtualization company, so my excitement is not entirely disinterested)

I would recommend to focus on using the VMware ESXi 3.5 (installable or embedded) instead of the VMware ESX 3.5 server. The ESXi doesn't have a service console, and therefore requires a lot less patching. The potential surface attack on the VMware ESXi 3.5 is extremely reduced.

In addition, I recommend that the management of a DMZ virtualized environment, should not be done from the normal virtualization management platform inside the company (Production VirtualCenter). The better approach is to add a VMware VirtualCenter inside a DMZ-MGMT area. The VMware VirtualCenter Foundation license is just right for this approach, as it allows you to manage three ESX or ESXi servers.

One of the biggest challenges with running servers or virtual servers in the DMZ, is keeping them secure with patches and fixes. Here, BlueLane's VirtualShield solution will fit in nicely. VirtualShield corrects all malicious and offending traffic as it passes through the hypervisor by applying the same corrective conditions as software vendor patches.

Erik Bussink (CISSP,VCP,RHCE)

Thank you Edward

Important article, I would like to read more about Securing ESX Servers and i would encourage every ESX Administrator to read about Important to Secure ESX Servers.

Best Regards,
Hussain Al Sayed

Re: ESX3i

Actually, VMware ESXi has more security issues than VMware ESX. There are several issues at hand: The first is that many people incorrectly assume there is no SC. There is one, it now uses BusyBox and not a full blown GNU install. BusyBox has most of the full Posix environment however. And it still runs within a VM just like the SC does, it also has all the access the SC does. The second item is that ESX3i has a backdoor for support that grants ALL the access necessary, with remote access cards, this becomes a risk. Third, there is no way to enhance VMware ESXi security which includes adding to a Directory Service for centralized password management. Fourth, there are BusyBox specific attacks available. Fifth, the RCLI can be attacked potentially with a SSL MiTM attack. The list goes on. VMware ESXi is not more secure than VMware ESX. It has different problems, some in my mind pretty major.

Check out http://communities.vmware.com/thread/150919?tstart=0 for some podcasts that include discussions on ESXi.

Best regards,
Edward L. Haletky

I was wondering if you have seen Chris Wolf's article on VM virtual switch security (http://searchservervirtualization.techtarget.com/tip/0,289483,sid94_gci1244407,00.html)? Based on the testing cited there, it seems that VMware ESX virtual switches performed poorly compared to Microsoft or Xen solutions. Some of the issues could be mitigated with port groups, or multiple virtual switches and VLAN tagging, but overall, I don't think I would want VMware ESX VMs on my DMZ unless I was very very careful, which of course is the point of your article.