Home / server / Questions / 353223
Accepted
Aron Rotteveel
Asked: 2012-01-25 12:51:04 +0800 CST

Recommended way to setup a secure ESXi environment with a publicly accessible range and 2 NICs

  • 772

I am fairly new to ESXi but have decided to dive into this, but have found out that things are not as easy as I had expected them to be (no doubt this is primarily caused by my lack of knowledge on the matter at this time).

What I have:

  • A dedicated server with 1 NIC running ESXi
  • A single (public) IP address for the host
  • A set of (public) IP addresses intended for any use I see them fit. To keep things simple, let's imagine a single webserver for now.

What I want to achieve:

  • Secure ESXi management; I really feel that a publicly accessible management host is wrong.
    • I don't have any physical routers at my disposal so I cannot hide the host behind a physical VPN.
  • Public access to some of my guest systems
  • Additional guests need to sit on a private network.
  • Public and private guests should optionally be able to communicate via the private network.

Currently, I'm a bit lost on how I should tackle this. I'd probably be able to get something running, but I don't want to start on the wrong basis or make choices that end up to be insecure.

Any help is appreciated.

UPDATE: what I have achieved so far (and network screenshot):

  • ESXi is up and running, still on the public interface
  • I have configured a pfSense guest
  • I have configured a DSL desktop to reach the pfSense guest through the private network.

I still feel that hiding ESXi behind a virtual VPN is quite risky, since I do not have console access. If I am overlooking something, or any alternatives are possible, I'd really like to know.

Network configuration for ESXi host

virtualization networking vmware-esxi

4 Answers

  1. Best Answer

    In a nutshell:

    1. Create (at least) two vSwitches, one "public", connected to one of the server NICs and one "private", which is not attached to any physical NIC.
    2. Pick an RFC1918 subnet to use on the private vSwitch, say 10.0.0.0/24.
    3. Install pfSense in a VM, assign its WAN interface to the public vSwitch and its LAN interface to the private vSwitch. Additionally, assign the VMware vKernel management port to the private vSwitch.
    4. Set up a VPN in pfSense along with appropriate routing to get to the private network. OpenVPN is quite easy to set up, but IPsec would be fine as well.
    5. For any server VMs you have, assign their interface to the private network.
    6. Create Virtual IPs in pfSense for the rest of your public IP addresses, then set up port forwards for any services you need people to be able to access from outside the host.

    At this point, the pfSense VM will be the only way traffic can get from the outside to the rest of your servers and management interfaces. As such, you can specify very specific rules about which traffic is allowed and which is blocked. You will be able to use the vSphere Client after connecting to the VPN you configured in step 4.

    • 7

  2. It seems like you are kind of out of options if all proposed scenarios - adding another device (be it a router or a different machine within the same network), buying a VPN service from your hosting provider or creating a virtual machine on your ESXi host handling the VPN traffic are not a good fit.

    The best thing you would get from ESXi is a stateless packet filter (available in ESXi5). What I would suggest to do here:

    • filter everything but HTTPS (tcp/443) and VMRC (tcp/903) (and maybe SSH (tcp/22) if you are working with tech support mode) - either using the ESXi firewall or by asking your hosting provider to set filters
    • load a verifiable certificate (you would need to get one from a public CA if your management stations tend to change or if you have many of them)
    • set complex passwords for all users
    • expose the management interface publicly.
    • 2

  3. As even a home/SMB router would be better than nothing and inexpensive, could you put something between your ESX systems and the outside? You could then use the router to forward only the needed ports to the systems and have a more secure ESX system. It would be fairly simple and cost is low. You could at least get it running relatively securely

    • 0

  4. Just my opinion...

    1. Network loops in ESX are only a concern if you're dual homing VM's, other wise nothing to worry about there. In fact in a typical ESX configuration you have at least two links to each switch and they're typically active/active. So if there's any possiable way to get that second NIC setup on a private network that can only be accessed by VPN, or some other secure manner, then that's the proper way to configure this.
    2. Since your hands are tied, do know that ESX its self has a firewall. So i would look into making sure that's locked down so that it can only be managed by a very specific IP range. You'll want to do this for both SSH and your GUI console If you tell me what version of ESXi you're running I'll get you some more info.
    3. The pfsense looks like a good configuration, although if you could find some way to even get something small like a Cisco ASA 5505 in there, that would a world of improvment for you.
    • 0