Understanding VMware ESX Server Security Profiles
VMware ESX Server's built-in software firewall is called the "security profile" for the host server. To be clear, this firewall is the firewall for the entire host - including the service console (if it is not an ESXi server) but not the virtual guests running on the host. Personally, I wish that it was just called the "firewall", but the term "security profile" has "grown on me". I hope that after you read this article it will stick in your mind as well. Let's learn how it works, how to configure it in the GUI & CLI, and why it is important to you as a VMware Admin.
How does the VMware ESX Server Security Profile work?
As the VMware ESX Server security profile is the software firewall of the ESX Server its job is to monitor both inbound and outbound TCP & UDP ports to and from the ESX server. This is done in order to protect the server from network attack.
By default, only specific inbound connections are allowed to a VMware ESX Server. Specifically, (on an ESX 3.5 Server) only SSH and ports related to the VMware Infrastructure & Virtual Center management services are allowed inbound. If you want to access the server with any other applications, inbound, you will have to open that specific port.
Why is the VMware ESX Server Security Profile so important to you as an ESX Server Admin?
The VMware ESX Server Security Profile is important to you, as an ESX Server Admin for a few reasons:
So that you can understand how your ESX Server is protected from attack and so that you can properly secure your server.
If there are ESX services that you want to enable, such as FTP or NTP, you will need to open security profile ports.
If you install any 3rd party applications on the server, you may need to open ports.
How do I configure Security Profiles in the VMware ESX Server VI Client?
To configure security profiles in the VMware Infrastructure Client (VI Client), open the client, log in, and click on an ESX Server, as you see in Figure 1 below.
Figure 1: Accessing the VMware ESX Server Security Profile
Next, you would click on the Configuration tab, then on Security Profile (under Software), as you see in Figure 1.
From here, you can see (on the left) what security profile (firewall) ports are opened on your server (both inbound and outbound). For example, on this server, you can see that SSH and CIM services (used for the VI Client and Virtual Center) are all opened, inbound. Outbound, SSH, Virtual center, VMware License server, iSCSI, NTP, and VCB are all open.
Figure 2: Viewing Security Profile Status and Configuring Security Profile Properties
So how do you change what ports are open, inbound and outbound? The answer is to click on the Properties for the security profile, as you see in Figure 2, above.
Once you click on the security profile properties, you will get a new window that looks like this:
Figure 3: Configuring Security Profile Properties
From the Security Profile properties window, you can enable the preconfigured applications & ports.
Let’s say that we wanted to enable SNMP services inbound and outbound. To do this, just check the checkbox next to that service. In our case, I enabled the SNMP Server port, allowing UDP traffic on port 161 inbound and UDP traffic on port 161. Notice that SNMP is not connected to a particular daemon, as the SSH server is. To apply changes, click OK.
There are times when you need to open a port in the firewall for various applications. For example, if you want to use iSCSI.
If a port is connected to a daemon and you select that port, you can click on the Option button for that port and see the services associated with it, like this:
Figure 4: Daemon / Service Properties
As I did not want to make any changes to the service, I just clicked OK.
Notice that you are limited to the preconfigured applications and whatever their specific inbound or outbound port that is preconfigured for that application. Plus, from the GUI interface, you cannot add any new ports or applications.
How do I configure the ESX Server security profile from the command line (CLI)?
To configure the security profile from the command line, use the esxcfg-firewall command. You would first, of course, have to SSH to the ESX Server and log in first before you can use this command.
The command syntax is simple. To see all the command options, just type the esxcfg-firewall command by itself, and press enter (see Figure 5, below).
Figure 5: esxcfg-firewall command syntax
To view open ports, use the esxcfg-firewall -q command line option.
To open a specific port, you would type a command similar to this:
[[email protected] root]# esxcfg-firewall -o 1000,tcp,in,test
However, don’t expect your CLI change to show up in the GUI interface.
You can also configure a port range, like this:
[[email protected] root]# esxcfg-firewall -o 1000:1050,tcp,in,test
In this article, you learned about VMware ESX Server’s built in software firewall - the “security profile”. You found out about how the security profile is the firewall for the entire host – including the service console (if it is not an ESXi server) but not the virtual guests running on the host. After that, we covered how the security profile works, how to configure it in the GUI & CLI, and why it is important to you, as a VMware Admin.