The ESX service console is a limited distribution of Linux based on Red Hat Enterprise Linux 5 (RHEL5). The service console provides an execution environment to monitor and administer the entire ESX host.

If the service console is compromised in certain ways, the virtual machines it interacts with might also be compromised. To minimize the risk of an attack through the service console, VMware protects the service console with a firewall.

In addition to implementing the service console firewall, VMware mitigates risks to the service console using other methods.

ESX runs only services essential to managing its functions, and the distribution is limited to the features required to run ESX.

By default, ESX is installed with a high-security setting. All outbound ports are closed, and the only inbound ports that are open are those required for interactions with clients such as the vSphere Client. Keep this security setting, unless the service console is connected to a trusted network.

By default, all ports not specifically required for management access to the service console are closed. You must specifically open ports if you need additional services.

By default, weak ciphers are disabled and all communications from clients are secured by SSL. The exact algorithms used for securing the channel depend on the SSL handshake. Default certificates created on ESX use SHA-1 with RSA encryption as the signature algorithm.

The Tomcat Web service, used internally by ESX to support access to the service console by Web clients like vSphere Web Access, has been modified to run only those functions required for administration and monitoring by a Web client. As a result, ESX is not vulnerable to the Tomcat security issues reported in broader use.

VMware monitors all security alerts that could affect service console security and, if needed, issues a security patch, as it would for any other security vulnerability that could affect ESX hosts. VMware provides security patches for RHEL 5 and later as they become available.

Insecure services such as FTP and Telnet are not installed, and the ports for these services are closed by default. Because more secure services such as SSH and SFTP are easily available, always avoid using these insecure services in favor of their safer alternatives. If you must use insecure services and have implemented sufficient protection for the service console, you must explicitly open ports to support them.

The number of applications that use a setuid or setgid flag is minimized. You can disable any setuid or setgid application that is optional to ESX operation.
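One way to review the setuid/setgid point above from a shell in the service console, as an added example that is not VMware's own tooling. The allowlist file format, the function names, and the file names in the demo are assumptions made for illustration; the script only reports and changes no permissions.

```shell
#!/bin/sh
# Added example (not VMware code): report setuid/setgid files that are not on
# a reviewed allowlist. Read-only; it changes no permissions.

# find_privileged ROOT: print regular files under ROOT that carry the setuid
# (4000) or setgid (2000) bit, sorted. -xdev keeps the scan on one filesystem.
find_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# audit_privileged ROOT ALLOWLIST: ALLOWLIST holds one absolute path per line
# ('#' lines are comments). Prints "REVIEW <octal mode> <path>" for every
# privileged file missing from the list; returns 1 if any were found.
audit_privileged() {
    ap_report=$(find_privileged "$1" | while IFS= read -r ap_path; do
        if ! grep -v '^#' "$2" | grep -Fxq -- "$ap_path"; then
            echo "REVIEW $(stat -c '%a' "$ap_path") $ap_path"
        fi
    done)
    if [ -n "$ap_report" ]; then
        printf '%s\n' "$ap_report"
        return 1
    fi
    return 0
}

# Constructed demo: a throwaway tree stands in for the service console
# filesystem; the file names are hypothetical, not ESX binaries.
demo() {
    demo_dir=$(mktemp -d) || return 1
    mkdir "$demo_dir/bin"
    touch "$demo_dir/bin/needed" "$demo_dir/bin/optional" "$demo_dir/bin/plain"
    chmod 2755 "$demo_dir/bin/needed"     # setgid, on the allowlist
    chmod 4755 "$demo_dir/bin/optional"   # setuid, not on the allowlist
    chmod 0755 "$demo_dir/bin/plain"      # no special bits, never reported
    printf '# reviewed as required\n%s\n' "$demo_dir/bin/needed" > "$demo_dir/allow.txt"
    demo_rc=0
    audit_privileged "$demo_dir" "$demo_dir/allow.txt" || demo_rc=$?
    rm -rf "$demo_dir"
    return "$demo_rc"
}

demo || echo "unlisted setuid/setgid files found"
```

Each `REVIEW` line is a candidate to check against what ESX operation requires before the bit is removed or the path is added to the allowlist.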

Although you can install and run certain types of programs designed for RHEL 5 in the service console, this use is not supported unless VMware explicitly states that it is. If a security vulnerability is discovered in a supported configuration, VMware proactively notifies all customers with valid support and subscription contracts and provides all necessary patches.


Follow only VMware security advisories, found at Do not follow security advisories issued by Red Hat.