This post is also available in: Italian

What’s new in vSphere 5 – ESXi firewall

One of the new features of ESXi 5 is the new “personal” firewall, feature that was previously found only in the legacy (and now discontinued) ESX.

VMware argued that ESXi didn’t require a firewall, because the lightweight hypervisor had hardly any services or ports open, leaving it with almost nothing to attack. So why add this feature? Probably just to fill a feature gap between ESXi and ESX and to improve security by using a deep approach.

Firewall characteristics:

  • It’s a stateless firewall based on ESXi services.
  • It’s enabled by default.
  • It sits between the ESXi host management interface and the management network on the local area network.
  • It supports additional capability to restrict access to services based on IP address and subnet mask (this is quite new, and was not so “simple” in ESX).
  • The upgrade from ESX/ESXi 4.x to ESXi 5.0 results in several changes to the host firewall configuration. For more info see the vSphere 5 Upgrade guide.

For more info see also:

How to manage it

The ESXi 5 firewall can be configured though:

  • vSphere Client: go to Host Configuration > Software > Security Profile. Quite the same as the old ESX configuration.
  • Command line: with vSphere 5 the esxcfg-* is deprecated, so the firewall configuration can be done with the esxcli command.

Limit of this firewall?

As the old one (in ESX) this firewall is still service oriented, and this mean that it’s easy to manage and configure.

But this time it’s not based on Linux iptables frameworks and it’s not statefull… this mean less flexibility and, in some cases, less security. Why less security? Because with a stateless firewall it’s always hard to handle the reply packets with the risks to open more ports than needed. So there can be some risks on the host security? Yes… but the reply packets are (in most cases) from the host itself, so I think that the risk is minimum and, in this case, a stateless firewall can work good.

A good improvement is instead the possibility to add specific hosts or subnet to the firewall rules and this can really improve the security. But, of course, this does not mean that external firewalls can be dropped… A personal firewall do not replace them.