vSphere 5 ESXi Firewall: Enables Cloud Hosting Companies to Offer Higher Security

By Lisa Gecko

2011 proved to be a watershed year for business migration to cloud-based services, and with the much-anticipated release of VMware’s vSphere 5, hosts and providers concerned with cloud security welcome the addition of the ESXi stateless firewall. A feature absent since the ESX server, the ESXi firewall provides another layer of defense, functioning fundamentally as a packet filter. Enabled by default, the firewall blocks all incoming and outgoing traffic, with exceptions such as DNS and DHCP. Also new is the ability to configure inbound and outbound TCP and UDP ports, and to configure specific rulesets within the ESXi Shell. VMware Installation Bundles (VIBs) can be used to customize ports and protocols for the ESXi firewall, allowing for a more tailored provider-host environment and infrastructure. The Host Image Profile Acceptance Levels for the VIBs cover a broad range, including VMware Certified, VMware Accepted, Partner Supported, and Community Supported.

Cloud security is, and always has been, at the top of the list of concerns for businesses considering a move to a virtual platform. While it is understandable that many CEOs and other corporate decision makers are not always well informed about every new development in cloud hosting security, it should be of some concern that many in the IT community are in the same boat. This is most assuredly no slight, but with the growth in cloud hosting this year, and every reason to expect exponential growth in the industry in the coming years, it would be a mistake not to recognize single-vendor cloud hosting as the new frontier. A basic understanding of cloud security alleviates some of these concerns and promotes a healthier relationship between hosts and their clientele, and with the addition of the ESXi firewall to vSphere 5, several security-related issues have been addressed.

The good news is that over the next few years, as businesses continue to embrace the advantages that cloud-based computing provides, the wealth of talent within the IT community will gravitate toward it as well. The first hurdle is to educate. With virtualization software developers like VMware catering to the concerns of both cloud hosting companies and their clients, it’s not that high a hurdle. Providers requested another layer of defense, and VMware answered with the ESXi firewall. This addresses, among other things, one of the potential problems arising from the lack of understanding regarding open ports and the security risk therein. Granted, the lightweight hypervisor offers little to attack, with very few ports open, but the addition of the ESXi firewall can only help to assuage any doubts about VMware’s commitment to customer satisfaction. Companies like VMware are also providing a wide variety of tutorials on virtualization, furthering the effort to bring about a better understanding of cloud hosting and everything it has to offer.

Security will always be of paramount importance. The move towards single-vendor cloud hosting and away from multiple providers or traditional corporate data centers drives the need for innovation and cooperation in this field. Does the addition of the ESXi firewall enable cloud hosting companies to provide better security? Of course it does. It is another layer of defense that addresses specific issues. Equally important, though, is a community of hosts, providers and developers working together to bring security to the cloud one collaborative step at a time.