ESXi hosted on public IP without firewall
So I've got an interesting problem.
I currently rent a couple of servers from Hetzner (a German hosting provider). Each server has a soft firewall and does something like web hosting / database.
I would like to rent a beefier server and setup a hypervisor like ESXi on it with a vSwitch connected to physical NIC and a pfSense VM, and another vSwitch from the pfSense VM to other VMs. Unfortunately, Hetzner does not appear to provide a hardware firewall in between the public interface and your server (leaving soft firewall as the only option).
What are the security implications of running ESXi (v5.5) out in public like that? Quick research suggested this thread on spiceworks which sums it up as disabling SSH/Console (telnet?) access and setting up proper SSL cert and a very complex unguessable username/password pair. With the obvious implication of single-entry attack point.
Solution 1:
You can limit the IP addresses permitted through the ESXi firewall.
http://pubs.vmware.com/vsphere-50/index.jsp?topic=%2Fcom.vmware.vcli.examples.doc_50%2Fcli_manage_networks.11.11.html
That is really all you need to harden it. Locking your management down to specific IP addresses is very secure. Naturally follow the other best practices re passwords etc as well.
Just make sure to look at the firewall completely and lock down everything to your management IPs.
Non Static IP Alternative
Lock all ports down to 127.0.0.1 as given above except for SSH. Lock SSH down to private/public key authentication only and disable ChallengeResponseAuthentication and PasswordAuthentication. This is very secure.
Use your favourite SSH client connect to the server with a command line such as:
ssh my.vmhost.rackhoster -L80:localhost:80 -L443:localhost:443 -L903:localhost:903
Then leave the SSH session running and point your browser to https://localhost/
and it will automatically forward port 443 through to the ESXi host. Change the ports if you are already using port 443 on your local machine (ie, -L8443:localhost:443 instead -> https://localhost:8443/
). Same for port 80. Port 903 is for the console.
If you ever loose your private key you're pretty screwed this way so back it up! :-)
For ultra security ensure your private key is encrypted with a good passphrase. Don't forget it!
Solution 2:
Use the ESXi builtin firewall to close down unneeded ports and limit access to the open ones to a range of known IP addresses.
This might be challenging if you do not use a fixed external IP address at home (like most people), so you may end up restricting access to the addresses of some other servers that you have on the Internet.