Know How - VMware

Setting up the free VMware Server is not as easy as it seems. For me. Perhaps that is, because I like to have a secured environment and VMware has a little bit weird attitude when it comes to Security. Here I write down all things I found out how to use, setup, run and perhaps make more secure VMware Server.

  1. Setting up VMware Server on Debian
  2. Managing VMware Server via WWW
  3. PXE boot of a client of VMware server

Notes

Environment

  • The environment is Linux, mostly Debian and derivates.
  • Also it is assumed that the VMware server is installed on a "root server" like you can get cheaply from all major ISPs around the world.
  • This also means, that you have full control over the host, but nothing else (like the network).
  • You cannot use private IP range for the outside interface (one of my ISPs monitors the IP and MAC layer, and if some wrong IP or MAC is used, the machine is shut down immediately).

Additional things

  • Need to be able to boot VMs from the network.
  • Cannot use any network infrastructure besides which is built into the host, as it is a hosted system with no control over the main backbone.
  • I am not affiliated with VMware besides that I am a paying customer of VMware Workstation (Windows) and user of the free products of VMware Player (Windows) and VMware Server (Linux).
  • VMware, VMware Server, VMware Client, etc. are all trademarks of VMware Inc. (I think. I do not own nor know anything about trademarks, also Bamboo lacks a Trademark-Method to mark trademarks properly, sorry.)

Notes about security

  • Security is crucial. This means, a product to be considered secure must come with a secure setup in the default install. VMware server is lacking such a secure setup and therefor cannot be considered a secure application. Therefor running VMware server renders your machine insecure. Period.
  • Security means to hardened things against typical forms of attacks. To harden something means in the first place, hide anything except the pure services for others from observers. Having open ports listening on all interfaces is the direct opposite of such a strategy. As VMware Server does open zillions of administratively used ports on all your interfaces it becomes very difficult to secure such a setup.
  • Requirements like needing a firewall to secure things is bad or even contra productive. Firewalls are no solution to security issues. If your system becomes insecure without firewall, you know you have a bad security design (Intranets usually are a nightmare from a security perspective). Firewalls are only helpful to prevent a common class of attacks, and they are good to have a single point, where you can stop all traffic to the outside. However on a hosted server stopping connections from the outside means to isolate the machine. Therefor you are unable to manage the machine, as you, the admin, sit on the outside.
  • Getting past a firewall is a common strategy, as firewalls only work on the outside and do not prevent attacks from the inside. A hacked VM is a common situation, therefor you must assume, that an attacker comes from the inside and already is past any firewall. This also means, using firewall rules from the Linux kernel are no solution for a bad security design as VMware server shows.
-Tino, 2008-09-04