Making ESXi dark - Zitifying the VMWare ESX Management Network

Hi there,

does anyone here have any experience with zitifying VMWare ESXi (8.0)?
I think there would be a lot of need for providing Zero Trust access for ESXi, especially considering the recent ESXiArgs ransomware attacks.
I’d love to bring this forward and try things out; however, I do need a starting point here. I assume installing a tunneler isn’t really an option due to VMWare’s custom kernel.

Any ideas?

Best regards
Dominik

I don’t personally have enough understanding of VMWare’s hypervisor and how it works. It’s possible it has functionality like Kubernetes DaemonSets, where a tunneler could be installed on every VMware node.

I don’t know of anyone who has explored this at all yet. Perhaps someone else in the community has investigated.

You could perhaps install ziti on any/each of the virtual machines and then allow that VM to access the ESXi API, using OpenZiti as a bastion type of thing, but certainly adding ziti closer to the hypervisor itself sounds more secure.
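The bastion pattern described in this post, as an added example that is not part of the thread or of the OpenZiti project's own tooling: the ESXi host is left untouched, a VM on the management network runs ziti-edge-tunnel and hosts the ESXi management API as a dark OpenZiti service, and only admin identities may dial it. Everything below is an assumption for illustration: the management IP 192.168.10.20, the dark name esxi01.ziti, the bastion VM IP 192.168.10.5, the service name esxi01-mgmt, and the role attributes #esxi-bastion (the bastion VM's identity) and #esxi-admins (the admins' tunnelers). By default the script only prints the ziti CLI commands (DRY_RUN=1) so it runs offline; set DRY_RUN=0 on a machine logged in to the controller to execute them.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenZiti project: controller-side objects
# that publish the ESXi management API as a dark OpenZiti service, with a VM running
# ziti-edge-tunnel acting as the bastion. All names, IPs and role attributes below are
# assumptions; adjust them for your environment.
set -eu

ESXI_MGMT_IP="${ESXI_MGMT_IP:-192.168.10.20}"   # assumed management IP of the ESXi host
ESXI_DARK_NAME="${ESXI_DARK_NAME:-esxi01.ziti}" # name admins type; resolved by their tunneler, not by DNS
BASTION_IP="${BASTION_IP:-192.168.10.5}"        # assumed IP of the VM that hosts the service
SERVICE="${SERVICE:-esxi01-mgmt}"
DRY_RUN="${DRY_RUN:-1}"                         # 1 = print the ziti commands, 0 = run them

# Print (dry run) or execute one ziti CLI invocation.
ziti_cmd() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'ziti'
    for a in "$@"; do
      case "$a" in
        *[!A-Za-z0-9._,=-]*) printf " '%s'" "$a" ;;  # quote JSON and role specs
        *) printf ' %s' "$a" ;;
      esac
    done
    printf '\n'
  else
    ziti "$@"
  fi
}

# intercept.v1: what the admin's tunneler captures. 443 is the ESXi host client/API,
# 902 is the VM remote console (VMRC). Nothing is reachable unless a Dial policy grants it.
intercept_config_json() {
  printf '{"protocols":["tcp"],"addresses":["%s"],"portRanges":[{"low":443,"high":443},{"low":902,"high":902}]}' \
    "$ESXI_DARK_NAME"
}

# host.v1: how the bastion VM's tunneler reaches the real host. forwardPort keeps
# 443->443 and 902->902; allowedPortRanges stops the bastion from being used as a
# generic pivot to other ports on the ESXi host.
host_config_json() {
  printf '{"protocol":"tcp","address":"%s","forwardPort":true,"allowedPortRanges":[{"low":443,"high":443},{"low":902,"high":902}]}' \
    "$ESXI_MGMT_IP"
}

# Create the two configs, the service, and the two policies. Only identities carrying
# #esxi-bastion may Bind (host) the service; only identities carrying #esxi-admins may Dial it.
create_esxi_service() {
  ziti_cmd edge create config "${SERVICE}-intercept" intercept.v1 "$(intercept_config_json)"
  ziti_cmd edge create config "${SERVICE}-host" host.v1 "$(host_config_json)"
  ziti_cmd edge create service "$SERVICE" --configs "${SERVICE}-intercept,${SERVICE}-host" --role-attributes esxi-mgmt
  ziti_cmd edge create service-policy "${SERVICE}-bind" Bind --service-roles "@${SERVICE}" --identity-roles '#esxi-bastion'
  ziti_cmd edge create service-policy "${SERVICE}-dial" Dial --service-roles "@${SERVICE}" --identity-roles '#esxi-admins'
}

# Commands to run in the ESXi shell afterwards (printed here, not executed): the service
# is only "dark" if the host's own firewall stops everyone except the bastion VM from
# reaching 443/902 directly. vSphereClient is the ESXi ruleset covering TCP 443 and 902.
esxi_firewall_cmds() {
  printf 'esxcli network firewall ruleset set --ruleset-id=vSphereClient --allowed-all=false\n'
  printf 'esxcli network firewall ruleset allowedip add --ruleset-id=vSphereClient --ip-address=%s\n' "$BASTION_IP"
}

main() {
  create_esxi_service
  echo '# then, in the ESXi shell:'
  esxi_firewall_cmds
}

main
```

Two things to keep in mind with this layout. First, it only covers admin-to-host management traffic; vCenter, vMotion, and storage still talk to the host over the management network, so the ESXi firewall exception list has to include those peers as well, or the host still needs a conventional management VLAN for them. Second, the bastion VM sits on that network with a routable path to the host, so if it is compromised you are back to a pivot; the allowedPortRanges in host.v1 and the allowed-IP list on the ESXi firewall are the controls that limit what such a pivot can reach, and the bastion identity should carry nothing beyond the Bind policy for this one service.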

Hi Dominik,

Maybe I am still stuck in the ESXi 6.7 time frame; I am not aware that it is open source. To zitify it, the source code would need to be modified.

Also, I believe ESXi communicates with other VMWare products (like vCenter). These products will most likely need to be zitified too.

Therefore, the solution TheLumberjack offered is the best alternative way to lockdown the access to the ESXi server.

Yeah, I think really “zitifying” it isn’t a real option.
What I was more thinking about is installing the ziti tunneler on the hypervisor; not sure if that could work.
I think what @TheLumberjack suggested is the easiest solution for now - thanks!