Does anyone know if Qualys supports Authenticated vulnerability scan for VMware ESX box?
Yes we support Authenticated scanning for ESX via the Unix Auth Record.
Do you also support Authenticated scanning for VMware ESXi? From what I understand it's quite different than ESX in terms of access.
I am not sure how ESXi allows connections but if we can get an ssh, telnet, or rlogin prompt off the box, we can run an authenticated scan against it.
It does not appear ESXi allows any of those connections, it has 80 and 443 ports open, along with irdmi (8000). Admins say they use a web interface to administer that system.
So it seems more like an appliance than a server type.
I was told by our Ops team that VMware STRONGLY recommends leaving SSH disabled. I was also told that not only do they not recommend it, it's not supported and throws out all kinds of warnings if it's enabled. Does anyone know if the snmp auth record could be leveraged if SSH is not an option? Some would say if those exploitable services are not running it's safe to say the box is secure, but I do NOT agree. Using an assessment tool confirms users and administrators are following the correct practices/procedures/processes. It appears VMware ESXi 4.1 is a completely different beast than previous versions. Since the direction is to migrate to 4.1, we're going to need a solution to this problem. Any comments/recommendations/suggestions would be greatly appreciated.
Actually, ESXi is a different platform than ESX and is designed to eliminate the service console OS (and access) that we would normally use to scan via SSH/Telnet/etc.
We don't currently support authenticated scanning of ESXi, but this is something we will investigate.
Any idea how the ESXi authenticated scanning investigations are progressing? We are migrating all our ESX hosts to ESXi (less attack surface) but still want to maintain authenticated scanning of these devices.
No updates at this time. Supporting remote ESXi will require coordination between VMware and Qualys, so I expect that this will be a long-term effort.
Considering it's been about 6 months, is there an update on QualysGuard scanning ESXi hosts?
I don't believe that we have a concrete update to provide to you. However, I can say that we are beginning to focus much more closely on our VMware relationship and VMware-specific capabilities. To that end, we have become an Elite-level member in VMware's TAP (Technology Alliance Partner) program, and we are actively researching our best approaches for addressing vSphere environments.
If you (or any other customers or partners reading this) are open to discussing specifics around your use cases and challenges addressing virtualized, especially VMware-based, environments, please reach out to me at jlute ||AT|| qualys ||DOT|| com.
I wanted to provide an update on Qualys capabilities in regard to ESX and, particularly, ESXi.
We recently put into production discovery capabilities for VMware ESXi and ESX (versions 3.5 > 5.0), which occurs primarily through an HTTPS query on port 443. Thus, the vSphere hosts can be fully hardened (i.e., no SNMP, no SSH) and even configured in Lockdown Mode, but we will still be able to positively identify them during the discovery phase.
Unfortunately, only the major version number is available to us through this query, which is good enough for discovery, but not sufficient for vulnerability assessment. For this we will need to authenticate to the vSphere hosts, and this we intend to do also on port 443, this time to the vSphere SOAP API.
A new SOAP module will be added to our scanner in one of the next two releases, after which time we will be able to authenticate to ESXi and ESX servers on port 443 to pull the build number, installed patches, and other configuration details.
Note that this same vSphere SOAP API is also presented by vCenter Server and the vCenter Server Appliance, which we'll also be targeting.
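Added example, not part of the thread and not Qualys code: why a major version alone is insufficient for assessment while a build number is. It parses a constructed SOAP response shaped like the vSphere API's `about` (AboutInfo) data and compares the build against a hypothetical per-release baseline; the sample XML, the build numbers and `MIN_PATCHED_BUILD` are all assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed SOAP body shaped like a vSphere API ServiceContent reply; the
# <about> fields follow the API's AboutInfo object. All values are made up.
SAMPLE_RESPONSE = """\
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
 <soapenv:Body>
  <RetrieveServiceContentResponse xmlns="urn:vim25">
   <returnval>
    <about>
     <fullName>VMware ESXi 5.0.0 build-100000</fullName>
     <version>5.0.0</version>
     <build>100000</build>
     <apiType>HostAgent</apiType>
    </about>
   </returnval>
  </RetrieveServiceContentResponse>
 </soapenv:Body>
</soapenv:Envelope>"""

# Hypothetical baseline: lowest build treated as fully patched per release line.
MIN_PATCHED_BUILD = {"4.1": 300000, "5.0": 200000}

def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def parse_about(soap_xml):
    """Return version, build and apiType from the <about> element."""
    root = ET.fromstring(soap_xml)
    about = next((e for e in root.iter() if _local(e.tag) == "about"), None)
    if about is None:
        raise ValueError("response has no <about> element")
    fields = {_local(c.tag): (c.text or "").strip() for c in about}
    if not fields.get("version") or not fields.get("build", "").isdigit():
        raise ValueError("version or build missing or malformed")
    return {"version": fields["version"], "build": int(fields["build"]),
            "api_type": fields.get("apiType", "")}

def assess(about):
    """Classify a host by build number within its release line."""
    line = ".".join(about["version"].split(".")[:2])
    minimum = MIN_PATCHED_BUILD.get(line)
    if minimum is None:
        return "unknown-release"
    return "patched" if about["build"] >= minimum else "missing-patches"

if __name__ == "__main__":
    for xml_doc in (SAMPLE_RESPONSE, SAMPLE_RESPONSE.replace("100000", "250000")):
        info = parse_about(xml_doc)
        print(info["version"], info["build"], assess(info))
```

Both constructed hosts report the same release line, yet only the build number separates the patched one from the unpatched one.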
Good stuff Justin, thanks for the update...
Excellent news Justin!!!
I’ll let my Client know and please do keep the information coming ☺
Many thanks for the update here. Look forward to the SOAP auth module and getting it tested in our environment.
We have just released our first batch of QIDs in support of VMware ESXi, executing the checks against the vSphere (SOAP) API.
See Qualys meets VMware ESXi for more.
In the end, we were able to engineer unauthenticated remote discovery against the vSphere API to bring Vulnerability Management coverage to ESXi 4.0, 4.1, and 5.0. SOAP authentication to allow for more vSphere checks and integrations will be coming soon.