Logging USB devices plugged into ESXi

I just found an interesting question on an internal message board here in VMware. A customer was wondering if it was possible to disable USB ports at the ESXi level. They are a very security-conscious organization and they want to block any opportunity for someone internally with malicious intent to plug in a USB drive. Normally, this would be done at the BIOS level of the hardware, but some device manufacturers don’t implement that functionality.

Unfortunately, neither does ESXi. You can’t disable /dev/usb0101 for example.

So what’s the customer to do? Well, let’s look at the problem differently. The concern is that someone does something they shouldn’t. Not unlike dealing with a toddler (loved those days, don’t miss those days!), you can’t be there every moment to stop them from doing what they want to do. A malicious person will try many avenues to get at what they want.

Instead of prevention, sometimes notification can be a useful method of threat mitigation. How about getting an alert via email, any time someone plugs a USB device into one of the ESXi servers, telling me who did it? If I’m using a logging solution that can correlate data with the card swipe machine at the entrance to the doorway, then I can put 2+2 together and find that Bob, the new janitor, was the only one in the room when a USB storage device made by the SMI Corporation was plugged into the ESXi server at IP address 192.168.8.21 at 11:20.

ESXi logging for USB devices is really good! Here’s an example:

[Screenshot of the ESXi USB device log entries as shown in Log Insight]
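The correlation described above, as an added example that is not part of the original post: it parses constructed vmkernel-style USB attach lines (the line format is an assumption modelled on what ESXi 5.x hosts write to vmkernel.log) and joins each attach to constructed badge-reader swipes within a 30-minute window. The host address, log lines and badge records are all made up for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines, modelled on the USB messages an ESXi 5.x host writes to
# vmkernel.log; the exact format is an assumption (the post only shows a screenshot).
VMKERNEL_LOG = """\
2014-10-24T11:20:03.101Z cpu2:33031)<6>usb 1-1: new full speed USB device using ehci_hcd and address 3
2014-10-24T11:20:03.215Z cpu2:33031)<6>usb 1-1: New USB device found, idVendor=090c, idProduct=1000
2014-10-24T11:20:03.215Z cpu2:33031)<6>usb 1-1: Product: USB DISK
2014-10-24T11:20:03.215Z cpu2:33031)<6>usb 1-1: Manufacturer: SMI Corporation
2014-10-24T11:20:03.220Z cpu2:33031)<6>scsi2 : SCSI emulation for USB Mass Storage devices
"""
# Constructed badge-reader records for the server room (UTC, like the log).
BADGE_SWIPES = [
    (datetime(2014, 10, 24, 9, 5), "Alice (ops)"),
    (datetime(2014, 10, 24, 11, 12), "Bob (janitor)"),
]
LINE_RE = re.compile(r"^(?P<ts>\S+) cpu\d+:\d+\)<\d>usb (?P<dev>[\d.-]+): (?P<msg>.*)$")

def parse_usb_events(log_text):
    """Fold the per-device vmkernel USB lines into one event per attached device."""
    events = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a USB core message (e.g. the SCSI emulation line)
        ev = events.setdefault(m["dev"], {"device": m["dev"], "time": m["ts"]})
        msg = m["msg"]
        if msg.startswith("New USB device found"):
            ids = dict(kv.split("=", 1) for kv in msg.split(", ")[1:])
            ev["vendor_id"], ev["product_id"] = ids.get("idVendor"), ids.get("idProduct")
        elif msg.startswith("Manufacturer: "):
            ev["manufacturer"] = msg[len("Manufacturer: "):]
        elif msg.startswith("Product: "):
            ev["product"] = msg[len("Product: "):]
    return list(events.values())

def correlate(events, swipes, host, window=timedelta(minutes=30)):
    """Tag each USB attach with everyone who badged in during the preceding window."""
    alerts = []
    for ev in events:
        when = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%S.%fZ")
        present = [who for t, who in swipes if when - window <= t <= when]
        alerts.append({**ev, "host": host, "badged_in": present})
    return alerts

if __name__ == "__main__":
    for a in correlate(parse_usb_events(VMKERNEL_LOG), BADGE_SWIPES, "192.168.8.21"):
        print(f"ALERT {a['host']} {a['time']} usb {a['device']}: {a.get('manufacturer')} "
              f"{a.get('product')} ({a.get('vendor_id')}:{a.get('product_id')}) badged in: {', '.join(a['badged_in']) or 'nobody on record'}")
```

In a real deployment the badge data and the vmkernel lines would come from the log platform (Log Insight in the post) rather than inline constants; the join logic stays the same.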

So, when thinking about how to protect your virtual infrastructure from bad guys, consider using the capabilities inherent in the infrastructure to defend and protect. Every Defense in Depth layer should have a backup. The layers here are the vetting of someone to get into the datacenter and the backup is the logging of things that are done when they are in there.

Thanks to my friends in the VMware Log Insight Group for making a product so easy to use that I was able to test this in just a few minutes, all on my Mac running Log Insight and a virtualized ESXi VM (plus a VCSA and a Windows VM to round out the environment). If you haven’t tried Log Insight yet, why? 🙂

Thanks for reading!