Explain to me like I’m 5, why this is a bad idea…

Posted by standard_user937@reddit | sysadmin | View on Reddit | 269 comments

Hello fellow sysadmins, today my boss told me to put a hypervisor (ESXi) directly on the internet because “we are already behind on our yearly roadmap, what am I giving up security, so what..” I tried explaining to him why this was a terrible idea, but failed. I tried explaining that putting a hypervisor directly on the internet is like putting your BMC directly on the internet, its not will you get hacked, its when will it get hacked. He didn’t care and said something like “I’ve worked in IT, I know what I’m asking…” he doesn’t even realized how even security vendors like Cisco or Palo Alto Networks can barely secure dedicated hardware/software they make to do this function, let alone having a two person team applying simple firewall rules on top of ESXi is not sufficient. Help me explain like he’s 5 years old or maybe a 1st year computer science student.

Reply to Post

Reply

269 Comments

[-]

Less_Traffic2091@reddit

How did you fail at explaining this? Did you present easy to find documentation and links, or just rely on the 'Sys admin with cool stories and analogies' method? It's your job to present 'facts' in writing when it comes to assigned project concerns. The document should read "Project Title, Options, Challenges, Concerns". You should not be 'explaining things in a convincing manner', rather creating a simple project plan that shows the option(s), and defines those that put the company at risk using facts. I say this...with strong attitude...because I've worked with many a sys admin \[and I am one as well\] who are unprofessional in their processes. Love to 'roll their eyes' with always a 'vague threat of security risk' but without the ability to document it well, because most of them don't seem to actually have the expertise to explain it themselves. I've seen it as 'fear of what I don't understand and am too lazy to research' in many sys admins and/or an odd desire to not reach out for help & information from vendors. This may not be your situation, but NONE of your responses to questions have added any more 'depth' to your process and seem to become more unprofessional with every post. 9 out of 10 sysadmins I've met with a 'stupid boss' are watching another person play video games the majority of their day.

Reply

[-]

Creative_Onion_1440@reddit

Are you sure your boss really wants the management interface on the internet or could he be suggesting using one host interface assigned to a specific guest VM? I've seen some people say that VMs can have a physical adapter assigned to them and then that VM can be live on the internet "safely." This is assuming the VM is designed to be directly connected, a good firewall etc. A lot of people seem to do this in the ProxMox community and I've heard mixed thoughts on the concept.

Reply

[-]

fatDaddy21@reddit

XY Problem. Why does he think opening a hypervisor to the internet will 'catch you up on the yearly roadmap'? What is he actually trying to achieve?

Reply

[-]

Sinister_Nibs@reddit

What is he trying to achieve? He has a buddy that needs to compromise an organization

Reply

[-]

PaulRicoeurJr@reddit

Maybe getting a ransomware is part of the roadmap?

Reply

[-]

RavkanGleawmann@reddit

The older I get the more I realise that everything is an XY problem. Or at least everything can be rephrased as an XY problem to reveal new insights and solutions.

Reply

[-]

narcissisadmin@reddit

Definitely an XY problem, also surprised that you beat /u/zafjb to it haha

Reply

[-]

ZAFJB@reddit

ha ha

Reply

[-]

BlackV@reddit

HA

Reply

[-]

SirHaxalot@reddit

Yeah, how fucked must their network be if it somehow is easier to deploy shit directly connected to the internet than connected to a presumably already existing datacenter (/closet) or even office network?

Reply

[-]

standard_user937@reddit (OP)

He doesn’t think it will catch us up, he thinks developing/buying a solution will take so much time and we already aren’t going to finish everything we told HR we would get done at the beginning of they fiscal year… stupid manger reasons.

Reply

[-]

mtgguy999@reddit

Buying a solution to do what? It sounds like he wants something to happen and doesn’t have the technical knowledge to know how to do it and might not even know how to describe it. There is really no reason to put the host directly on the internet and that probably won’t even accomplish what he really wants. Some possible things he might want 1. Access the internet from the vms and they have no access 2. Access the internet from the vms, they have internet access but various needed sites are blocked by your firewall 3. Inbound traffic to vms is required. Like hosting a website that customers access 4. He wants to login to VMware from home and for some reason doesn’t want to use a vpn. Maybe the vpn doesn’t work well, or he wants to access from or phone or something Your job is now to figure out what he really wants and then figure out a proper way to do that.

Reply

[-]

roll_for_initiative_@reddit

One time on the roadmap must be "burn this place down or run it out of business"

Reply

[-]

darklightedge@reddit

Putting the ESXi directly on the internet is like leaving your front door wide open with a sign that says, "Come on in!" Hackers are constantly scanning for things like this, and they’ll find it quickly. Once they do, they can break in, take control, and steal or destroy everything inside. How it can't be obvious?

Reply

[-]

lost_signal@reddit

Hi, I work for VMware, and even presented on the topic of host security a few weeks ago at our conference in Barcelona. A simple 1 word response combined with an aquatic reinforcement device should do. https://preview.redd.it/xrd10jz85c3e1.jpeg?width=220&format=pjpg&auto=webp&s=251317b0cea3b9bb4293186ae4f700f642400836

Reply

[-]

standard_user937@reddit (OP)

Can you link me to your talk I’d be interested to see what you said about this?

Reply

[-]

Miserable_Cap_2265@reddit

Chief, imma be honest, this is just gonna be you vs your boss' power trip, it's only gonna get worse. Dip or stay is my only advice.

Reply

[-]

lost_signal@reddit

Honestly this is the kind of thing I recommend people find a good VMware partner in their region who can help with design/implementation etc. If I was’t on my way to Luxor I’d offer to join a call as I’m mildly curious why he feels this is the only way to rapidly accomplish their goals.

Reply

[-]

TightBed8201@reddit

Wild guess? Maybe they dont have enough storage and want to connect some cloud storage? Who knows. I wouldnt do it in any way.

Reply

[-]

lost_signal@reddit

While there are kludge devices for that kinda thing (StorSimple) you should never do this with raw iSCSI/NFS. The only thing I can guess is that they’re running a virtual firewall and you have a DMZ exposed directly , but yeah, you should never have the management interfaces (VMK) exposed directly to the Internet

Reply

[-]

lost_signal@reddit

I gave the first 15 minutes of 3 Cornerstones To Enable A Cyber-Resilient Private Cloud [VCFB1201LV]. Note I was filling in for bob plankers who gave this talk in the US But the session you want is 90 minutes of bob plankers Hardening and Securing VMware Cloud Foundation: A Multi-Layered Approach [VCFT1616LV] Here is the secret GitHub direct link to the videos. https://github.com/lamw/vmware-explore-2024-session-urls/blob/master/vmware-explore-us.md

Reply

[-]

Capable_Tea_001@reddit

>Here is the secret GitHub direct __*secret*__ 🤣🤣

Reply

[-]

lost_signal@reddit

![gif](giphy|3o7TKMxBuO913uWyoU)

Reply

[-]

TriRedditops@reddit

I just want to say that I love that reddit is a place where you can hear things directly from the people working on the topics being asked about. Cheers!

Reply

[-]

lost_signal@reddit

There’s quite a bit of lurking by the tech industry, but Reddit (probably because of how much porn is on here) often gets blocked at peoples offices. You tend to find technical marketing on reddit the most active out of various groups at VMware (probably a legacy of being a remote team, and being the best to engage with questions). There’s even some of the support escalation leads here. Engineers and PMs I suspect gravitate towards Blind.app Product marketing is Facebook for the younger and non-US demographic and LinkedIn for US and leadership. I got recruited to VMware from a Twitter DM. That historically was the best watering hole before the vExpert moved to slack (and now discord). I’ve asked for feature requests from well thought out articulate reddit posts, and even passed on some feedback for recent VVF licensing changes to our PnP people from Reddit posts.

Reply

[-]

touchytypist@reddit

Don't ask why, that could be any BS answer, "because it's better", "because I said so", etc. Ask "**How** will this solve the problem?", then he has to explain it.

Reply

[-]

Middge@reddit

>with an aquatic reinforcement device should do. Thanks man I just woke up my wife with laughter and she is not amused.

Reply

[-]

lost_signal@reddit

I posted this at 2AM. I'm weirdly more jet lagged than my wife right now who managed to snore right through my giggling while posting this.

Reply

[-]

iiThecollector@reddit

Thank goodness for you man, Im an incident responder and this post made me twitch

Reply

[-]

CluelessPentester@reddit

One man's nightmare is another man's job security

Reply

[-]

lost_signal@reddit

Im a storage guy who larps as a security guy when bob has better things to do. Now I will add for IoT type deployments we do have the Keswick/VECO stuff that should negate any case where someone thinks doing this is a good idea.

Reply

[-]

iceph03nix@reddit

That was my question as well, that didn't feel like it was answered. What is the actual goal that putting it directly online solves?

Reply

[-]

lost_signal@reddit

Sounds like someone doesn’t have a VPN? Can we just ship a raspberry Pi out configured with Tailscale/wireguard to make it easy to drop into that remote network? Maybe VDI to a bastion host? Maybe someone doesn’t know about the cheap sku for 2 VPN connections to their firewall.. there’s normally a way to fix this.

Reply

[-]

milkmeink@reddit

Thank you for the laugh in how you explained to say ‘no’. Very much appreciated it!

Reply

[-]

TightBed8201@reddit

Leave.

Reply

[-]

lross78550@reddit

hang it out on the internet we could all use a couple vm's to mine our bitcoin

Reply

[-]

oceanave84@reddit

Put a printer on the Internet in his office. That’s a good way to show why it’s a bad idea to do some things.

Reply

[-]

burdsjm@reddit

I don’t understand what you mean by put it on the internet. All of our host boxes have access to the internet for updates and ntp. Are you saying putting it in the DMZ with no firewall?

Reply

[-]

Phate1989@reddit

He is saying expose esxi web management to public443. I'm not even sure what the use case is...

Reply

[-]

snarlywino@reddit

You sound complicit in all these things you are complaining about. No backups? No updates? How do you sleep at night?

Reply

[-]

fatbergsghost@reddit

To be fair, he does have a backup solution. To be as far away from this mess when it blows up as possible.

Reply

[-]

datec@reddit

Yep... But he's the hero, right???

Reply

[-]

Slight_Manufacturer6@reddit

Naughty… go to your room and think about what you said!

Reply

[-]

frustratedsignup@reddit

What will you do if you have a ransomware incident? No backups or updates to systems, you are 100% going to have a bad day. I couldn't make it much simpler than that. Update your resume - you're going to need it.

Reply

[-]

L3Niflheim@reddit

Go find articles showing the recent ransomware hacks of ESXI being directly on the internet. It was really bad businesses were losing everything.

Reply

[-]

Funkenzutzler@reddit

Imagine you have a big, fancy toy box (your hypervisor) that keeps all your toys safe. Now, think of the toy box being placed right in the middle of a busy street where anyone can walk by and open it. Sure, it looks cool, but there's a problem: some people might want to steal your toys, and the street is full of cars and people who don’t care about your toys - they’re just out to take whatever they can. The thing is, the toy box wasn’t designed to be on the street - it’s meant to be in your house, where you can lock the door and make sure nobody can get in easily. So, if you leave it on the street, even if you lock it, someone could still break in or find a way around the lock. And the more time it stays there, the more likely someone is to figure out how to open it and take your toys. That’s why, even though it seems easier and faster to just leave it out there, it's a really bad idea. You wouldn’t want to risk your toys, and the toy box isn't built to handle being outside in such a dangerous spot. That's why we should put it back inside where it's safe and protected.

Reply

[-]

swamper777@reddit

Just tell him, "If my name will be associated with it, we're going to do it right."

Reply

[-]

cxarra@reddit

"Honeypots are systems on your network that are so hilariously insecure that they attract bad actors so we can identify and block them before they attempt to compromise our actual systems. I'm happy to set up a honeypot, but maybe we shouldn't do it with our actual, live systems and customer data?"

Reply

[-]

sir_mrej@reddit

What's a BMC

Reply

[-]

ixidorecu@reddit

Baseboard management controller. It's what ibm calls it. Dell calls it drac , hp calls it ilo,

Reply

[-]

sir_mrej@reddit

That's super interesting. I know DRAC and ILO. Had never heard of BMC. You can tell what systems I work on and what ones I've never touched lol Thanks!

Reply

[-]

UnknownPh0enix@reddit

1. Get it in writing. Save an offline copy. CYA for *when* something happens. 2. VMWare has had multiple RCE’s reported over the last few years that you can refer to. Having this exposed to the Internet is akin to having a sign on your lawn saying “no security. Check if you don’t believe me.” Hell, RCE be damned. I’ll just bang hard on your door until someone lets me in (brute force credentials). Coming from someone in security, your boss is a moron.

Reply

[-]

frygod@reddit

Hell, there's been at least a couple big vulnerability patches in the last couple months. (I can say this with confidence because we hadn't even finished rolling patches on 50 or so hosts before we had to roll out a second one.)

Reply

[-]

dodexahedron@reddit

💯 And you don't even have to go back years. There are some pretty horrid defects in very recent history, too. And we can bet that will continue to escalate, now that malicious actors have gotten a taste for hypervisor blood to pwn the entire infrastructure, and have built up some experience with doing so, now. And if they get into your vcsa, you're toast for so many reasons, not the least of which are that there are plaintext credentials to things like postgres and other critical components sprayed all over those things, as well as it being a CA trusted by hosts. If your vcsa ever gets compromised in any way, you basically need to start over, everywhere, from scratch - vcsa, esx, vms, all datastores, physical and virtual TPMs cleared...everything. And they don't even need to cryptofuck you for that to be necessary. Virtual access to vcsa is as bad as and in some ways worse than physical access to a physical server.

Reply

[-]

techierealtor@reddit

Save an offline copy for when your whole environment is encrypted and they start looking for a scapegoat when IR starts asking questions. Nice to have a get out of jail free card!

Reply

[-]

Coupe368@reddit

I put a windows server directly on the internet one time. Fresh load, no windows updates, spare public IP assigned directly to the network card with no firewall. It was hacked/compromised by someone/something in a language other than english in less than an hour. That was back in 2003, I can't imagine how bad it is today.

Reply

[-]

Automatic-Win8421@reddit

Lookup Akira ransomware. It happens very fast.

Reply

[-]

Sintek@reddit

Just tell him that putting the hypervisor on the internet WILL push the yearly road map into a 2 year road map.

Reply

[-]

daven1985@reddit

"Thank you Boss. Please confirm in writing you want me to present my ESXi interface (or whatever) to the interview against my recommendation and against known security norms. You will accept any liability for said action and any actions that arise from this. Once I get your approval in writing, I will set it up." If you get a reply go for it... its on his head. Chances are once he realises he is accepting liability it won't happen.

Reply

[-]

Murphy1138@reddit

Why put it on the Internet? It's not clear? If he wants access to it just vpn into the network and fire up the browser....

Reply

[-]

joefleisch@reddit

Good idea. ESXi is battle tested hardened for direct exposure to the internet. /s Make certain OpenSLP is enabled and this is ESXi 6.7 or 7.0 without any patches to prevent the unauthenticated remote code execution (RCE) through SLP. CISA posted some sort of decryption tool for all the idiots that had ESXi management interfaces exposed to the internet. I think the second variant of the ransomware deleted the VMs which saves time trying to decrypt them. Broadcom VMware could have no more vulnerabilities in ESXi 8+ that could result in remote code execution.

Reply

[-]

czj420@reddit

This is taking the safe deposit box outside of the vault and leaving in the sidewalk out front of the bank and expecting it to be secured.

Reply

[-]

NebraskaCoder@reddit

You might want to have good backups... Preferably offline ones. If you have a vcenter, back it up too!

Reply

[-]

JoKoT3@reddit

I can give you 2 very personal reasons, I had multiple esxi exposed on internet over years. * Successfully participated in an DRDoS using an NTP amplification attack (https://nvd.nist.gov/vuln/detail/CVE-2013-5211) * Got cryptolocked (https://www.vmware.com/security/advisories/VMSA-2022-0030.html) And for those who are going to ask why they were exposed, we got them from a hosting provider with no way to unexpose them without paying many more $ to get a full virtual private hosted network. Boss and I agreed that no sensitive data would ever go on these and that anything could be destroyed at any point in time.

Reply

[-]

StaffOfDoom@reddit

Update your resume, check-out and watch it all burn down while you job-hunt on the clock. Bail before the dumpster catches fire.

Reply

[-]

brokensyntax@reddit

As a network and application security type person ;) I present to you these lists; and a "What's your public IP?" Oh nevermind, it's already on Shodan 😈 [A list of reasons not to put your hypervisor online](https://www.cvedetails.com/vulnerability-list/vendor_id-252/product_id-22134/Vmware-Esxi.html) [And another list of reasons not to put yoru hypervisor online](https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=ESXi&search_type=all&isCpeNameSearch=false)

Reply

[-]

kmsaelens@reddit

Time to engage in some r/maliciouscompliance

Reply

[-]

stewbadooba@reddit

That's only half the requirement, make sure your objection is in writing and most importantly, **acknowledged in writing**

Reply

[-]

dodexahedron@reddit

And CC legal. And print it all out so when you get ransomwared you have it immediately available. 😆

Reply

[-]

Golden_Dog_Dad@reddit

I love it when I see people mention "legal" like every IT team has some magical legal team they can reach out to to get their bosses to back down.

Reply

[-]

Hi_Im_Ken_Adams@reddit

Yeah, If a company doesn’t have an InfoSec team what are the chances of them having a dedicated legal team?

Reply

[-]

Wagnaard@reddit

Probably higher than a Infosec team. People can understand lawyers and the need for them. But spending money on someone who tells them not to get hacked?

Reply

[-]

sssRealm@reddit

Pretty good. We have 3 in house attorneys and no dedicated infosec people.

Reply

[-]

dr00pybrainz@reddit

Uh....yeah. I thought this was standard/best practice. At least in my i.t. career it always was. Maybe things have changed in the year I've been out.

Reply

[-]

thegreatcerebral@reddit

20 years and the "legal" team was never contacted about anything I would bring up. That cost $$ to do and so it was RARELY done. We didn't have an in-house legal team, not that large. The Owner and the GM (#1 and #2) basically finalized most decisions.

Reply

[-]

sysadminalt123@reddit

Only time I reached out to legal before was for determining various retention policies since I worked in Finance. Then again it was a small company with basically 2 lawyers being "legal".

Reply

[-]

thegreatcerebral@reddit

LOL... that was the reason I was asking as well. Cyber Insurance annual questionnaire and they were asking about retention policies and I had to ask what we were legally obligated to do. Man oh man they didn't want to answer that.

Reply

[-]

Golden_Dog_Dad@reddit

Exactly. My boss literally yesterday said that he didn't consider contracting work to a third party the same as contracting work to another affiliate who is branded the same, but is a separate legal entity. He's also said that those who have CPA designations (I work in the professional services industry) should inherently be trusted because they wouldn't do anything to jeopardize their CPA membership. There is no legal team here. We have a lawyer, but the only contact I've had with him is when the partners need something for a legal dispute we are involved in.

Reply

[-]

anonymousITCoward@reddit

if it's a small company, the boss is likely the gatekeeper to the "legal department" or what ever lawyer they have on retain...

Reply

[-]

hybrid_muffin@reddit

Cc’ing legal is passive aggressive. BCC them.

Reply

[-]

Expert-Cricket-4447@reddit

Because blind passive aggression is so much more fun!!

Reply

[-]

lpbale0@reddit

And they never see it coming!

Reply

[-]

IceFire909@reddit

We going Active Aggressive boys Add legal in the To: list

Reply

[-]

zipcad@reddit

Do better. Forward it to legal for review, get some edits, then forward the whole thread to boss.

Reply

[-]

Muted-Shake-6245@reddit

Smile and wave

Reply

[-]

Resident-Artichoke85@reddit

Read receipt works.

Reply

[-]

highdiver_2000@reddit

A lawyer will laugh at this evidence. It delivered, doesn't mean read, much less understood the significance. There is a reason why financial planners go through some docs line by line.

Reply

[-]

nighthawke75@reddit

OP will need to pull the entire email (including headers, which will include transaction information), putting it in safe storage, where it'll be backed up automatically in more than two separate locations.

Reply

[-]

thegreatcerebral@reddit

Still not enough. Does not prove the client got it or that it didn't get messed with etc. This is why spammers use those 1 pixel deals where they can watch and if the file is downloaded then they know it was opened and have a valid person there.

Reply

[-]

Coffee4AllFoodGroups@reddit

except besides stopping read-receipts, I also have image loading turned off so that remote 1 pixel image doesn't get triggered.

Reply

[-]

nighthawke75@reddit

If there was a bounce or null route, then any trace done can show it.

Reply

[-]

thegreatcerebral@reddit

But, you have to then assume they logged the trace. I don't know how far you would have to prove. User can always claim they never saw it because outlook did something with it. Totally believable and untraceable.

Reply

[-]

nighthawke75@reddit

Not until the afmin can sit down and run it.

Reply

[-]

Resident-Artichoke85@reddit

Delivery receipt and read receipt are two different things.

Reply

[-]

Whitestrake@reddit

The gold standard CYA is neither delivery nor read receipt, but _understood and approved_ receipt. i.e. a reply email.

Reply

[-]

cosmos7@reddit

No it doesn't.

Reply

[-]

Minute_Foundation_99@reddit

Unreliable as mail clients aren't required to honor them and, in many environments, (such as ours), they can be stripped before being delivered. It's also dubious as to whether those are considered even legally binding.

Reply

[-]

stewbadooba@reddit

I would handle the acknowledgement problem (and add another arroe to my quiver) by designing the solution and sending it off to problem manager and request a particular change window ... ie, I am planning on deploying the attached design at <some convenient time>, can you please give me approval for that .... you may not have that formal of a change process in place now, but this will at least get in writing someone has authorised you to deploy that stupid-ass idea

Reply

[-]

vabello@reddit

Those still exist? My Mail clients are always configured to ignore them.

Reply

[-]

BlackV@reddit

it does not, I block those

Reply

[-]

223454@reddit

\--make sure your objection is in writing Just a small nitpick. I would say "your concerns". It's usually best to avoid looking like a roadblock. It's not that you object to the project (you do, but don't say it out loud), but that you have concerns. Express those concerns in writing and wait for confirmation to proceed anyway.

Reply

[-]

MrCertainly@reddit

If you're in the USA, "having it in writing" doesn't mean a thing when you live in an At-Will country.

Reply

[-]

AtarukA@reddit

Doesn't mean you should give up your protection when you can have some. I'd rather have a mail showing HR why I did it, and how it was his decision going against mine and have a chance than have none. If you like to go naked in the blizzard, that's your own choice.

Reply

[-]

oxidizingremnant@reddit

“Having it in writing” when it comes to something that will cause the company to be hacked means at best you don’t get fired while doing 20 hour days of ransomware recovery for a month.

Reply

[-]

MrCertainly@reddit

At "best". Remember, you're in AWA: At-Will America. They can fire you if they don't like the color of your socks. 99.7% of the population can be terminated at any time, for almost any (or no) reason, without notice, without compensation, and full loss of healthcare. You think that piece of paper "having it in writing" is worth anything more than the piece of paper itself, you're delusional.

Reply

[-]

Det_23324@reddit

I would rather not get fired personally.

Reply

[-]

AtarukA@reddit

Up to you if you prefer having nothing, really.

Reply

[-]

Tatermen@reddit

The good news is that it'll probably get hacked before he has time to setup any real production VMs on it, so data loss will probably be minimal. Unless they use it to jump to something else internally.

Reply

[-]

lost_signal@reddit

Malicious compliance would be putting the host in strict lockdown mode first…

Reply

[-]

dodexahedron@reddit

Lol there ya go. "You said put it on the internet. You didn't say leave it wide open to the... \*checks logs\*... 846295 malicious connections already rejected since it went up an hour ago."

Reply

[-]

VirtualPlate8451@reddit

Also make sure logging is turned on wherever you can. Make the incident responder’s life easier.

Reply

[-]

Resident-Artichoke85@reddit

Exactly. Put an outdated version with actively exploited CVEs and watch the good times roll. Have it in writing that you told your boss insecure it would be to deploy directly to the Internet.

Reply

[-]

dagbrown@reddit

No no. That would be stupid and could be held against you as if you’d performed a malicious act of sabotage directly. Make sure it’s up to date and all of the security patches and stuff are applied. It’ll still get owned but you at least have plausible deniability about it.

Reply

[-]

Resident-Artichoke85@reddit

How are they going to prove it? System is hacked and offline. Time to rebuild it, but first, let's disconnect and keep it disconnected from the Internet.

Reply

[-]

Cladex@reddit

I would also say borderline gross misconduct by not applying security practices such as patching etc etc

Reply

[-]

Resident-Artichoke85@reddit

"I would say this say borderline gross misconduct by".... connecting it directly to the Internet. This is just speeding up what is going to happen inevitably. The sooner it gets hacked the sooner it will be stood up in a proper location behind a firewall and on a restricted management VLAN.

Reply

[-]

saucyeggnchee@reddit

Yup, ask for it in email, respond with “as we discussed I have fears about yada yada but we will begin implementing at your request” and then start spamming that resume because there’s no fucking way I would want to stick around to clean up that dumb fuck’s mess.

Reply

[-]

StMaartenforme@reddit

What's that IP again?

Reply

[-]

schwaaaaaaaa@reddit

I don't think explaining it in simple terms will make a difference. Your boss has already established that they know everything about everything. I would make it simple. I would tell your boss (via email) that complying with their request will create an unnecessary risk which far outweighs any benefit to the company, and that you respectfully decline - BUT, that you will comply with the request if your boss replies that he/she understands the risk, and wants you to do it anyway. I would definitely BCC the entire conversation to yourself (your personal email) so you can reference it if needed.

Reply

[-]

Fresh_Dog4602@reddit

Sooo how come you guys don't have a firewall with any kind of vpn options?

Reply

[-]

VariousLawyer4183@reddit

https://www.bleepingcomputer.com/news/security/critical-rce-bug-in-vmware-vcenter-server-now-exploited-in-attacks/ This was published 9 days ago and won't be the last security issue. Why do banks build their vaults within the building? Because it takes longer to break multiple doors.

Reply

[-]

MasterPay1020@reddit

Somebody in my org put some unpatched Windows Servers live on the Internet with RDP inbound permitted from all sources. 6 months later somebody found it and remediated, and by some miracle neither was compromised or showed signs of brute force attempts during those 6 months. If you believe, miracles can happen!

Reply

[-]

way__north@reddit

for 'remediation', I'd nuke them

Reply

[-]

Anxious-Whole-5883@reddit

They all thought it was a honeypot.

Reply

[-]

DrunkenNinja45@reddit

Get it in writing before you do it

Reply

[-]

No_Anywhere6700@reddit

Get it in writing that you expressed concern and you were over ruled, and then do it anyway. Not your business, not your problem.

Reply

[-]

Kwantem@reddit

I am to be vonderink what IP is for server? Ve can test for you und make sure all is safe for you comrade.

Reply

[-]

digitalnative00@reddit

vpn is not a security tool. at best it's a geolocation tool.

Reply

[-]

makesPeopleDissapear@reddit

We will take our precious server room and move it outside so everyone can admire how nicely we have set it up. Then we build a cute little fence around it, for security? Then we put the most amazing things on our servers and broadcast them to the whole neighbourhood. They're going to love us. Good publicity and less work for us /s

Reply

[-]

serverhorror@reddit

No need for explanations. Have him, his boss, HR, legal and your lawyer in the room and hand a signed document over to you that this is against your professional advice. Like, actual pen and paper that they sign in front of you.

Reply

[-]

buy_chocolate_bars@reddit

Lol this MF lives in the movies

Reply

[-]

serverhorror@reddit

That MF has applied said technique. It works, the point where you ... _threaten_ ... people with the ask for a signature is, almost always when you know that you don't have to do it. You know you fucked up when they say: > Sure, gimme that pen!

Reply

[-]

buy_chocolate_bars@reddit

So you call your boss's boss & HR when you disagree? Sure buddy you've done that.

Reply

[-]

serverhorror@reddit

You read into that what you want. We're grown ups and you need to decide for yourself how much of this is reddit exaggeration and how much should be applied while in the job.

Reply

[-]

enderandrew42@reddit

I'm confused why your boss wants to make something internet facing because of deadlines. How does that make work faster? Go to your boss' boss and then explain the risk of ransomware and how your entire company can basically get shut down by a poor security posture. Explain that you will do what you are told like a dutiful employee, but you think there is significant risk involved and you just want to make sure it is called out.

Reply

[-]

swissthoemu@reddit

GTFO.

Reply

[-]

Cotford@reddit

Get it in writing, acknowledge it in writing, make a hard copy, keep that at home. Do what he wants, sit back and enjoy when it gets nuked from orbit and when the solids hits the air conditioning whip out the “I told you so piece of paper.” Make sure that’s a photocopy just in case

Reply

[-]

thortgot@reddit

Your environment doesn't sound best practice by any stretch, but having ESXi available through a VPN is a very normal scenario. Monitoring is trivial to configure and you can do so for literally $0 if you have a spare desktop sitting around. From PRTG to Zabbix. Pick one and get to work. When you say "we don't have a backup system", I assume you mean you don't have a duplicate live environment. If you literally don't have backups, stop everything else you are doing and go petition to get this done.

Reply

[-]

TEverettReynolds@reddit

> Help me explain like he’s 5 years old or maybe a 1st year computer science student. Why bother? Its such a bad idea you are just wasting your time and your career there. Seriously, what are you waiting for? You can't change stupid. You can't learn anything from this boss, so its time to move on. Like yesterday. You are wasting your future potential. Go find a company that respects you, your skills, and your work ethic. You'll probably get a nice raise, too.

Reply

[-]

TEverettReynolds@reddit

Time to update your resume ASAP. Do not walk, RUN. It would be best if you had a job lined up, so the same day you put this ESXi on the Internet is you last day before you start your new job.

Reply

[-]

jfernandezr76@reddit

You shouldn't do that or the sandman will come.

Reply

[-]

TanisMaj@reddit

All the other sysadmins have added plenty. All I have to add to the conversation is: WOW!! I feel you though, what a "maroon!" The fact he had to add, "I was in IT and know what I'm asking" tells me he was NEVER in IT or, at least, never in IT long enough to have to come out from under some idiotic management blunder. You could always send em' my way. I can tell him the story about an IT Manager (me) who HIGHLY suggested we put in place security and was told it was too expensive. I even had a Darktrace appliance sit next to my desk for 4 months before I was asked to, "please return." Fast forward about a year and a half later, after paying millions in ransom and hundreds of hours in data recovery (we're STILL recovering) because one of the OWNERS decided it might be cool to click on a phishing link and ka-blooey! Of course, because he was one of the OWNERS, he also had full Domain Admin access with his account, even after I told him it was not prudent and vehemently protested that it was against all "wise" security practices. I can always tell him THAT story.

Reply

[-]

Prestigious_Wall529@reddit

Funny you mentioned PaloAlto https://www.helpnetsecurity.com/2024/11/26/vulnerabilities-corporate-vpn-clients-cve-2024-5921-cve-2024-29014/ Amongst other recent showstopper vulnerabilities.

Reply

[-]

BK_Rich@reddit

Embarrassing

Reply

[-]

Plastic_Helicopter79@reddit

Several years ago I had ESXi directly exposed to the Internet because I rent an aging Supermicro blade server in a datacenter running headless, which makes accessing VMs via a GUI an utter pain in the ass on Ubuntu. I was not doing anything important, just running Minecraft, Factorio, and Space Engineers. Never had a problem with the ESXi web login being directly exposed on the public Internet, but went back to Ubuntu eventually for other reasons. This was before log4j was discovered, through which we likely would have been pwnd if it had been still running that way at the time.

Reply

[-]

Chno-networking@reddit

Start making an evidence folder of all of the written messages stating how bad of an idea this is and then include research on why it is such a bad idea. Provide all of that to your boss and then save it all for when the damage begins.

Reply

[-]

say592@reddit

"Our cyber security insurance likely wont cover this configuration when we get hacked. Can you put it in writing that I have advised against this?"

Reply

[-]

Achilles_Buffalo@reddit

This is known as an RGE - Resume Generating Event. I strongly suggest you look for other employment as quickly as you can and GTFO. In your exit interview, explain to HR that your main reason for leaving is that your former boss is incompetent and putting the safety of your entire company (and all of the sensitive PII contained in the HR databases) at severe risk of compromise. Wave to him as you leave.

Reply

[-]

parrothd69@reddit

Stop with the technical reasons. Just casually mention that you read on reddit that cyber security insurers are always looking for ways not to pay out claims and this would probably be a reason for them to deny a claim.

Reply

[-]

adamixa1@reddit

what do you mean by putting esxi on the internet? opening the port? console? the whole vm?

Reply

[-]

standard_user937@reddit (OP)

Install openvpn on the management interface directly on a static IP.

Reply

[-]

Natirs@reddit

Complying to this is becoming the insider threat your boss already is. You already connect to the VPN to access internal resources such as your hypervisor and if not, that is the approach you need to take. There is no reason why you would remove that layer of security and expose it to the internet. There should be policies or procedures in place that govern what needs to sit behind the VPN or an ACL. This would be one of the few times I would explain in detail but plain terms to someone higher up or to HR. This is one of those requests that is not only unreasonable, but also a big enough security risk that should warrant someone needs to be reprimanded or fired over. It's unreasonable because you can already connect to your hypervisor on-site or via the VPN. Your boss is either a careless insider or a collaborator looking to do your company harm and you will unfortunately be complicit in this if you follow those orders.

Reply

[-]

BarracudaDefiant4702@reddit

Not a good idea. You could probably tweak the built in firewall and limit what IPs can connect to it, but a VPN in a VM running on the host doesn't require much resources and provides a lot better security and logging.

Reply

[-]

NerdWhoLikesTrees@reddit

To what? Manage it remotely??

Reply

[-]

socral_@reddit

I'm curious about this as well. Only practiced with Hypervisor but exposing it on the internet can mean a lot of things. Also is good to know what not to do with the Hypervisor, I'm assuming the best practices is to keep it Local network only behind some firewall rules (as the basics I'm assuming).

Reply

[-]

Talesfromthesysadmin@reddit

Your boss sounds like someone who would open port 3389 on the internet

Reply

[-]

standard_user937@reddit (OP)

He once asked me what a kernel was, but he worked in IT (and must have been good at his last job) so he must know all of IT right?

Reply

[-]

Superb_Raccoon@reddit

"Well, it outranks a Major, but not a Brigadier General."

Reply

[-]

Sabbest@reddit

It can also be used for popcorn.

Reply

[-]

Beefcrustycurtains@reddit

I'm so confused. Why would this really insecure thing help at all? Just use a VPN when outside the office..

Reply

[-]

countsachot@reddit

Well I'm a consultant, but when a client insists on this type of thing, I ask for it written in email. Then respnd with a detailed response with my concerns. When I get the inevitable "we don't care" I'll respnd very well and do it. But seriously, it's fine, I can use a free hypervisor go for it.

Reply

[-]

cydex0@reddit

Didn't you see the September esxi and vCenter cve being exploited by various ransomware groups.. have you checked the race vulns exsi has just this year alone? Yeah get it in writing and save a copy offline. You will Need it when all infra gets ransomwared

Reply

[-]

Faux_Grey@reddit

But.. what purpose would it serve? Are you TRYING to get breached?

Reply

[-]

throwaway0000012132@reddit

Time to write those 3 envelopes...

Reply

[-]

GelatinousSalsa@reddit

Make him specify it in writing and have him sign it. Then do what he wants. Its not your machine, or your money being wasted when you have to fix it.

Reply

[-]

chickentenders54@reddit

I've seen many of Vmwares critical updates to address issues for hypervisors exposed directly to the internet. I always wondered who actually did this.

Reply

[-]

AtarukA@reddit

The one thing I would clarify with him, is whether he wants to be able to connect to the ESXi directly from the outside, or if he wants it to access the internet in general. If he wants it acessibly directly from the outside, then malicious compliance time with mail warning him of the dangers.

Reply

[-]

PAiN_Magnet@reddit

"I've worked in IT".... FFS..

Reply

[-]

r0lski@reddit

There might be a reason they don't do that anymore.

Reply

[-]

DowntownOil6232@reddit

I’m a bit confused by the wording and intent here. He wants you to open ports on your router to forward directly to the Esxi host?

Reply

[-]

Bright_Arm8782@reddit

Put this through change control as a high risk change, let someone else kill it.

Reply

[-]

recitegod@reddit

Please dont frame this teachable moment as incompetence, eventhough it is, he will never learn, no snarks, no smile, your life is on the line. There is nothing worse than being correct in the world of business.

Reply

[-]

Consistent_Memory758@reddit

Before deployment, make a plan. Write that plan Dow , discuss with the team and make the manager sign for it. If choices were made because of requirements by your manager, make a note in the plan why you did it.

Reply

[-]

attathomeguy@reddit

It’s called get it in writing. Reply back with your it’s not a good idea because it could get hacked and attach some articles about VMware esxi getting breached and if he responds to do it anyways you do it and you have your ass covered

Reply

[-]

Frosty-Magazine-917@reddit

Hello Op, OK, reading all the answers to the comments, it is obviously not as good a setup as a separate firewall, but here goes how you could do it. Setup a virtual firewall. This virtual firewall will have multiple virtual NICs. For the WAN, you setup a vSwitch with the only a single physical NIC on it. No other VM ports or vmkernel ports should be on this virtual switch besides the firewalls virtual WAN port. Then you setup another vSwitch with the other internal NICs of the virtual firewall attached. You can use vlans to separate out your traffic so that each vlan goes to a specific port on the virtual firewall. Using vlans like this it can talk to the rest of your network and the other VMs as separate network segments / subnets and put proper firewall policies blocking traffic so that you can't move between segments easily. You create a segment / vlan called VPN and install a wireguard / openvpn VM or other such thing here. This is what I would do if I had to and was in your shoes Its not perfect, but as long as the vmkernel ports for management are NOT on the wan port and separated from the other virtual machines traffic besides the firewall, it is very similar to a real firewall setup. If you really want to you can even directly pass the WAN NIC into the virtual firewall, by passing the virtual switch entirely, but that is not something I would do. Additionally, you could add something passively listening to all traffic on the WAN side so that you know when people are trying to get in. ... just today I was assisting a company whose VMs and ESXi host got hit with ransomeware and they killed the backups too so NO, this isn't a great idea, but that company wasn't setup as securely as I am recommending above either.

Reply

[-]

Isord@reddit

What in the world is he trying to do exactly? Your best bet is if you can give an alternative that you can do roughly as quickly. And I struggle to see how putting a hypervisor is somehow easier than anything else you'd do with it?

Reply

[-]

Nightslashs@reddit

Lack of a vpn I would guess

Reply

[-]

BigSlug10@reddit

I mean even just use a Jumpbox for access at least. WTH

Reply

[-]

Fast_Report3029@reddit

Spin up a WireGuard instance in the hypervisor lmao

Reply

[-]

Apprehensive_Ad5398@reddit

Exactly this question.

Reply

[-]

datec@reddit

Your edit makes it sound like he wants access to it through a VPN. What exactly is the problem with this??? It is not the same as putting it directly on the internet. It seems like you don't know what you're doing and/or don't have enough information about what they're asking you to do. Either way this post is pure trash.

Reply

[-]

standard_user937@reddit (OP)

We don’t update, even openvpn has authentication bypass vulnerabilities. And how hard is it to put a router in front of it, and then the networking team is responsible for the first layer of security??

Reply

[-]

different_tan@reddit

This is really basic stuff.

Reply

[-]

narcissisadmin@reddit

Your boss wants the ESXi management available externally? Seriously? Luckily you won't have to explain anything, just set it up as directed and put some dummy VMs on it. It will surely be fucked by the weekend.

Reply

[-]

standard_user937@reddit (OP)

If you don’t know you have been hacked (because you don’t monitor), do you really know if you are compromised :). If it’s not blatantly obvious I am referencing “if a tree falls in the forest, but nobody hears it, did it really happen?” The answer is yes.

Reply

[-]

different_tan@reddit

Why the fuck can’t he vpn to your internal network for this instead.

Reply

[-]

BlackV@reddit

OP has not clarified nothing, OP might be reading request entirely wrong

Reply

[-]

RBeck@reddit

So like a Honeypot?

Reply

[-]

poop_magoo@reddit

This went wrong because you didn't ask the obvious questions. Why do you want to do this? What exactly is it you think needs changed? What bottleneck would we be eliminating by doing this? Taking your value as an IT professional involves being able to cut through the noise, and extract the important information. Stop assuming people are idiots when they say something that seems stupid at first glance. They are trying to communicate something to you, and maybe aren't using the right words, or are focusing on the wrong thing. Having the ability to be a bridge/translator is just as valuable as the technical skills.

Reply

[-]

x-Mowens-x@reddit

# "Boss, here's why putting the hypervisor directly on the internet is like leaving your front door wide open with a 'Please Rob Me' sign." 1. **Imagine Your House with No Locks:** * The hypervisor (ESXi) is the foundation that manages all your servers. Exposing it to the internet is like leaving your house without locks or doors. * Even the best alarm system won’t help if you don’t secure the entry points. Hackers actively scan for systems like ESXi on the internet because they know they’re juicy targets. 2. **Single Point of Failure:** * If a hacker gains access to the hypervisor, they control **everything** running on it. It’s like handing over your bank PIN and wallet—they have access to the whole kingdom. 3. **Known Vulnerabilities:** * ESXi has vulnerabilities that hackers already know about. VMware patches these, but if you're exposed, it’s only a matter of time before an attacker exploits one. * Security vendors (like Cisco and Palo Alto) dedicate entire teams to secure their devices, and even they struggle to fend off attacks. We’re asking for trouble with a two-person IT team. 4. **No Defense in Depth:** * Good security uses layers (like firewalls, VPNs, monitoring, and limited access). Putting the hypervisor on the internet skips all of these layers, leaving it completely exposed. * Even if we *think* we’re monitoring it, the moment we miss something, the damage is already done. 5. **Real Consequences:** * Hackers could: * Deploy ransomware to shut down all our servers. * Steal sensitive company or customer data. * Use our infrastructure as a launchpad for attacks on others, which could lead to legal and reputational damage. * Recovery from such an attack could cost **millions** and months of downtime.

Reply

[-]

Superb_Raccoon@reddit

You got a daughter? You wouldn't put her directly on the internet either.

Reply

[-]

x-Mowens-x@reddit

Here I am, being all thoughtful... and here you are... being awesome.

Reply

[-]

Superb_Raccoon@reddit

Sometimes you just gotta go for the dick punch.

Reply

[-]

Bratwurst1981@reddit

You are losing the benefit of all the volunteer administration help you can get if you don’t put on the internet. You will get free software. Open your mind.

Reply

[-]

r3rg54@reddit

My manager put a pc outside the firewall for a support team once and it lasted about a month before they could not even access it anymore.

Reply

[-]

Some_Troll_Shaman@reddit

Engage whoever is responsible for your cyber insurance, your SOC and your cyber security team. It is a bad idea because those interfaces are not and never have been designed and tested for open internet exposure.

Reply

[-]

darklightedge@reddit

Welcome to the wonderful world of ransomware.

Reply

[-]

Danoga_Poe@reddit

Yea, document everything and let him deal with the bulletin when it happens

Reply

[-]

BlackV@reddit

You never gave us any details, so we don't know, what put the host on the internet means to you maybe you should clarify to your boss, what they actually mean by put the host on the internet it might mean something different Cause pitting a nic for guests on the internet/dmz is a far different story to the management adapter

Reply

[-]

datec@reddit

Based on their edit, it sounds like they want access to manage VMware through a VPN. Then he goes on to say "well openVPN has auth bypass vulnerabilities in it too..." And talks about putting a router in front of it... This is a troll post...

Reply

[-]

BlackV@reddit

Oh I didn't see that

Reply

[-]

Secret_Account07@reddit

I live in VMware. Full-time. This is dumb. Also, what’s the benefit? It’s not that hard to setup infra to provide access to internal….like I don’t get it. Bad actors scan the internet looking for these types of things.

Reply

[-]

standard_user937@reddit (OP)

I don’t understand it either.

Reply

[-]

Secret_Account07@reddit

What’s his reasoning?

Reply

[-]

standard_user937@reddit (OP)

It gets a lot worse than just backups…

Reply

[-]

Secret_Account07@reddit

Oh no 😬

Reply

[-]

chillmanstr8@reddit

{generated by ChatGPT}: • Imagine a treasure chest (the hypervisor) that holds all the keys to your kingdom (your virtual machines). • If you leave it outside your house (directly on the internet) without any guards (firewalls, VPNs, etc.), thieves (hackers) will break into it. • It’s not about if they will break in—it’s about when. Hackers are constantly looking for unguarded treasure chests.

Reply

[-]

Superb_Raccoon@reddit

"See? Even a computer is smarter than you."

Reply

[-]

DanHalen_phd@reddit

What exactly does he hope to achieve by doing this?

Reply

[-]

Superb_Raccoon@reddit

World peace.

Reply

[-]

LopsidedPotential711@reddit

Had a CEO turn his back on me when I pointed out that put a dozen Windows machines with hard coded public IPs on the internet was a bad idea. "Talk to your manager." Fucker never even officially said that I would be reporting to that new dude. So two slaps in one go. CYA.

Reply

[-]

Superb_Raccoon@reddit

"This is my 2 weeks notice."

Reply

[-]

aeron_wolfe@reddit

tell him you want your objections noted in the ship's log.

Reply

[-]

Superb_Raccoon@reddit

Captian's log, Stardate 1d10t...

Reply

[-]

HoosierLarry@reddit

This what’s wrong with the corporate world today. Fuck that asshole. He should be put in charge of picking up dog shit at the park. You’re going to catch hell when it gets compromised. If the blowback is serious enough you’ll both be fired. Sharpen your resume and start job hunting now.

Reply

[-]

Expensive_Plant_9530@reddit

What exactly is he trying to accomplish? Are you missing the on-prem server hardware to spin up your own ESXi environment locally? Is there some concern with the budget or parts delivery? Or am I misunderstanding his intentions and he wants to expose your on-premises ESXi host to the internet? If so, for what reason?

Reply

[-]

RoundFood@reddit

To play devil's advocate a bit, if he wants to put your hypervisor management behind a firewall and restrict traffic to only whitelisted addresses you'll probably be fine. I'd still hate it, you'd be one misconfigured firewall rule away from disaster. Exposing ESXi is so much worse than RDP. It may be the worst thing to expose. There's constant CVEs and if someone compromises your hypervisor they've compromised everything on it as well, for most orgs that'd be all their VMs including their tier 0's.

Reply

[-]

Jess_S13@reddit

Well beyond the obvious it's a horrible idea to have an appliance have direct internet access you are likely to have another issue depending on what ports you expose. I'm assuming you at least need 443 for UI/PowerCLI, and they may want you to open ssh, either way any scanner is going to be able to detect the system and can flood it with root login attempts, which you can either leave up and watch the system get loaded with hundreds of wrong logins till they find the PW or likely hits perf issues from just trying to manage the flood of bad logins, or set a failed PW limit and then root gets locked out, neither of which are great. You could setup the interface to have an IP whitelist but at that point you might as well keep it internal.

Reply

[-]

monsieurR0b0@reddit

You can expose VMs to the internet via a dedicated virtual switch with physical nics a dmz WITHOUT having the esxi management network exposed to the internet.

Reply

[-]

BarracudaDefiant4702@reddit

If you don't bind any IPs on the host, but you create a public IP and private IP subnets and connect a VPN VM server (preferably wireguard, although openvpn would work too) it can be done securely. No need for an external box besides redundancy.

Reply

[-]

matthegr@reddit

Your network team, assuming you aren't on it, should put a stop to this as soon as you request this craziness. Give them a heads up and let them be the ones that say no.

Reply

[-]

standard_user937@reddit (OP)

Ya but unfortunately why I am on effectively a team of 2, my networking team is effectively a team of one… (and historically we have been allowed to do this, so why not continue, 20 years later..)

Reply

[-]

matthegr@reddit

Scary. I would highly recommend finding a better place of employment.

Reply

[-]

CharcoalGreyWolf@reddit

I bet you can find a YouTube video of how quickly a server directly exposed goes down in flames… But yes, this will be a resume-altering event for someone. Make sure it isn’t you.

Reply

[-]

Neratyr@reddit

determine exactly what he is asking and then explain, in writing that you object because of risk. Then get it in writing that he understands, and wants you to proceed anyway. Tell him simply that this is because you'll do whatever you are paid to and that you don't want any negative impacts such as downtime to be blamed upon you and that this situation is well outside of your professional risk tolerance you apply consistently to the duties the organization has tasked you with. As far as how to have the conversation, you want to calmly ask how much downtime is justified, or how much re-tasking of your time is justified. You dont say it like that, thats just how I'm saying it here briefly to you. Be polite and political about it. And again, get it all in writing. Realistically in a best case you dont get your ego or emotions involved. You work smarter not harder by covering your ass. If the request is demonstrably absurd then may consider involving someone else, but you had better be right because if he wins their opinion and you are still told to do it anyway and there isn't downtime or noticeable labor cost then you will look like the bad guy. If shit hits the fan, you want a paper trail of you reasonably calmly and professionally informing your boss of the risks involved, reiterating, then double checking one last time prior to taking his ill-advised action. This sucks to have to admit this but realistically by professional IT standards you can disregard a lot and not necessarily impact a companys bottom line. For that reason you wanna be calm cool and collected with warnings and documentation thereof. Otherwise non-IT people will be very quick to label you as crying wolf and disregard your warnings even more. Do not forget, if the pain experienced isn't too directly correlated to the cause then the association is often lost. This can often by merely by time.

Reply

[-]

JazzlikeSurround6612@reddit

Jesus.

Reply

[-]

standard_user937@reddit (OP)

You don’t even know the half of it, not even kidding.

Reply

[-]

redtollman@reddit

Where on any roadmap is “publish the hypervisor to the world”?

Reply

[-]

highdiver_2000@reddit

There is only 1 thing that you put on the Internet. It is called the firewall. Everything else behind.

Reply

[-]

standard_user937@reddit (OP)

But we have a false sense of security because an internal application we have has been on the internet (unpatched) for 14 years and we have never found it to be compromised before. So having things directly on the internet is fine, right. ![gif](giphy|6yRVg0HWzgS88)

Reply

[-]

InterDave@reddit

Get it in writing. If he won't email it to you, email the details to him, of what he's asking you to do and don't do it unless he confirms - in writing. Then forward those emails to yourself at an offsite account AND print them.

Reply

[-]

geekworking@reddit

Why? Seriously, why? Have you no network team? Throw anything in front of it. A jump box, vpn, a fucking home router, or at the very least firewall it to only be accessed from your trusted network.

Reply

[-]

standard_user937@reddit (OP)

No we do

Reply

[-]

Obvious-Ad-3500@reddit

What in the world is the timeline that they can't wait for a nat or forward or whatever...

Reply

[-]

6Saint6Cyber6@reddit

Just email him the details of what he wants you to do, along with the reasons you gave with a “I know you have dismissed the following concerns I raised, but wanted to reiterate them here” and copy legal and the CISO on the email. If he replies to and takes them off, reply and put them back on. Repeat until he or you gets fired.

Reply

[-]

Dank_sniggity@reddit

Did this once, locked out the admin account almost instantly from attempts. You’ll be fine if you firewalls/acl source addresses. Probably….

Reply

[-]

Daneyn@reddit

I guess it really depends on WHAT data they are keeping on the hypervisor and the VMs it's running. If it's "internal" or company secret stuff... Assume it will be out in the open fairly quick. If it's customer facing data... again, assume it will be out in the open fairly quick. If it's general pubic knowledge that's on the website anyways? is it the end of the world? it's public knowledge anyways in theory. 2 of the 3 scenarios seem like TERRIBLE ideas. Last one, not so much. but it's also depending on if your website likes being broken into. But what do I know.

Reply

[-]

standard_user937@reddit (OP)

Very good point, and if it was just public knowledge on this host I wouldn’t have a problem, but it definitely fall in the 2/3 scenarios you described.

Reply

[-]

jdptechnc@reddit

You are not going to win an argument with this moron. Get it in writing. Make sure you have good backups of your environment. Comply with the mandate. Go on PTO for two weeks and turn off your phone.

Reply

[-]

Jayhawker_Pilot@reddit

Put it out there with a couple of VM's. Nothing else. And watch for a few days. You will be owned within 48 hours. Do that and show your boss on why it's a bad idea.

Reply

[-]

william_tate@reddit

Don’t be chicken, do it. Just make sure you have your bosses go ahead in writing. And print it out. But yeah, don’t be chicken.

Reply

[-]

pr1ntf@reddit

Get the request in writing, save a copy. Do the thing. Let their superior know you're doing it and that's its a bad idea. Also, start working on that resume.

Reply

[-]

Absolute_Bob@reddit

So he want an inbound firewall rule allowing a connection to it from Any? Does he want it restricted to a couple of trusted addresses? Does he want to assign one of your external addresses directly to a NIC on the host? One of those I wouldn't like a whole lot but might possibly tolerate if it's somehow the least bad option. The others are just categorically bad under any realistic scenario.

Reply

[-]

Bleglord@reddit

Plan for the DR scenario now, get in writing to CYA and prepare 3 envelopes

Reply

[-]

grouchy-woodcock@reddit

This isn't an argument you can win. If you don't do it, you create an enemy. If you can talk him out of it, you create an enemy. If you go around him (his boss or his boss's boss), you create an enemy. Personally, I would try option 3, go to his boss. Best case scenario, you get a new boss. But whatever you choose, get your resume ready. Good luck.

Reply

[-]

zeetree137@reddit

Masscan can hit the entire Internet in a few minutes. I look forward to seeing your system on shodan.

Reply

[-]

Burgergold@reddit

Start looking for another job

Reply

[-]

gsmitheidw1@reddit

May as well, once payroll has been encrypted and held to random for some BTC you're effectively working for free anyway

Reply

[-]

Otherwise-Ad-8111@reddit

[https://www.youtube.com/watch?v=2PxcDyfKV90](https://www.youtube.com/watch?v=2PxcDyfKV90)

Reply

[-]

Hesiodix@reddit

![gif](giphy|yYDGY2JX9aIe29FzS8|downsized)

Reply

[-]

BigBobFro@reddit

Me to 5y old: dont fucking do it or there wont be christmas for you ever again. Word of advice: Get his request in writing, with your objection, and his “i dont care” response. If you have an in with his boss, use it. Start finding a new job while you do what he asks.

Reply

[-]

elpollodiablox@reddit

Need some better background on what he is trying to achieve and how he hopes to achieve it in this way before giving any specific advice.

Reply

[-]

goishen@reddit

Get everything in writing, including your strenuous objections, and then put it on the internet. When you get hacked, you can say, "I told you so..." to HR.

Reply

[-]

sonicc_boom@reddit

![gif](giphy|DekxoPi2fT9g4)

Reply

[-]

00001000U@reddit

Do not.

Reply

[-]

VarmintLP@reddit

OP? Are you in a position where you can risk losing your job? If so, let the shit hit the fan. Make sure your boss confirms that decission to you in writting via email or something. Then store that in a safe place where it cannot be destroyed or deleted. USB stick or somewhere at home. Then do what your boss says and let the shit hit the fan hard and make it clear that it's the decission if your boss and you argued your case to avoid the situation that is going to happen because of it. I bet he also want you to use a password like supersecure123abc. Or something stupid like that

Reply

[-]

sleestakarmy@reddit

Like 10 years ago, Bastion / Jumpboxes were the standard but not anymore.

Reply

[-]

iamLisppy@reddit

Get the request in writing, with them signing off on it, and make yourself a copy to CYA.

Reply

[-]

SAL10000@reddit

Yea I second what another person said, get it in writing with as much detail as possible about the exact requirements and details. Make him explain it and save mutiple copies of the correspondence. I would go as far to mention it again after he repliies: "And just to confirm, you want me to put an ESXi server on the internet outside of our security measures that protect our network?"

Reply

[-]

hurkwurk@reddit

I wonder, once the network is setup, will you be able to complete anything else before it's jacked or not?

Reply

[-]

chaosphere_mk@reddit

If he said, "I've worked in IT..." then I would seriously question that. Nobody in their right mind would ever suggest this. Personally I would fight like hell to prevent this, and if he makes you do it anyway, get those instructions in an email, and go to HR and just say you want to document this on your file just in case anything happens.

Reply

[-]

accidentalciso@reddit

If you have made your case and been overridden, make sure that you get everything in writing for this request and any change approvals. You will want every email, ticket, etc… to cover your butt when that box gets pwned. Make sure that your assessment of the risk is included. Your manager is managing to optics, hoping that catching up on the roadmap will make them look better. Unfortunately, this is likely going to be a resume generating event for them.

Reply

[-]

alpha417@reddit

r/maliciouscompliance gets you a new boss.

Reply

[-]

ChampionshipComplex@reddit

There are literally hundreds of vulnerabilities discovered in ESXi. One hundred and fourteen listen in this site. We had one just recently in the last 6 weeks, that caused our org to issue an emergency alert to patch all of our ESX instances, because of a massive vulnerability and stop all of our other work (and none of our instances are on the Internet). I mean the screen shot below which includes just some of them, shows two that had known exploits where hackers were targeting ESX instances, and breaching them - the one from June was actively used in ransomware attacks that breached one of our sister companies - and again they were not even Internet facing. [Vmware Esxi security vulnerabilities, CVEs, versions and CVE reports](https://www.cvedetails.com/product/22134/Vmware-Esxi.html?vendor_id=252) https://preview.redd.it/idd1zc604c3e1.png?width=1149&format=png&auto=webp&s=033bf9cde6f94182f8bc4aee2db1cff8e0b0c2fb

Reply

[-]

theoriginalzads@reddit

Install ESXi, connect it to the internet. As soon as you do pretend you can’t access it anymore and it must have been hacked already. Throw up a VM with a bitcoin miner for full effect. There’s some seriously brain dead requests out there.

Reply

[-]

SensitiveFrosting13@reddit

Enjoy the ransomware!

Reply

[-]

dean771@reddit

Its ok, you might not get hacked

Reply

[-]

failedTec@reddit

I don’t have the answer but, RemindMe! 12 hours

Reply

[-]

OneEyedC4t@reddit

Because when it gets hacked, all that productivity will likely disappear real quick

Reply