This section is focused on the security of Avi Load Balancer Service Engines and Controllers.

VMware strives to ensure the highest level of security, adhering to rigorous testing and validation standards. Avi Load Balancer includes numerous security-related features to ensure the integrity of the Avi Load Balancer system and the applications and services it protects.

Industry Validation

Many of the largest and most trusted brands on the Internet have subjected Avi Load Balancer to their own testing or testing by third-party companies such as Qualys and Rapid7. This continuous testing ensures that, in addition to the proven success of Avi Load Balancer in public and private networks, it has been thoroughly vetted by known industry security leaders.

The following are a few examples of the web UI and other attack vectors, and of the security controls, exercised through external penetration testing:

  • SQL injection

  • Cross-site request forgery (CSRF)

  • Cross-site scripting (XSS)

  • Arbitrary code execution

  • Credential disclosure

  • Clickjacking

  • Improper cookie settings

  • Password protection through PBKDF2

  • Encryption of SSL certificates' private keys

  • Role-based access control

  • Strong output validation to guard against disclosure of sensitive fields, such as passwords, and against export of keys

Patching Security Issues

Despite the best attempts to proactively resolve any potential threat before a code release, it is essential to have a solid plan of action in case a security hole is discovered in customer-deployed software.

VMware strongly recommends that key administrators subscribe to the Avi Load Balancer mailing list. Security alerts are proactively sent to customers to notify them when an issue has been found and what mitigation may be required. Subscribe through the VMware customer portal. VMware also publishes responses to Common Vulnerabilities and Exposures (CVEs) of note, covering known vulnerabilities in Avi Load Balancer or in software it uses, such as SSL libraries and Linux. Avi Load Balancer may also publish CVE responses for issues that do not affect Avi Load Balancer, to inform customers that they are protected. These CVE responses are posted to the Avi Load Balancer documentation site but are not sent proactively through email alerts.

See also the following guides:

Hardening Avi Load Balancer

With a basic deployment of Avi Load Balancer, the system is secured and reasonably locked down. However, many administrators may wish to customize the security posture or tighten the policies governing who can access Avi Load Balancer. VMware strongly recommends thoroughly reviewing the options for securing Avi Load Balancer; this is essential in production environments, where the potential exposure to malicious attacks is more severe.

See the following guides for more information: