The virtual networking layer includes virtual network adapters, virtual switches, distributed virtual switches, and ports and port groups. ESXi relies on the virtual networking layer to support communications between virtual machines and their users. In addition, ESXi uses the virtual networking layer to communicate with iSCSI SANs, NAS storage, and so forth.

vSphere includes the full array of features necessary for a secure networking infrastructure. You can secure each element of the infrastructure separately, such as virtual switches, distributed virtual switches, and virtual network adapters. In addition, consider the following guidelines, discussed in more detail in Securing vSphere Networking.

Isolate Network Traffic

Isolation of network traffic is essential to a secure ESXi environment. Different networks require different access controls and levels of isolation. A management network isolates client traffic, command-line interface (CLI) or API traffic, and third-party software traffic from normal traffic. This network should be accessible only by system, network, and security administrators.

See ESXi Networking Security Recommendations.

Use Firewalls to Secure Virtual Network Elements

You can open and close firewall ports and secure each element in the virtual network separately. Firewall rules associate each service with the ports it needs, so the ESXi firewall can open and close those ports according to the status of the service.

See ESXi Firewall Configuration.
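As an added example that is not part of the VMware documentation, the following PowerCLI script audits the ESXi firewall on every host managed by a vCenter Server: it checks that the default policy denies unmatched traffic, reports exceptions that are still open although their service has stopped, and limits selected rulesets to a management subnet instead of allowing all source addresses. The vCenter name, the subnet and the choice of the `sshServer` ruleset are placeholders for your environment; the `Get-EsxCli -V2` calls are the PowerCLI equivalent of `esxcli network firewall ruleset`, and the assumption that their argument names are the esxcli option names without hyphens is stated in the code.

```powershell
# Added example, not VMware's own code. Assumes PowerCLI is installed and that the
# vCenter name, management subnet and ruleset ids below are adapted to your site.
$VCenter       = 'vcenter.example.test'   # placeholder
$MgmtSubnet    = '192.0.2.0/24'           # placeholder (documentation address range)
$RestrictRules = @('sshServer')           # rulesets to limit to the management subnet
$Remediate     = $false                   # $true applies changes instead of reporting

Connect-VIServer -Server $VCenter | Out-Null

foreach ($vmhost in Get-VMHost) {
    # 1. Deny by default: traffic not matched by an enabled exception is dropped.
    $default = Get-VMHostFirewallDefaultPolicy -VMHost $vmhost
    if ($default.IncomingEnabled -or $default.OutgoingEnabled) {
        Write-Warning "$($vmhost.Name): default firewall policy allows unmatched traffic"
        if ($Remediate) {
            $default | Set-VMHostFirewallDefaultPolicy -AllowIncoming $false -AllowOutgoing $false | Out-Null
        }
    }

    # 2. Exceptions that are open although their service is stopped. ServiceRunning is
    #    $null for rules not tied to a host service, so compare to $false explicitly.
    $stale = Get-VMHostFirewallException -VMHost $vmhost |
        Where-Object { $_.Enabled -and $_.ServiceRunning -eq $false }
    foreach ($rule in $stale) {
        Write-Warning ("{0}: '{1}' is open (incoming ports {2}) but its service is not running" -f
            $vmhost.Name, $rule.Name, ($rule.IncomingPorts -join ','))
        if ($Remediate) { $rule | Set-VMHostFirewallException -Enabled $false | Out-Null }
    }

    # 3. Limit selected rulesets to the management subnet instead of "all IP addresses".
    #    Assumption: Get-EsxCli -V2 argument names are the esxcli option names without
    #    hyphens (--ruleset-id -> rulesetid). Verify on your version with
    #    $esxcli.network.firewall.ruleset.set.CreateArgs().
    $esxcli = Get-EsxCli -VMHost $vmhost -V2
    foreach ($id in $RestrictRules) {
        if ($Remediate) {
            $esxcli.network.firewall.ruleset.set.Invoke(@{ rulesetid = $id; allowedall = $false }) | Out-Null
            try {
                $esxcli.network.firewall.ruleset.allowedip.add.Invoke(@{ rulesetid = $id; ipaddress = $MgmtSubnet }) | Out-Null
            } catch {
                Write-Verbose "$($vmhost.Name): $MgmtSubnet is already allowed for $id"
            }
        } else {
            # Report the current allowed list; the property name is an assumption,
            # inspect the returned object with Get-Member if it differs on your release.
            $allowed = $esxcli.network.firewall.ruleset.allowedip.list.Invoke(@{ rulesetid = $id })
            Write-Output ("{0}: ruleset {1} allows: {2}" -f $vmhost.Name, $id, ($allowed.AllowedIPAddresses -join ', '))
        }
    }
}
```

Run it first with `$Remediate = $false` and review the warnings; closing a stale exception or narrowing a ruleset on a host you reach only through that ruleset locks you out, so confirm console or out-of-band access before applying changes.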

Consider Network Security Policies

Networking security policy provides protection of traffic against MAC address impersonation and unwanted port scanning. The security policy of a standard or distributed switch is implemented in Layer 2 (Data Link Layer) of the network protocol stack. The three elements of the security policy are promiscuous mode, MAC address changes, and forged transmits.

See the vSphere Networking documentation for instructions.
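The following PowerCLI script is an added example, not VMware's own code, that audits the three Layer 2 security policy settings named above on standard switches, their port groups and distributed port groups, and optionally sets each to Reject. The vCenter name is a placeholder, and the list of port groups that legitimately need promiscuous mode (for example, one feeding a monitoring sensor) is an assumption you fill in; the script never turns promiscuous mode on.

```powershell
# Added example, not VMware's own code. Assumes PowerCLI and a placeholder vCenter.
$VCenter            = 'vcenter.example.test'   # placeholder
$PromiscuousAllowed = @('Monitoring-Span')     # placeholder: port groups allowed to keep promiscuous mode
$Remediate          = $false                   # $true sets offending settings to Reject

Connect-VIServer -Server $VCenter | Out-Null

# Returns a finding object when any of the three settings is set to Accept
# (promiscuous mode is only a finding when the object is not on the allowed list).
function Test-L2Policy {
    param($Owner, $Scope, $Policy)
    $promisc = $Policy.AllowPromiscuous -and ($Owner -notin $PromiscuousAllowed)
    if ($promisc -or $Policy.MacChanges -or $Policy.ForgedTransmits) {
        [pscustomobject]@{
            Scope            = $Scope
            Object           = $Owner
            AllowPromiscuous = [bool]$Policy.AllowPromiscuous
            MacChanges       = [bool]$Policy.MacChanges
            ForgedTransmits  = [bool]$Policy.ForgedTransmits
        }
    }
}

$findings = @()

# Standard switches: the switch-level policy is the default each port group inherits,
# so it is checked first, then every port group that may override it.
foreach ($vmhost in Get-VMHost) {
    foreach ($vss in Get-VirtualSwitch -VMHost $vmhost -Standard) {
        $pol = Get-SecurityPolicy -VirtualSwitch $vss
        $f = Test-L2Policy -Owner $vss.Name -Scope "vSwitch on $($vmhost.Name)" -Policy $pol
        if ($f) {
            $findings += $f
            if ($Remediate) {
                $pol | Set-SecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false | Out-Null
            }
        }
        foreach ($pg in Get-VirtualPortGroup -VirtualSwitch $vss) {
            $pgpol = Get-SecurityPolicy -VirtualPortGroup $pg
            $f = Test-L2Policy -Owner $pg.Name -Scope "port group on $($vmhost.Name)" -Policy $pgpol
            if ($f) {
                $findings += $f
                if ($Remediate) {
                    # Keep promiscuous mode only where it was explicitly allowed; always reject the other two.
                    $pgpol | Set-SecurityPolicy -AllowPromiscuous ($pg.Name -in $PromiscuousAllowed) `
                        -MacChanges $false -ForgedTransmits $false | Out-Null
                }
            }
        }
    }
}

# Distributed port groups carry their own policy, independent of the hosts.
foreach ($vdpg in Get-VDSwitch | Get-VDPortgroup) {
    $dpol = Get-VDSecurityPolicy -VDPortgroup $vdpg
    $f = Test-L2Policy -Owner $vdpg.Name -Scope 'distributed port group' -Policy $dpol
    if ($f) {
        $findings += $f
        if ($Remediate) {
            $dpol | Set-VDSecurityPolicy -AllowPromiscuous ($vdpg.Name -in $PromiscuousAllowed) `
                -MacChanges $false -ForgedTransmits $false | Out-Null
        }
    }
}

$findings | Format-Table -AutoSize
```

Rejecting MAC address changes and forged transmits breaks workloads that legitimately change their effective MAC address, such as some clustering and network load balancing guests, so treat each finding as something to verify against the workload on that port group rather than a defect to fix blindly.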

Secure Virtual Machine Networking

The methods you use to secure a virtual machine network depend on which guest operating system is installed, whether the virtual machines operate in a trusted environment, and a variety of other factors. Virtual switches and distributed virtual switches provide a substantial degree of protection when used with other common security practices, such as installing firewalls.

See Securing vSphere Networking.

Consider VLANs to Protect Your Environment

ESXi supports IEEE 802.1q VLANs, which you can use to further protect the virtual machine network or storage configuration. VLANs let you segment a physical network so that two machines on the same physical network cannot send packets to or receive packets from each other unless they are on the same VLAN.

See Securing Virtual Machines with VLANs.
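As an added example, not VMware's own code, the following PowerCLI script checks the two VLAN conditions that undermine the isolation described in the "Isolate Network Traffic" and "Consider VLANs" guidelines above: port groups that trunk all VLANs through to the guest, and virtual machine port groups that share a VLAN with the management VMkernel port group. The vCenter name is a placeholder; the script only reports, and the `Set-VirtualPortGroup` line at the end shows how a port group would be moved to its own VLAN.

```powershell
# Added example, not VMware's own code. Assumes PowerCLI and a placeholder vCenter.
$VCenter = 'vcenter.example.test'   # placeholder

Connect-VIServer -Server $VCenter | Out-Null

foreach ($vmhost in Get-VMHost) {
    $vmks           = Get-VMHostNetworkAdapter -VMHost $vmhost -VMKernel
    $vmkPortGroups  = $vmks | Select-Object -ExpandProperty PortGroupName -Unique
    $mgmtPortGroups = $vmks | Where-Object { $_.ManagementTrafficEnabled } |
        Select-Object -ExpandProperty PortGroupName -Unique

    $pgs = Get-VirtualPortGroup -VMHost $vmhost -Standard

    # VLAN 4095 is Virtual Guest Tagging: every VLAN is passed through to the guest,
    # which undoes the segmentation that the VLAN assignment was meant to provide.
    foreach ($pg in $pgs | Where-Object { $_.VLanId -eq 4095 }) {
        Write-Warning "$($vmhost.Name): port group '$($pg.Name)' passes all VLANs (4095) to guests"
    }

    # A virtual machine port group (no VMkernel adapter bound to it) on the same VLAN
    # as the management port group puts those VMs on the management Layer 2 segment.
    $mgmtVlans = $pgs | Where-Object { $_.Name -in $mgmtPortGroups } |
        Select-Object -ExpandProperty VLanId -Unique
    $shared = $pgs | Where-Object { $_.Name -notin $vmkPortGroups -and $_.VLanId -in $mgmtVlans }
    foreach ($pg in $shared) {
        Write-Warning ("{0}: VM port group '{1}' shares management VLAN {2}" -f
            $vmhost.Name, $pg.Name, $pg.VLanId)
    }
}

# Distributed port groups: a Trunk VLAN configuration is the equivalent of 4095 above.
foreach ($vdpg in Get-VDSwitch | Get-VDPortgroup | Where-Object { $_.VlanConfiguration.VlanType -eq 'Trunk' }) {
    Write-Warning "distributed port group '$($vdpg.Name)' trunks VLANs $($vdpg.VlanConfiguration)"
}

# Remediation for a standard port group (VLAN id 10 is a placeholder): move the
# offending VM port group to a VLAN of its own. Commented out because the right VLAN
# depends on the physical switch configuration.
# Get-VirtualPortGroup -VMHost $vmhost -Name 'VM-Network' | Set-VirtualPortGroup -VLanId 10
```

A port group with VLAN 0 uses the native VLAN of the physical uplink, so a "0" in the report means traffic is untagged rather than isolated; whether that is acceptable depends on how the physical switch ports are configured.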

Secure Connections to Virtualized Storage

A virtual machine stores operating system files, program files, and other data on a virtual disk. Each virtual disk appears to the virtual machine as a SCSI drive that is connected to a SCSI controller. A virtual machine is isolated from storage details and cannot access the information about the LUN where its virtual disk resides.

The Virtual Machine File System (VMFS) is a distributed file system and volume manager that presents virtual volumes to the ESXi host. You are responsible for securing the connection to storage. For example, if you are using iSCSI storage, you can set up your environment to use CHAP and, if required by company policy, mutual CHAP by using the vSphere Web Client or CLIs.

See Storage Security Best Practices.
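The following PowerCLI script is an added example, not VMware's own code, for the iSCSI CHAP configuration mentioned above: it reports the CHAP mode of every iSCSI adapter and, when remediation is enabled, requires CHAP with mutual CHAP on adapters that do not yet enforce it. The vCenter name is a placeholder and the CHAP names and secrets are prompted for rather than written into the script; the `AuthenticationProperties` property names used for reporting are an assumption to check against your PowerCLI version.

```powershell
# Added example, not VMware's own code. Assumes PowerCLI and a placeholder vCenter.
$VCenter   = 'vcenter.example.test'   # placeholder
$Remediate = $false                   # $true configures adapters that are not compliant

Connect-VIServer -Server $VCenter | Out-Null

# Prompt once so the secrets stay out of the script file and the shell history.
# The target must be configured with the same names and secrets, and the mutual
# CHAP secret must differ from the one-way CHAP secret.
if ($Remediate) {
    $chap   = Get-Credential -Message 'Host (initiator) CHAP name and secret'
    $mutual = Get-Credential -Message 'Target (mutual) CHAP name and secret'
}

$report = foreach ($vmhost in Get-VMHost) {
    foreach ($hba in Get-VMHostHba -VMHost $vmhost -Type IScsi) {
        $auth = $hba.AuthenticationProperties   # assumption: ChapType / MutualChapEnabled live here
        $compliant = ($auth.ChapType -eq 'Required') -and $auth.MutualChapEnabled

        [pscustomobject]@{
            Host      = $vmhost.Name
            Adapter   = $hba.Device
            Initiator = $hba.IScsiName
            ChapType  = $auth.ChapType
            Mutual    = [bool]$auth.MutualChapEnabled
            Compliant = $compliant
        }

        if ($Remediate -and -not $compliant) {
            $hba | Set-VMHostHba -ChapType Required `
                -ChapName $chap.UserName -ChapPassword $chap.GetNetworkCredential().Password `
                -MutualChapEnabled $true `
                -MutualChapName $mutual.UserName -MutualChapPassword $mutual.GetNetworkCredential().Password | Out-Null
        }
    }
}

$report | Format-Table -AutoSize
```

CHAP authenticates the initiator to the target (and, with mutual CHAP, the target to the initiator) when a session is established; it does not encrypt the iSCSI data path, which is why the page's earlier guidance about isolating storage traffic on its own network or VLAN still applies after CHAP is enabled.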

Evaluate the Use of IPSec

ESXi supports IPSec over IPv6. You cannot use IPSec over IPv4.

See Internet Protocol Security.

In addition, evaluate whether VMware NSX for vSphere is a good solution for securing the networking layer in your environment.