To best protect your environment, be aware of security risks that might exist when you use Auto Deploy with host profiles.
Secure your network as you would for any other PXE-based deployment method. vSphere Auto Deploy transfers data over SSL to prevent casual interference and snooping. However, the authenticity of the client or of the Auto Deploy server is not checked during a PXE boot.
You can greatly reduce the security risk of Auto Deploy by completely isolating the network where Auto Deploy is used.
Boot Image and Host Profile Security
The boot image that the vSphere Auto Deploy server downloads to a machine can have the following components.
The VIB packages that the image profile consists of are always included in the boot image.
The host profile and host customization are included in the boot image if Auto Deploy rules are set up to provision the host with a host profile or a host customization setting.
The administrator (root) password and user passwords that are included with host profile and host customization are MD5 encrypted.
Any other passwords associated with profiles are in the clear. If you set up Active Directory by using host profiles, the passwords are not protected.
Use the vSphere Authentication Service for setting up Active Directory to avoid exposing the Active Directory passwords. If you set up Active Directory using host profiles, the passwords are not protected.
The host's public and private SSL key and certificate are included in the boot image.