Adapting sound network isolation practices significantly bolsters network security in your vSphere environment.

Isolate the Management Network

The vSphere management network provides access to the vSphere management interface on each component. Services running on the management interface provide an opportunity for an attacker to gain privileged access to the systems. Remote attacks are likely to begin with gaining access to this network. If an attacker gains access to the management network, it provides the staging ground for further intrusion.

Strictly control access to management network by protecting it at the security level of the most secure virtual machine running on an ESXi host or cluster. No matter how the management network is restricted, administrators must have access to this network to configure the ESXi hosts and vCenter Server system.

Place the vSphere management port group in a dedicated VLAN on a common vSwitch. The vSwitch can be shared with production (virtual machine) traffic, as long as the vSphere management port group's VLAN is not used by production virtual machines. Check that the network segment is not routed, except possibly to networks where other management-related entities are found, for example, in conjunction with vSphere Replication. In particular, make sure that production virtual machine traffic cannot be routed to this network.

Enable access to management functionality in a strictly controlled manner by using one of the following approaches.

  • For especially sensitive environments, configure a controlled gateway or other controlled method to access the management network. For example, require that administrators connect to the management network through a VPN, and allow access only to trusted administrators.

  • Configure jump boxes that run management clients.

Isolate Storage Traffic

Ensure that IP-based storage traffic is isolated. IP-based storage includes iSCSI and NFS. Virtual machines might share virtual switches and VLANs with the IP-based storage configurations. This type of configuration might expose IP-based storage traffic to unauthorized virtual machine users.

IP-based storage frequently is not encrypted; anyone with access to this network can view it. To restrict unauthorized users from viewing the IP-based storage traffic, logically separate the IP-based storage network traffic from the production traffic. Configure the IP-based storage adapters on separate VLANs or network segments from the VMkernel management network to limit unauthorized users from viewing the traffic.

Isolate VMotion Traffic

VMotion migration information is transmitted in plain text. Anyone with access to the network over which this information flows can view it. Potential attackers can intercept vMotion traffic to obtain the memory contents of a virtual machine. They might also stage a MiTM attack in which the contents are modified during migration.

Separate VMotion traffic from production traffic on an isolated network. Set up the network to be nonroutable, that is, make sure that no layer-3 router is spanning this and other networks, to prevent outside access to the network.

The VMotion port group should be in a dedicated VLAN on a common vSwitch. The vSwitch can be shared with production (virtual machine) traffic, as long as the VMotion port group’s VLAN is not used by production virtual machines.