When you use vSphere Auto Deploy, pay careful attention to networking security, boot image security, and potential password exposure through host profiles to protect your environment.
Secure your network just as you secure the network for any other PXE-based deployment method. vSphere Auto Deploy transfers data over SSL to prevent casual interference and snooping. However, the authenticity of the client or of the Auto Deploy server is not checked during a PXE boot.
You can greatly reduce the security risk of Auto Deploy by completely isolating the network where Auto Deploy is used.
Boot Image and Host Profile Security
The boot image that the vSphere Auto Deploy server downloads to a machine can have the following components.
The VIB packages that the image profile consists of are always included in the boot image.
The host profile and host customization are included in the boot image if Auto Deploy rules are set up to provision the host with a host profile or host customization.
The administrator (root) password and user passwords that are included with host profile and host customization are hashed with SHA-512.
Any other passwords associated with profiles are in the clear. If you set up Active Directory by using host profiles, the passwords are not protected.
Use the vSphere Authentication Proxy to avoid exposing the Active Directory passwords. If you set up Active Directory using host profiles, the passwords are not protected.
The host's public and private SSL key and certificate are included in the boot image.