The virtual networking layer includes virtual network adapters, virtual switches, distributed virtual switches, and ports and port groups. ESXi relies on the virtual networking layer to support communications between VMs and their users. In addition, ESXi uses the virtual networking layer to communicate with iSCSI SANs, NAS storage, and so on.
vSphere includes the full array of features necessary for a secure networking infrastructure. You can secure each element of the infrastructure, such as virtual switches, distributed virtual switches, and virtual network adapters, separately. In addition, consider the following guidelines, discussed in more detail in Securing vSphere Networking.
- Isolate network traffic
- Isolation of network traffic is essential to a secure ESXi environment. Different networks require different access and level of isolation. A management network isolates client traffic, command-line interface (CLI) or API traffic, and third-party software traffic from normal traffic. Ensure that the management network is accessible only by system, network, and security administrators.
- Use firewalls to secure virtual network elements
- You can open and close firewall ports and secure each element in the virtual network separately. For ESXi hosts, firewall rules associate services with corresponding firewalls and can open and close the firewall according to the status of the service.
- Consider network security policies
- Network security policies provide protection of traffic against MAC address impersonation and unwanted port scanning. The security policy of a standard or distributed switch is implemented in Layer 2 (Data Link Layer) of the network protocol stack. The three elements of the security policy are promiscuous mode, MAC address changes, and forged transmits.
- Secure VM networking
-
The methods that you use to secure VM networking depend on several factors, including:
- The guest operating system that is installed
- Whether the VMs operate in a trusted environment
- Consider VLANs to protect your environment
- ESXi supports IEEE 802.1q VLANs. VLANs let you segment a physical network. You can use VLANs to further protect the VM network or storage configuration. When you use VLANS, two VMs on the same physical network cannot send packets to or receive packets from each other unless they are on the same VLAN.
- Secure connections to virtualized storage
- A VM stores operating system files, application files, and other data on a virtual disk. Each virtual disk appears to the VM as a SCSI drive that is connected to a SCSI controller. A VM is isolated from storage details and cannot access the information about the LUN where its virtual disk resides.
- Evaluate the use of IPSec
- ESXi supports IPSec over IPv6. You cannot use IPSec over IPv4.