The virtual networking layer includes virtual network adapters, virtual switches, distributed virtual switches, and ports and port groups. ESXi relies on the virtual networking layer to support communications between VMs and their users. In addition, ESXi uses the virtual networking layer to communicate with iSCSI SANs, NAS storage, and so on.
vSphere includes the full array of features necessary for a secure networking infrastructure. You can secure each element of the infrastructure, such as virtual switches, distributed virtual switches, and virtual network adapters, separately. In addition, consider the following guidelines, discussed in more detail in Securing vSphere Networking.
- Isolate network traffic
- Isolation of network traffic is essential to a secure ESXi environment. Different networks require different access and level of isolation. A management network isolates client traffic, command-line interface (CLI) or API traffic, and third-party software traffic from normal traffic. Ensure that the management network is accessible only by system, network, and security administrators.
- See ESXi Networking Security Recommendations.
- Use firewalls to secure virtual network elements
- You can open and close firewall ports and secure each element in the virtual network separately. For ESXi hosts, firewall rules associate services with corresponding firewalls and can open and close the firewall according to the status of the service. See ESXi Firewall Configuration.
- You can also open ports on vCenter Server instances explicitly. See Required Ports for vCenter Server and Additional vCenter Server TCP and UDP Ports.
- Consider network security policies
- Network security policies provide protection of traffic against MAC address impersonation and unwanted port scanning. The security policy of a standard or distributed switch is implemented in Layer 2 (Data Link Layer) of the network protocol stack. The three elements of the security policy are promiscuous mode, MAC address changes, and forged transmits.
- See the vSphere Networking documentation for instructions.
- Secure VM networking
The methods that you use to secure VM networking depend on several factors, including:
- The guest operating system that is installed
- Whether the VMs operate in a trusted environment
- See Securing vSphere Networking.
- Consider VLANs to protect your environment
- ESXi supports IEEE 802.1q VLANs. VLANs let you segment a physical network. You can use VLANs to further protect the VM network or storage configuration. When you use VLANS, two VMs on the same physical network cannot send packets to or receive packets from each other unless they are on the same VLAN.
- See Securing Virtual Machines with VLANs.
- Secure connections to virtualized storage
- A VM stores operating system files, application files, and other data on a virtual disk. Each virtual disk appears to the VM as a SCSI drive that is connected to a SCSI controller. A VM is isolated from storage details and cannot access the information about the LUN where its virtual disk resides.
- The Virtual Machine File System (VMFS) is a distributed file system and volume manager that presents virtual volumes to the ESXi host. You are responsible for securing the connection to storage. For example, if you are using iSCSI storage, you can set up your environment to use CHAP. If required by company policy, you can set up mutual CHAP. Use the vSphere Client or CLIs to set up CHAP.
- See Storage Security Best Practices.
- Evaluate the use of IPSec
- ESXi supports IPSec over IPv6. You cannot use IPSec over IPv4.
- See Internet Protocol Security.
In addition, evaluate whether VMware NSX for vSphere is a good solution for securing the networking layer in your environment.