The virtual networking layer includes virtual network adapters, virtual switches, distributed virtual switches, and ports and port groups. ESXi relies on the virtual networking layer to support communications between virtual machines and their users. In addition, ESXi uses the virtual networking layer to communicate with iSCSI SANs, NAS storage, and so on.

vSphere includes the full array of features necessary for a secure networking infrastructure. You can secure each element of the infrastructure, such as virtual switches, distributed virtual switches, and virtual network adapters, separately. In addition, consider the following guidelines, discussed in more detail in Securing vSphere Networking.

Isolate Network Traffic

Isolation of network traffic is essential to a secure ESxi environment. Different networks require different access and levels of isolation. A management network isolates client traffic, command-line interface (CLI) or API traffic, and third-party software traffic from normal traffic. Ensure that the management network is accessible only by system, network, and security administrators.

See ESXi Networking Security Recommendations.

Use Firewalls to Secure Virtual Network Elements

You can open and close firewall ports and secure each element in the virtual network separately. On ESXi hosts, firewall rules are associated with services: the rules for a service open and close according to the status of that service.

You can also open ports on vCenter Server instances explicitly.

For the list of all supported ports and protocols in VMware products, including vSphere and vSAN, see the VMware Ports and Protocols Tool™ at https://ports.vmware.com/. You can search ports by VMware product, create a customized list of ports, and print or save port lists.
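The following PowerCLI script is an added example and is not part of the vSphere documentation or VMware's own tooling. It lists the rule sets that are currently open on one ESXi host, flags rule sets that are open although their service is stopped, and then limits a rule set that must stay open to the management subnet instead of all addresses. The host name, the management subnet, and the choice of the SSH Server rule set are assumptions for illustration; the allowed-IP list is handled through Get-EsxCli -V2 because PowerCLI has no dedicated cmdlet for it.

```powershell
# Added example, not code from the vSphere documentation.
# Assumptions: a PowerCLI session already connected with Connect-VIServer;
# the host name and management subnet below are placeholders.
$hostName = 'esxi01.example.internal'   # placeholder host
$mgmtCidr = '10.10.0.0/24'              # placeholder management subnet
$vmhost   = Get-VMHost -Name $hostName

# 1. Which rule sets are open right now, and is the matching service running?
$openRules = Get-VMHostFirewallException -VMHost $vmhost -Enabled $true
$openRules |
    Select-Object Name, ServiceRunning, IncomingPorts, OutgoingPorts, Protocols |
    Format-Table -AutoSize

# 2. An enabled rule set whose service is stopped is an open port with nothing
#    listening behind it; report it so it can be closed deliberately.
$openRules | Where-Object { $_.ServiceRunning -eq $false } | ForEach-Object {
    Write-Warning ("Rule set '{0}' is enabled but its service is not running" -f $_.Name)
}

# 3. Restrict a rule set that must stay open to the management subnet instead of
#    'all IP addresses'. PowerCLI has no cmdlet for the allowed-IP list, so the
#    esxcli V2 interface is used; 'sshServer' is the esxcli id of the SSH Server rule set.
$esxcli = Get-EsxCli -VMHost $vmhost -V2
$esxcli.network.firewall.ruleset.set.Invoke(@{ rulesetid = 'sshServer'; allowedall = $false })
$esxcli.network.firewall.ruleset.allowedip.add.Invoke(@{ rulesetid = 'sshServer'; ipaddress = $mgmtCidr })

# 4. Confirm the result: only the management subnet should be listed.
$esxcli.network.firewall.ruleset.allowedip.list.Invoke(@{ rulesetid = 'sshServer' })
```

Run the report steps first on every host before enabling remediation; the allowed-IP change takes effect immediately, so the subnet you pass must include the address you administer the host from.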

Consider Network Security Policies

Network security policies provide protection of traffic against MAC address impersonation and unwanted port scanning. The security policy of a standard or distributed switch is implemented in Layer 2 (Data Link Layer) of the network protocol stack. The three elements of the security policy are promiscuous mode, MAC address changes, and forged transmits.

See the vSphere Networking documentation for instructions.

Secure Virtual Machine Networking

The methods that you use to secure virtual machine networking depend on several factors, including:
  • The guest operating system that is installed
  • Whether the virtual machines operate in a trusted environment

Virtual switches and distributed virtual switches provide significant protection when used with other common security practices, such as installing firewalls.

See Securing vSphere Networking.

Consider VLANs to Protect Your Environment

ESXi supports IEEE 802.1Q VLANs. VLANs let you segment a physical network. You can use VLANs to further protect the virtual machine network or storage configuration. When you use VLANs, two virtual machines on the same physical network cannot send packets to or receive packets from each other unless they are on the same VLAN.

See Securing Virtual Machines with VLANs.
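The PowerCLI script below is an added example, not part of the vSphere documentation or VMware's own tooling. It covers the two preceding points together: it audits the three Layer 2 security policy elements (promiscuous mode, MAC address changes, forged transmits) on every standard switch and port group of one host, and it flags port groups whose VLAN ID gives no segmentation (0, untagged) or passes every VLAN to the guest (4095, virtual guest tagging). The host name is a placeholder and the $remediate switch is this script's own convention; with $remediate set to $true the script sets the switch policy to Reject and removes Accept overrides on port groups.

```powershell
# Added example, not code from the vSphere documentation.
# Assumptions: a connected PowerCLI session; the host name is a placeholder and
# $remediate is this script's own switch ($false = report only).
$hostName  = 'esxi01.example.internal'   # placeholder host
$remediate = $false

$vmhost = Get-VMHost -Name $hostName

function Test-L2Accept {
    # Returns $true when any of the three policy elements is set to Accept.
    param($Policy)
    return ($Policy.AllowPromiscuous -or $Policy.MacChanges -or $Policy.ForgedTransmits)
}

foreach ($vs in Get-VirtualSwitch -VMHost $vmhost -Standard) {
    $vsPolicy = Get-SecurityPolicy -VirtualSwitch $vs
    if (Test-L2Accept $vsPolicy) {
        Write-Warning ("vSwitch {0}: Promiscuous={1} MacChanges={2} ForgedTransmits={3}" -f
            $vs.Name, $vsPolicy.AllowPromiscuous, $vsPolicy.MacChanges, $vsPolicy.ForgedTransmits)
        if ($remediate) {
            $vsPolicy | Set-SecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false
        }
    }

    foreach ($pg in Get-VirtualPortGroup -VirtualSwitch $vs) {
        $pgPolicy = Get-SecurityPolicy -VirtualPortGroup $pg
        # A port group can override the switch policy. Only a non-inherited Accept
        # is a separate finding; inherited values were already checked on the switch.
        $overridesToAccept = (
            (-not $pgPolicy.AllowPromiscuousInherited -and $pgPolicy.AllowPromiscuous) -or
            (-not $pgPolicy.MacChangesInherited      -and $pgPolicy.MacChanges) -or
            (-not $pgPolicy.ForgedTransmitsInherited -and $pgPolicy.ForgedTransmits)
        )
        if ($overridesToAccept) {
            Write-Warning ("Port group {0} overrides the switch policy with Accept" -f $pg.Name)
            if ($remediate) {
                # Drop the override so the hardened switch policy applies again.
                $pgPolicy | Set-SecurityPolicy -AllowPromiscuousInherited $true `
                    -MacChangesInherited $true -ForgedTransmitsInherited $true
            }
        }

        # VLAN check: 0 means frames leave the port group untagged (no 802.1Q
        # segmentation here); 4095 is virtual guest tagging, so every VLAN
        # trunked to the host reaches the guest.
        switch ($pg.VLanId) {
            0    { Write-Warning ("Port group {0} has no VLAN tag" -f $pg.Name) }
            4095 { Write-Warning ("Port group {0} uses VLAN 4095, all VLANs reach the guest" -f $pg.Name) }
        }
    }
}
```

Distributed switches expose the same three elements through Get-VDSecurityPolicy and Set-VDSecurityPolicy; the audit logic is identical, only the cmdlets change. The VLAN warnings are findings to review rather than errors: a port group on VLAN 0 or 4095 can be intentional, but each one should be a documented exception.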

Secure Connections to Virtualized Storage

A virtual machine stores operating system files, application files, and other data on a virtual disk. Each virtual disk appears to the virtual machine as a SCSI drive that is connected to a SCSI controller. A virtual machine is isolated from storage details and cannot access the information about the LUN where its virtual disk resides.

The Virtual Machine File System (VMFS) is a distributed file system and volume manager that presents virtual volumes to the ESXi host. You are responsible for securing the connection to storage. For example, if you are using iSCSI storage, you can set up your environment to use Challenge Handshake Authentication Protocol (CHAP). If required by company policy, you can set up mutual CHAP. Use the vSphere Client or CLIs to set up CHAP.

See Storage Security Best Practices.
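The following PowerCLI script is an added example and is not part of the vSphere documentation or VMware's own tooling. It configures mutual CHAP on the software iSCSI adapter of one host, which is the CLI route the paragraph above mentions. The host name and both CHAP names are placeholders; the secrets are read interactively so they do not end up in the script file or the shell history.

```powershell
# Added example, not code from the vSphere documentation.
# Assumptions: a connected PowerCLI session; host name and CHAP names are
# placeholders; secrets are entered at the prompt rather than stored in the script.
$hostName     = 'esxi01.example.internal'   # placeholder host
$initiatorCn  = 'esxi01-initiator'          # placeholder CHAP name the host presents
$targetCn     = 'storage-array-target'      # placeholder CHAP name the target presents

$vmhost = Get-VMHost -Name $hostName
$hba    = Get-VMHostHba -VMHost $vmhost -Type IScsi |
          Where-Object { $_.Model -like '*Software*' }   # the software iSCSI adapter
if (-not $hba) { throw "No software iSCSI adapter found on $hostName" }

function ConvertFrom-Secret {
    # Converts a SecureString to the plain string the cmdlet expects, as late as possible.
    param([securestring]$Secret)
    return [System.Net.NetworkCredential]::new('', $Secret).Password
}
$outbound = Read-Host -Prompt 'CHAP secret (host proves itself to the target)' -AsSecureString
$inbound  = Read-Host -Prompt 'Mutual CHAP secret (target proves itself to the host)' -AsSecureString

# ChapType Required: the target must authenticate the host (one-way CHAP).
# MutualChapEnabled adds the second direction, so the host also verifies the target.
Set-VMHostHba -IScsiHba $hba `
    -ChapType Required `
    -ChapName $initiatorCn `
    -ChapPassword (ConvertFrom-Secret $outbound) `
    -MutualChapEnabled $true `
    -MutualChapName $targetCn `
    -MutualChapPassword (ConvertFrom-Secret $inbound)

# Verify what the adapter now reports, then rescan so sessions re-authenticate.
Get-VMHostHba -VMHost $vmhost -Type IScsi |
    Select-Object Device, ChapType, ChapName, MutualChapEnabled, MutualChapName
Get-VMHostStorage -VMHost $vmhost -RescanAllHba | Out-Null
```

The same names and secrets must be configured on the storage target, with the directions swapped, or the rescan will fail to log in. CHAP authenticates session setup only; it does not encrypt the iSCSI data path, so it complements rather than replaces the isolated storage network described earlier.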

Evaluate the Use of Internet Protocol Security

ESXi supports Internet Protocol Security (IPSec) over IPv6. You cannot use IPSec over IPv4.

See Using Internet Protocol Security on ESXi Hosts.