Securing vSphere networking is an essential part of protecting your environment. You secure different vSphere components in different ways. See the vSphere Networking documentation for detailed information about networking in the vSphere environment.
Network security in the vSphere environment shares many characteristics of securing a physical network environment, but also includes some characteristics that apply only to virtual machines.
Using Firewalls
Add firewall protection to your virtual network by installing and configuring host-based firewalls on some or all its virtual machines.
For efficiency, you can set up private virtual machine Ethernet networks or virtual networks. With virtual networks, you install a host-based firewall on a virtual machine at the head of the virtual network. This firewall serves as a protective buffer between the physical network adapter and the remaining virtual machines in the virtual network.
Host-based firewalls can slow performance. Balance your security needs against performance goals before you install host-based firewalls on virtual machines elsewhere in the virtual network.
Using Network Segmentation
Keep different virtual machine zones within a host on different network segments. If you isolate each virtual machine zone on its own network segment, you minimize the risk of data leakage from one zone to the next. Segmentation prevents various threats, including Address Resolution Protocol (ARP) spoofing. With ARP spoofing, an attacker manipulates the ARP table to remap MAC and IP addresses, and gains access to network traffic to and from a host. Attackers use ARP spoofing to generate man in the middle (MITM) attacks, perform denial of service (DoS) attacks, hijack the target system, and otherwise disrupt the virtual network.
Planning segmentation carefully lowers the chances of packet transmissions between virtual machine zones. Segmentation therefore prevents sniffing attacks that require sending network traffic to the victim. Also, an attacker cannot use a nonsecure service in one virtual machine zone to access other virtual machine zones in the host. You can implement segmentation by using one of two approaches.
- Use separate physical network adapters for virtual machine zones to ensure that the zones are isolated. Maintaining separate physical network adapters for virtual machine zones is probably the most secure method. After the initial segment creation. This approach is less prone to misconfiguration.
- Set up virtual local area networks (VLANs) to help safeguard your network. VLANs provide almost all the security benefits inherent in implementing physically separate networks without the hardware overhead. VLANs can save you the cost of deploying and maintaining additional devices, cabling, and so on. See Securing Virtual Machines with VLANs.
Preventing Unauthorized Access to Virtual Machines
- If a virtual machine network is connected to a physical network, it can be subject to breaches like a network that consists of physical machines.
- Even if you do not connect a virtual machine to the physical network, the virtual machine can be attacked by other virtual machines.
Virtual machines are isolated from each other. One virtual machine cannot read or write another virtual machine's memory, access its data, use its applications, and so forth. However, within the network, any virtual machine or group of virtual machines can still be the target of unauthorized access from other virtual machines. Protect your virtual machines from such unauthorized access.
For additional information about protecting virtual machines, see the NIST document titled "Secure Virtual Network Configuration for Virtual Machine (VM) Protection" at:
