VMware vSphere: Network Security Considerations

Which networks should be isolated for security reasons?

Network security in the vSphere environment shares many characteristics with securing a physical network environment.
Isolation of network traffic is essential to a secure vSphere environment. Isolation prevents snooping.

Isolate networks for specific applications or functions:
• Virtual SAN
• Management

Network segmentation can be implemented by using separate physical network adapters or by setting up VLANs.
Maintaining separate physical network adapters for isolating traffic is probably the most secure method and is less prone to misconfiguration after the initial segment creation. However, VLANs provide almost all the security benefits inherent in implementing physically separate networks without the hardware overhead. As a result, VLANs offer a viable solution that can save you the cost of deploying and maintaining additional devices, cabling, and so forth.

Ensure that IP-based storage traffic is isolated. IP-based storage includes iSCSI and NFS. IP-based storage is frequently not encrypted, so anyone with access to this network can view the traffic. VMs might share virtual switches and VLANs with the IP-based storage configurations. This type of configuration might expose IP-based storage traffic to unauthorized VM users.
Configure the IP-based storage adapters on separate VLANs or network segments from the production traffic and management network to limit unauthorized users from viewing the traffic.
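
The isolation check described above, as an added example (not from the source manual): a Python audit over a constructed inventory that flags VM port groups sharing a virtual switch and VLAN with a storage, Virtual SAN, or management VMkernel adapter. The adapter and port group names are made up, and the VLAN 4095 case (a standard-switch port group that passes every VLAN to the guest) goes beyond what the text covers.

```python
# Added example: inventory values below are constructed, not from a real host.
VGT_ALL_VLANS = 4095  # on a standard vSwitch this ID hands every VLAN to the guest

# VMkernel adapters carrying traffic the page says to isolate.
VMKERNEL_ADAPTERS = [
    {"name": "vmk0", "role": "management", "vswitch": "vSwitch0", "vlan": 10},
    {"name": "vmk1", "role": "iSCSI", "vswitch": "vSwitch1", "vlan": 20},
    {"name": "vmk2", "role": "NFS", "vswitch": "vSwitch1", "vlan": 30},
    {"name": "vmk3", "role": "vSAN", "vswitch": "vSwitch2", "vlan": 40},
]

# Port groups that virtual machines attach to.
VM_PORT_GROUPS = [
    {"name": "Prod-Web", "vswitch": "vSwitch3", "vlan": 100},
    {"name": "Prod-DB", "vswitch": "vSwitch1", "vlan": 20},
    {"name": "Test", "vswitch": "vSwitch1", "vlan": 0},
    {"name": "Trunk-Appliance", "vswitch": "vSwitch1", "vlan": VGT_ALL_VLANS},
]


def exposure_reason(port_group, vmk):
    """Return why VMs on port_group can reach vmk's segment, or None."""
    if port_group["vswitch"] != vmk["vswitch"]:
        return None  # no shared virtual switch: isolated at this layer
    if port_group["vlan"] == VGT_ALL_VLANS:
        return "port group passes all VLANs to the guest"
    if port_group["vlan"] == vmk["vlan"]:
        return "same vSwitch and VLAN"
    return None


def audit(vmkernel_adapters, vm_port_groups):
    """List (port group, vmk, role, reason) for every shared segment."""
    findings = []
    for pg in vm_port_groups:
        for vmk in vmkernel_adapters:
            reason = exposure_reason(pg, vmk)
            if reason:
                findings.append((pg["name"], vmk["name"], vmk["role"], reason))
    return findings


if __name__ == "__main__":
    for pg, vmk, role, reason in audit(VMKERNEL_ADAPTERS, VM_PORT_GROUPS):
        print(f"{pg}: exposed to {role} traffic on {vmk} ({reason})")
```

The audit treats a segment as a (virtual switch, VLAN) pair; the same VLAN ID reused on another virtual switch that uplinks to the same physical network is not modelled here.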


How should virtual machine networking be secured?
VM network security is built into the infrastructure:
• A VM is isolated from other VMs if it does not share the same virtual switch.
• A VM is isolated from physical networks if no physical network adapter is configured for a virtual switch.

VM network security can be enhanced in several ways:
• Keeping different VM trust zones within a host on different network segments:
— Lowers the chances of packet transmissions between VM zones
— Prevents sniffing attacks that require sending network traffic to the victim
• Adding firewall protection to the virtual network

The network can be one of the most vulnerable parts of any system. The virtual machine network requires as much protection as its physical counterpart. If the same safeguards, such as firewalls or antivirus, are used to protect a VM, the VM is as secure as a physical machine.


A trust zone is loosely defined as a network segment within which data flows relatively freely. Data flowing in and out of the trust zone is subject to stronger restrictions. If VM trust zones on their own network segments are isolated, the risks of data leakage from one VM zone to the next are minimized. Segmentation prevents various threats, including Address Resolution Protocol (ARP) spoofing.

With ARP spoofing, an attacker manipulates the ARP table to remap MAC and IP addresses. This remapping allows access to network traffic to and from a host. Attackers use ARP spoofing to generate man-in-the-middle (MITM) attacks and denial of service (DoS) attacks, hijack the target system, and disrupt the virtual network.


Source: "VMware vSphere: Design, Lecture Manual, ESXi 7 and vCenter Server 7"
Author: Ali YAZICI
