Virtual Network Security Considerations

The virtual networking layer includes virtual network adapters and virtual switches. ESXi relies on the virtual networking layer to support communications between virtual machines and their users, as well as for IP storage and other management traffic such as vSphere vMotion.

In terms of communication, virtual machines access the network in the same way as a physical host does, except that they use the virtualized NICs and switches on the ESXi host. To provide external access, virtual switches are assigned physical uplinks on the ESXi host that are connected to the appropriate networks.

The following characteristics apply to isolation in a virtualized network context:

If a virtual machine does not share a virtual switch with any other virtual machine, it is completely isolated from the other virtual machines on the host, except through externally accessible means (for example, the physical network behind the switch uplink).

If no physical network adapter is configured for a virtual switch, virtual machines on the host are completely isolated from any physical networks, but can still talk to one another.

If the same safeguards that would be applied to a physical machine, such as firewalls or antivirus, are used to protect a virtual machine, the virtual machine is as secure as a physical machine.

In addition to the built-in network security above, the methods used to secure a virtual machine network depend on a variety of factors. Some of these factors include:

The guest operating system that is installed.

Whether the virtual machines operate in a trusted environment.

The characteristics of the physical network. For example, ESXi supports IEEE 802.1q VLANs, which can be used to further protect the virtual machine network or storage configuration. If the physical switch does not support VLANs, then they cannot be used.

The network can be one of the most vulnerable parts of any system. The virtual machine network requires as much protection as its physical counterpart. Virtual machine network security can be enhanced in several ways:

Adding firewall protection to the virtual network by installing and configuring host-based firewalls on some or all of its virtual machines. Because host-based firewalls can slow performance, however, security needs must be balanced against performance before deciding to install host-based firewalls on virtual machines throughout the virtual network.

Keeping different virtual machine zones within a host on different network segments. If virtual machine zones are isolated on their own network segments, the risk of data leakage from one zone to the next is minimized. Segmentation prevents various threats, including Address Resolution Protocol (ARP) spoofing, in which an attacker manipulates ARP tables to remap MAC and IP addresses and thereby gain access to network traffic to and from a host. Attackers use ARP spoofing to mount man-in-the-middle attacks and DoS attacks, hijack the target system, and otherwise disrupt the virtual network.

Planning segmentation carefully lowers the chances of packets being transmitted between virtual machine zones, thereby preventing sniffing attacks, which depend on traffic sent to a potential victim passing through a segment the attacker can observe. Segmentation can be implemented using either of two approaches, each of which has different benefits:

Use separate physical network adapters for virtual machine zones, so that the zones are isolated. Maintaining separate physical network adapters for virtual machine zones is probably the most secure method and is less prone to misconfiguration after the initial segments are created.

Set up VLANs to help safeguard the network. VLANs provide almost all of the security benefits inherent in implementing physically separate networks, without the hardware overhead.

Network Firewalls and vCenter Server

Firewalls provide basic protection for the network. It is typical to protect vCenter Server with a firewall so that it exposes only a limited attack surface. This is most commonly accomplished by placing vCenter Server on the same management network as the ESXi hosts and configuring a firewall between vCenter Server and the clients as the entry point to the system.

During normal operation, vCenter Server listens for data from its managed hosts and clients on designated ports. vCenter Server also assumes that its managed hosts listen for data from vCenter Server on designated ports. If a firewall is present between any of these elements, confirm that the firewall has the required ports open to support the data transfer.

Firewalls might also be placed at a variety of other access points in the network, depending on how the network will be used and the level of security the various devices require. Select the locations for firewalls based on the security risks that have been identified for the network configuration. The following is a list of firewall locations common to ESXi implementations:

Between the clients and vCenter Server.

Between the clients and the ESXi hosts, if the vSphere Client is used to connect to the hosts directly.

Between ESXi hosts. If firewalls are placed between ESXi hosts and there is a plan to migrate virtual machines between the servers, perform cloning, or use vSphere vMotion, ports must also be opened in any firewall that divides the source host from the target hosts so that the source and targets can communicate.

Between the ESXi hosts and network storage such as NFS or iSCSI storage. These ports are not specific to VMware and can be configured according to the specifications of the network.

Whatever configuration is chosen, each firewall that is added increases the complexity of administering the networking elements. It is often better to secure the network by other means, such as VLANs, than with an overcomplicated firewall configuration.

Securing Virtual Machines with VLANs

VLANs are an IEEE standard networking scheme (IEEE 802.1Q) with specific tagging methods that allow packets to be forwarded only to those ports that are part of the VLAN. When properly configured, VLANs provide a dependable means of protecting a set of virtual machines from accidental or malicious intrusions.

VLANs allow a physical network to be segmented so that two machines on the network are unable to transmit packets back and forth unless they are part of the same VLAN. For example, accounting records and transactions are among a company's most sensitive internal information. In a company whose sales, shipping, and accounting employees all use virtual machines on the same physical network, the virtual machines for the accounting department can be protected by setting up VLANs.
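The VLAN approach to segmentation described above (both in the segmentation section and in the accounting example), as an added PowerCLI example that is not part of the original page. The vCenter and host names, the switch name, the VLAN ID and the VM name pattern are assumptions for illustration; the VLAN ID must also be trunked to the host uplink on the physical switch, or tagged frames are dropped.

```powershell
# Added example (not from the original page): place the accounting VMs on
# their own VLAN-backed port group on a standard switch, then verify.
# All names and the VLAN ID below are assumed values.
Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server 'vcenter.example.internal'   # placeholder vCenter

$esx     = Get-VMHost -Name 'esx01.example.internal'   # assumed host
$vSwitch = Get-VirtualSwitch -VMHost $esx -Name 'vSwitch1'
$vlanId  = 100                                         # assumed accounting VLAN
$pgName  = 'Accounting-VLAN100'

# Create the port group only if it does not already exist.
$pg = Get-VirtualPortGroup -VirtualSwitch $vSwitch -Name $pgName -ErrorAction SilentlyContinue
if (-not $pg) {
    $pg = New-VirtualPortGroup -VirtualSwitch $vSwitch -Name $pgName -VLanId $vlanId
}

# Move every network adapter of the accounting VMs onto the tagged port group.
Get-VM -Name 'acct-*' | Get-NetworkAdapter |
    Set-NetworkAdapter -NetworkName $pgName -Confirm:$false

# Verification: list each port group on the host with its VLAN ID. VLAN 0
# means untagged (native VLAN) and 4095 passes all tags through to the guest
# (virtual guest tagging); neither should carry the accounting VMs.
Get-VirtualPortGroup -VMHost $esx |
    Select-Object Name, VLanId, VirtualSwitchName |
    Sort-Object VLanId
```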

Securing Virtual Switch Ports

Virtual switches act in the same way as physical switches in regard to the types of traffic that can be passed. As a result, both standard switches and the vSphere Distributed Switch have security policies that can be configured to restrict types of traffic and traffic flows.

The following policies are available and should be considered:

Promiscuous mode – Whether a guest may install and use an adapter in promiscuous mode to see all traffic passed on the virtual switch.

MAC address changes – Whether to accept or reject MAC address changes made to a virtual adapter from within the guest OS of a VM.

Forged transmits – Whether to reject outbound frames whose source MAC address differs from the MAC address assigned to the virtual adapter.

Ingress traffic shaping – Control or limit inbound traffic flow. Available only on the vSphere Distributed Switch.

Egress traffic shaping – Control or limit outgoing traffic flow.

VLANs – Allow traffic to be segmented into separate broadcast domains, for isolation or security.

QoS – Allow priority to be set for types of traffic. Available only on the vSphere Distributed Switch.

Each of these policies can help to further secure the network configuration.
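The three switch security policies listed above (promiscuous mode, MAC address changes, forged transmits), audited and hardened with PowerCLI, as an added example that is not part of the original page. The vCenter name is a placeholder; the cmdlets are the standard VMware.VimAutomation.Core and .Vds ones.

```powershell
# Added example (not from the original page): report any standard port group
# that accepts promiscuous mode, MAC changes or forged transmits, then set
# all three to Reject on standard and distributed switches.
Import-Module VMware.VimAutomation.Core
Import-Module VMware.VimAutomation.Vds
Connect-VIServer -Server 'vcenter.example.internal'   # placeholder vCenter

# 1. Audit. Port-group settings override the switch setting, so a hardened
#    switch can still carry a permissive port group; check the effective
#    policy per port group rather than per switch.
$findings = foreach ($esx in Get-VMHost) {
    foreach ($pg in Get-VirtualPortGroup -VMHost $esx -Standard) {
        $pol = Get-SecurityPolicy -VirtualPortGroup $pg
        if ($pol.AllowPromiscuous -or $pol.MacChanges -or $pol.ForgedTransmits) {
            [pscustomobject]@{
                Host             = $esx.Name
                PortGroup        = $pg.Name
                AllowPromiscuous = $pol.AllowPromiscuous
                MacChanges       = $pol.MacChanges
                ForgedTransmits  = $pol.ForgedTransmits
            }
        }
    }
}
$findings | Format-Table -AutoSize

# 2. Harden standard switches: reject all three at the switch level, then
#    make every port group inherit, so a later per-port-group override
#    shows up as drift in the audit above. Any port group that genuinely
#    needs an exception should be re-enabled explicitly and documented.
Get-VMHost | Get-VirtualSwitch -Standard | Get-SecurityPolicy |
    Set-SecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false
Get-VMHost | Get-VirtualPortGroup -Standard | Get-SecurityPolicy |
    Set-SecurityPolicy -AllowPromiscuousInherited $true -MacChangesInherited $true `
                       -ForgedTransmitsInherited $true

# 3. Distributed switches: the same three settings, applied per distributed
#    port group (uplink port groups are skipped).
Get-VDSwitch | Get-VDPortgroup | Where-Object { -not $_.IsUplink } |
    Get-VDSecurityPolicy |
    Set-VDSecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false
```

Run step 1 on its own first; an empty table means every standard port group already rejects all three.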
