here are many aspects to security in the enterprise. Security has been described as “layers of an onion” for good reason. It often takes multiple layers of security to be effective. You don’t want all of your security features and functionality to reside at a single layer as this would mean compromise of that layer would mean a total security breach.
Most organizations today are utilizing virtualization to run production workloads. Virtualization requires proper designing and engineering at multiple layers from a security standpoint. In the case of VMware virtualization using vSphere, there are multiple layers that need to be considered to ensure an effective security posture.
In this post, we will take a look at the Virtual Networking Layer and see what can be done to secure virtual environments at this layer.
Let’s take a look at securing VMware vSphere networking layer and see how this can be done effectively.
What is the Virtual Networking Layer?
The VMware vSphere Virtual Networking Layer contains the virtual network adapters, virtual switches or vSwitches, distributed virtual switches or DVS, ports, and port groups. vSphere ESXi uses this virtual networking layer to enable communication from the virtual layer to the physical network layer all the way up the OSI stack to the end user and their applications. Additionally, the virtual networking layer allows communication with storage devices such as iSCSI SANs, NAS storage, and so forth.
The ESXi hypervisor includes extremely secure virtual networking capabilities that allow very secure network communication when configured correctly. Also, it allows for granular controls of each element of the virtual networking layer of the components listed above.
Aside from the secure nature of the ESXi hypervisor and the virtual networking layer constructs that enable secure virtual network communication, there are other best practices that allow for securing the vSphere networking layer.
vSphere Virtual Networking Layer Security Best Practices
There are many best practices in regards to securing VMware vSphere Networking and the various components therein.
Let’s take a look at the following configurations and best practices that can help to secure the virtual network layer in a VMware vSphere environment.
- Isolating network traffic
- Use firewalls to secure virtual network elements
- Consider network security policies
- Secure VM networking
- Use VLANs to protect virtual networks
- Secure network communication with virtual storage
- Use IPSec when possible
We will look at each of the above security mechanisms a bit closer to see how they can help with securing VMware vSphere virtual networking for production workloads.
Isolate Network Traffic
On any network, there are generally different kinds of traffic that are traversing that network. Isolating network traffic based on the type of traffic is a great general guideline to creating good security boundaries on a network. Generally, this is accomplished by using VLANs and different subnets for various kinds of traffic.
In the virtual environment, this guideline holds true as well. In any VMware vSphere environment, there are many different kinds of traffic that are needed for proper communication with the compute, storage, and networks of the configuration. Typically, you have management, storage, vMotion, and VM network traffic in a general vSphere installation. Additionally, in the VM network traffic realm, there may be many different kinds of workloads that need to be isolated from one another using different network segments, virtual switches, VLANs, subnets, etc.
Use Firewalls to Secure Virtual Network Elements
One of the common means of securing networks is using firewalls for filtering traffic. Firewalls can be used across the VMware vSphere environment. Firewalls can be used to filter VM network traffic. Also, the ESXi host itself has built-in firewall capabilities that allow allowing or disallowing communication to certain ports, IP addresses, etc. VMware vCenter Server also has the capabilities to allow communication via firewall mechanisms. All of these capabilities allow securing network traffic across the virtual networking layers.
Consider Network Security Policies
The built-in VMware vSphere virtual switches including the Standard vSwitch and the Distributed vSwitch have the ability to protect traffic against such malicious activities as unwanted port scanning, MAC address impersonation, and others. The security policy as implemented at the virtual switch layer is a Layer 2 construct that has three components: promiscuous mode, MAC address changes, and forged transmits.
Secure VM Networking
When thinking about the virtual machine running in a VMware vSphere environment, there are many features that can be used to secure virtual networking traffic. These include many of the capabilities we have already mentioned at the virtual switch layer. Additionally, the guest operating system of a virtual machine can also be used to filter traffic using the built-in firewall and other security features such as Windows Firewall which can block or allow certain types of traffic. Used in conjunction with the default VMware vSphere security mechanisms, these can add to a powerful overall security stance for guest operating systems running on top of vSphere.
Use VLANs to Protect Virtual Networks
The VLAN construct in networking is defined by the 802.1q IEEE standard that serves to segment physical networks into different broadcast domains. The VLAN tag is added to the packet header and only allows communication between VMs that have the same VLAN tag. So, two different VMs can be isolated from one another by using different VLANs for each. This provides an effective way to segment and isolated various kinds of traffic. The VMware vSphere virtual networking stack is fully 802.1q aware so you can make use of VLANs all along the way. This can be done at the physical switch port, virtual switch port, or VLAN guest tagging.
Secure Virtual Storage Network Traffic
Virtual storage is where your actual data resides with virtual machines running inside of VMware vSphere. This is performed by the VMFS file system that resides on top of your LUNs. If virtual storage is compromised by an attacker, they have access to the heart of your infrastructure – your data. By using different techniques such as isolating storage traffic on separate physical and logical networks as well as using CHAP authentication in iSCSI environments, storage networks can be effectively secured.
Use IPSec when Possible
IPSec is Internet Protocol Security and is a network security mechanism that authenticates and encrypts packets of data sent over an IP network. IPSec may not be feasible or even possible in certain network segments, however, its use should be considered to provide the most secure communication possible when security is a must. Used in conjunction with all the other mechanisms and technologies listed, it can help ensure network communication is as secure as possible.
Securing the VMware vSphere Networking Layer is an essential part of VMware vSphere administration. Today’s networks and infrastructure hold security as a top priority in operational objectives. VMware vSphere has many default mechanisms built in that allow for effective security. The various security layers can be implemented throughout the VMware vSphere environment by using different technologies inside the virtual networking layer as implemented in vSphere. All the way from vCenter Server, ESXi, virtual switches, and down to the guest operating system running inside a VM, security can be effectively implemented. By using various constructs such as VLANs, CHAP, and IPSec, organizations can implement extremely secure environments that will satisfy most if not all compliance and auditory requirements.