Secure Design
Best Practice: Isolate the management network
1. Isolate the Service Console in VMware ESX using one of two methods:
- Create a separate VLAN for management tool communication with the service console
- Configure network access for management tool connections with the service console through a single virtual switch and one or more uplink ports
Both methods keep Service Console traffic off the networks that virtual machines and ordinary users can see, so an attacker on a virtual machine network can neither observe that traffic nor send packets to the Service Console. Neither method protects against an attacker who already has a foothold on the management segment itself, which is why administrative access to that segment must be tightly controlled.
2. Alternatively, place the service console on its own physical network segment. Physical segmentation adds a degree of assurance because, unlike a VLAN assignment, it cannot be undone by a later configuration mistake.
Best Practice: Use a dedicated, isolated network for VMware VMotion and iSCSI
1. VMotion traffic is not encrypted: the memory contents of a migrating virtual machine cross the wire in the clear. It is therefore critical that this network be isolated from any other use. If you need VMotion traffic encrypted, your option is hardware-based SSL encryption on the network path.
2. Encryption is not available for iSCSI disk I/O either, so you must keep this network under equally strict control.
Best Practice: Plan for virtual machine mobility
1. Virtual machines are highly mobile, and it is important to facilitate the movement of virtual machines without sacrificing security. In general, there are three options available to you:
- Partition trust zones
- Combine trust zones using virtual network segmentation and best practices for virtual network management
- Combine trust zones using portable virtual machine protection with third-party tools
Secure Deployment
Best Practice: Harden your virtual infrastructure
1. The VMware white paper, "Security Hardening in VMware Infrastructure 3" provides in-depth guidance to help you ensure strong security as you implement your virtual infrastructure.
Best Practice: Equip virtual machines with the same measures you use for physical servers
1. Be sure to install adequate defenses on each virtual machine in your infrastructure, including anti-virus software, host-based intrusion detection/prevention and the latest security patches.
2. Use virtual machine templates, cloning mechanisms and automated patch management to enforce conformity of virtual machine configurations to mandated standards.
Secure Operations
Best Practice: Strictly control administrative access
1. Favor controlled management interfaces (VI Client, Web Access) over unstructured interfaces (Service Console).
2. Prohibit access to the VI Console except when absolutely necessary. The VI Console exposes power-management and removable-device controls that a malicious user could use to power off a virtual machine or attach media to it. The most secure approach is to interact with virtual machines through their native remote management services, such as terminal services and SSH.
3. Use role-based access control to limit administrative capabilities and enforce separation of duties, and never use anonymous or shared accounts.
4. Allow powerful access only to a small, privileged group, and implement a "break-glass" policy for top-level administrative accounts so that their use is exceptional and audited.
Secure Networking
Best Practice: Restrict access to privileged networks
1. Closely restrict administrative access on any host that is attached to a privileged network.
2. For less privileged users, allow only template-based provisioning on those hosts, so they cannot attach virtual machines to networks the template does not already specify.
Best Practice: Guard against misconfiguration
1. Clearly label sensitive virtual networks. Labeling every virtual network may seem tedious, but it prevents the confusion that leads to a virtual machine being attached to the wrong network and to the security compromises that follow.
2. Generate audit reports that flag suspicious configurations.
3. Routinely inspect event and task logs.
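The following script, added here as an example and not part of VMware's own guidance or tooling, turns the isolation rules on this page (the two Service Console methods, the dedicated VMotion and iSCSI networks, and the audit reports of "Guard against misconfiguration") into a check that runs on captured `esxcfg-vswitch -l` output. The role-by-name table, the sample switch listing and the finding format are assumptions; the sample is constructed so that it contains one violation of each rule.

```python
"""Audit an ESX host's virtual switches for the isolation rules above.

Input is the text printed by `esxcfg-vswitch -l` on an ESX 3.x service console
(capture it with `esxcfg-vswitch -l > vswitch.txt`). Nothing here touches the
host, so the audit can run on any workstation.
"""
import re
import sys

# A port group gets a role from a case-insensitive substring of its name.
# Assumption: adapt this table to the naming scheme used on your hosts.
SENSITIVE_ROLES = {"service console": "Service Console",
                   "vmotion": "VMotion",
                   "iscsi": "iSCSI"}

# Roles that must sit on their own vSwitch, not merely on their own VLAN.
DEDICATED_SWITCH_ROLES = {"VMotion", "iSCSI"}

# Constructed sample in the layout of `esxcfg-vswitch -l`; it deliberately
# contains one violation of each rule checked below.
SAMPLE_OUTPUT = """\
Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch0       32          5           32                1500    vmnic0

  PortGroup Name      VLAN ID  Used Ports  Uplinks
  VM Network          0        2           vmnic0
  Service Console     0        1           vmnic0

Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch1       64          4           64                1500    vmnic1,vmnic2

  PortGroup Name      VLAN ID  Used Ports  Uplinks
  VMotion             20       1           vmnic1,vmnic2
  DMZ Web             0        2           vmnic1,vmnic2

Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch2       32          2           32                1500    vmnic3

  PortGroup Name      VLAN ID  Used Ports  Uplinks
  iSCSI               40       1           vmnic3
"""


def role_of(portgroup_name):
    """Return the sensitive role of a port group, or None for ordinary ones."""
    lowered = portgroup_name.lower()
    for needle, role in SENSITIVE_ROLES.items():
        if needle in lowered:
            return role
    return None


def parse_vswitch_list(text):
    """Parse `esxcfg-vswitch -l` text into {switch: {"uplinks", "portgroups"}}.

    Switch rows are flush-left and port-group rows are indented; columns are
    separated by two or more spaces, so names such as "VM Network" survive.
    """
    switches, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if not stripped or stripped.startswith(("Switch Name", "PortGroup Name")):
            continue  # blank line or column header
        fields = re.split(r"\s{2,}", stripped)
        if line == stripped:  # no indent: a vSwitch row
            last = fields[-1] if len(fields) > 1 else ""
            uplinks = "" if last.isdigit() else last  # empty Uplinks column
            current = fields[0]
            switches[current] = {"uplinks": [u for u in uplinks.split(",") if u],
                                 "portgroups": []}
        elif current and len(fields) >= 2 and fields[1].isdigit():
            switches[current]["portgroups"].append((fields[0], int(fields[1])))
    return switches


def audit(switches):
    """Return one finding string per rule violation, FAILs before WARNs."""
    findings = []
    for sw, info in switches.items():
        pgs = info["portgroups"]
        for name, vlan in pgs:
            role = role_of(name)
            if role is None:
                continue
            others = [(n, v) for n, v in pgs if n != name]
            same_vlan = [n for n, v in others if v == vlan]
            if same_vlan:  # neither a separate VLAN nor a separate vSwitch
                findings.append(f"FAIL {sw}: {role} port group '{name}' shares "
                                f"VLAN {vlan} with {', '.join(same_vlan)}")
            if role in DEDICATED_SWITCH_ROLES and others:
                findings.append(f"FAIL {sw}: {role} port group '{name}' is not on a "
                                f"dedicated vSwitch (also carries "
                                f"{', '.join(n for n, _ in others)})")
    # The same VLAN number on another vSwitch is separate only if the physical
    # network keeps it so; surface it for a manual check rather than trusting it.
    by_vlan = {}
    for sw, info in switches.items():
        for name, vlan in info["portgroups"]:
            by_vlan.setdefault(vlan, []).append((sw, name))
    for vlan, users in sorted(by_vlan.items()):
        for sw, name in users:
            elsewhere = [f"{s}/{n}" for s, n in users if s != sw]
            if role_of(name) and elsewhere:
                findings.append(f"WARN {sw}: {role_of(name)} port group '{name}' uses "
                                f"VLAN {vlan}, which is also used on "
                                f"{', '.join(elsewhere)}; confirm physical separation")
    return findings


def has_failures(findings):
    return any(f.startswith("FAIL") for f in findings)


if __name__ == "__main__":
    # Usage: python vswitch_audit.py vswitch.txt   (no argument: run the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    results = audit(parse_vswitch_list(text))
    print("\n".join(results) or "OK: no isolation problems found")
    sys.exit(1 if has_failures(results) else 0)
```

On the sample, vSwitch0 fails because the Service Console shares untagged VLAN 0 with a virtual machine port group (neither of the two isolation methods is in effect), vSwitch1 fails because VMotion shares its vSwitch with a virtual machine port group even though the VLANs differ, and vSwitch2 passes. The WARN for VLAN 0 appearing on two vSwitches is the physical-segmentation caveat from the Secure Design section: the listing alone cannot tell you whether two untagged uplinks land in the same upstream broadcast domain. Run the script from a scheduled job against each host's captured listing and treat a non-zero exit as a misconfiguration to investigate.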
Take the Next Step
Visit the VMware Security Center to stay up-to-date on all current security issues or visit the VMware Virtual Appliance Marketplace to find certified virtual security appliances.
