Architecting a vSphere Compute Platform : Designing Host Security for Multitenanted Clouds : 10.1 Hypervisor Secure Communication
   
10.1 Hypervisor Secure Communication
Several vSphere capabilities require components to communicate over management or other dedicated networks. Because networks that carry management communication provide direct access to core functionality, VMware recommends that ESXi host management communication occur only over a dedicated and isolated network segment.
Communication between vCenter Server and each host is encrypted by default using standard X.509 version 3 certificates. However, the other traffic types described in this section are not encrypted by default, so evaluate whether the data traversing the network for each of these components must be secured and made unreadable.
Consider other traffic flows from a security perspective, including vSphere vMotion traffic (which is no longer tied to an L2 data center LAN), vSphere FT, and storage traffic such as iSCSI, NFS, replication, or vSAN.
These traffic types must be isolated and strongly secured from all other traffic flows going to and from virtual machines. The most typical way of achieving this is to isolate the networks by creating a separate VLAN for each traffic type. This way, virtual and physical switches can be shared as long as the traffic remains logically isolated from tenant virtual machines.
Figure 35. Network Segmentation
 
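The check a practitioner would want before signing off on the segmentation above, as an added example that is not part of the VMware paper: it walks a host's port group inventory and flags any VLAN that carries more than one privileged traffic type, a privileged type alongside a tenant VM port group, or privileged traffic left untagged. The inventory records and the service labels are hypothetical; on a real host they would be built from PowerCLI (Get-VMHostNetworkAdapter -VMKernel) or pyVmomi output.

```python
from collections import defaultdict

# Traffic types the section requires to be kept apart from each other and from
# tenant VM traffic. Service labels are hypothetical, not the ESXi API's names.
PRIVILEGED = {"Management", "vMotion", "FaultTolerance", "vSAN", "Storage"}


def audit_vlan_isolation(portgroups):
    """Return findings for a host's port groups ({"name", "vlan", "services"});
    an empty services list marks a tenant VM port group. An empty result means
    every privileged traffic type has its own VLAN, separate from tenant VMs."""
    by_vlan = defaultdict(list)
    for pg in portgroups:
        by_vlan[pg["vlan"]].append(pg)
    findings = []
    for vlan, pgs in sorted(by_vlan.items()):
        privileged = set()
        tenants = []
        for pg in pgs:
            privileged |= set(pg["services"]) & PRIVILEGED
            if not pg["services"]:
                tenants.append(pg["name"])
        if vlan == 0 and privileged:
            # Untagged frames ride the native VLAN with anything else untagged
            findings.append(f"VLAN 0 (untagged) carries {sorted(privileged)}")
        if len(privileged) > 1:
            findings.append(f"VLAN {vlan} mixes {sorted(privileged)}")
        if privileged and tenants:
            findings.append(f"VLAN {vlan} carries {sorted(privileged)} next to VM port groups {tenants}")
    return findings


# Constructed sample inventories (not taken from any real host).
# Weak: FT logging shares the management VLAN, vMotion shares VLAN 20 with a
# tenant port group, and vSAN is left untagged.
WEAK = [
    {"name": "Management Network", "vlan": 10, "services": ["Management"]},
    {"name": "FT Logging", "vlan": 10, "services": ["FaultTolerance"]},
    {"name": "vMotion", "vlan": 20, "services": ["vMotion"]},
    {"name": "Tenant-A-Web", "vlan": 20, "services": []},
    {"name": "vSAN", "vlan": 0, "services": ["vSAN"]},
]
# Hardened: one VLAN per privileged traffic type, tenants on their own VLANs.
HARDENED = [
    {"name": "Management Network", "vlan": 10, "services": ["Management"]},
    {"name": "FT Logging", "vlan": 11, "services": ["FaultTolerance"]},
    {"name": "vMotion", "vlan": 20, "services": ["vMotion"]},
    {"name": "vSAN", "vlan": 30, "services": ["vSAN"]},
    {"name": "iSCSI", "vlan": 40, "services": ["Storage"]},
    {"name": "Tenant-A-Web", "vlan": 100, "services": []},
]
```

Running audit_vlan_isolation(WEAK) yields three findings (untagged vSAN, mixed VLAN 10, tenant traffic on the vMotion VLAN), while the hardened inventory yields none.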
The principal goals of the service provider in securing hypervisor communication include:
Verifying that tenants or external attackers cannot gain privileged access to the hypervisor through services running on the management, backup, or other secure networks.
Ensuring tenants or external threats cannot sniff vSphere vMotion, vSphere FT, vSAN, or other privileged traffic to obtain memory or file system contents of a virtual machine or other data that could assist in the staging of a man-in-the-middle attack.
Making sure that all replicated storage or storage access traffic, which is typically not encrypted, cannot be viewed by anyone.
Despite the need to protect the VMware vCloud platform from attacks, the appropriate operational teams still need access to the vCenter Server instances and ESXi hosts. However, rather than configuring direct access to these protected networks, consider limiting access to a virtual private network (VPN) or to “jump boxes” that reside on the management network.
As highlighted previously, a management cluster also provides resource isolation and can satisfy the requirement to have physical isolation between management and tenant workloads. This further protects access to the management virtual machines running monitoring, management, and cloud platform services.