Architecting a VMware NSX Solution : Security : 10.4 NSX for vSphere Hardening
   
10.4 NSX for vSphere Hardening
This section provides high-level recommendations for the most effective methods of evaluating and securing the NSX for vSphere platform, data center, and cloud infrastructure built using NSX for vSphere, specifically v6.1. The recommendations are grouped into the following categories:
Common
Management plane
Control plane
Data plane
Information for each of these categories is provided in the VMware NSX for vSphere Hardening Guide available at https://communities.vmware.com/docs/DOC-28142. This guide is intended for users in various roles, including network and security architects, security officers, virtual infrastructure administrators, cloud infrastructure architects, cloud administrators, cloud customers, cloud providers, and auditors. Additionally, individuals and organizations that are seeking a starting point for the network and security controls to consider when adopting or building a network and security infrastructure will find the recommendations helpful.
VMware engages with various partners to perform security assessments of the NSX for vSphere platform and specific design and architecture deployments. These assessments also focus on newer features such as the integration of software-defined networking (SDN) and software-defined data center (SDDC). The assessment of the NSX for vSphere platform is primarily focused on networking and security attacks, configuration issues, secure defaults, and protocols in use. Using a combination of targeted source code review, active and fuzz testing, as well as other methods, these assessments locate and determine whether any significant vulnerabilities exist. Left unchecked, many of these issues (separately, or in concert) could result in a complete data center compromise. So, keep in mind as you design data center and cloud architecture and system solutions that you must take the required steps and make the appropriate architectural design decisions to avoid or mitigate issues that might arise in your own environment.
Despite the inherent risks, software-defined networking paired with network and security virtualization offers a myriad of benefits and allows for entirely software-defined data centers, a key part of the VMware vision for current and future products. You must also address the potential and inherent risks of this new platform as you work with the VMware NSX platform technology.
One of the true values of software-defined networking and security is that it allows agile movement of virtual machines, networks, and security services between physical hosts and across the data center, which physical networking cannot match. The dynamic nature of this technology requires that underlying hosts be fully connected at the physical and IP layer. With these new options for connectivity, however, also come some risks. All software has flaws, and the re-implementation of core networking protocols, parsers, and switching methods will repeat and likely inherit historic vulnerabilities from older methods of physical networking and security.
As an example, denial-of-service (DoS) attacks have become a much greater issue now. In the physical networking world, dedicated hardware handles much of the parsing and routing of packets. In a software networking and security world, it is the software component that must parse, reparse, perform table lookups, and generally be aware of encapsulation, fragmentation and so on, spending much more CPU time deciding how to handle each packet. A potential software bug in any stage of this packet handling can lead to resource exhaustion, software crashes, and other scenarios that result in DoS and possibly a loss of networking and security services for hundreds of hosts, and also might affect the entire data center.
Software-defined networking and security also extends traditional network and security attacks to multiple data centers. Traditionally local attacks, such as ARP spoofing, can now be conducted across Layer 3 networks in geographically diverse locations. Additionally, if any vulnerability in the software network and security stack allows these attacks to leak onto the physical network, physical hosts in multiple data centers affecting multiple customers can also be compromised.
In a very real sense, software-defined networking and security as it is currently designed relies on virtual machine containment. If a virtual machine escape is ever performed or if an attacker discovers a technique for sending un-encapsulated packets on physical networks, expected security will be lost. As described previously, every physical host must be completely connected at the IP and physical layer, exposing an extremely broad attack surface. Once an attacker has a method of sending and receiving data on this physical network, the attacker can move laterally between hosts unabated by firewalls or routers, as these are no longer security relevant devices. Software-defined networking and security is a powerful technology that is necessary for organizations and companies to take advantage of, now and in the future. However, like all software, software-defined networking and data centers can be fragile and networking and security vulnerabilities have broad ramifications not traditionally realized in physical networking platforms.
As you look at recurring weaknesses, these are good candidates for systematic fixes as well as areas that require additional testing. They can also be folded into secure-configuration guidelines and threat modeling. Consider the following:
Insufficient control, management, and data plane security requirements. Much of the NSX for vSphere platform can be protected with TLSv1/SSL (if properly configured), but consistent usage and strong defaults are still elusive. When protecting the NSX Manager, as well as the management REST APIs, use TLS v1.2, because the control plane uses TLS in all other communications.
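The TLS 1.2 recommendation above is only useful if it is verified. The following added script (not part of the book or of any VMware tooling) is one way an administrator can audit an NSX Manager's management endpoint from a workstation: it offers each TLS version in turn and records whether the server accepts it, then compares the outcome with a minimum-version policy. The host name and port are assumptions and should be replaced with your own manager's address; the script also distinguishes a server that rejects an old version from a client whose OpenSSL build refuses to offer it, so that an untested version is not mistakenly reported as secure.

```python
import socket
import ssl

# Hypothetical NSX Manager address (assumption: replace with your own manager's FQDN).
NSX_MANAGER_HOST = "nsx-manager.example.local"
NSX_MANAGER_PORT = 443

# Policy from the hardening guidance: management traffic should negotiate TLS 1.2 (or newer).
MINIMUM_ACCEPTABLE = ssl.TLSVersion.TLSv1_2

# Versions offered one at a time; ssl.TLSVersion is an IntEnum, so members compare by wire value.
PROBE_VERSIONS = (
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
)


def probe_tls_version(host, port, version, timeout=5.0):
    """Offer exactly one protocol version to host:port and report how the handshake ended.

    Returns one of:
      "accepted"           - the server completed a handshake at this version
      "rejected"           - the server refused this version (the desired outcome for old versions)
      "client-unsupported" - the local OpenSSL build will not offer this version, so nothing was learned
      "unreachable"        - the TCP connection failed or timed out
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Certificate validity is a separate check; only protocol negotiation matters here.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        # The interpreter's OpenSSL was built without this version at all.
        return "client-unsupported"

    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"

    with sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "accepted" if tls.version() else "rejected"
        except ssl.SSLError as exc:
            # Modern OpenSSL (security level >= 1) refuses to even offer TLS 1.0/1.1; that surfaces
            # as NO_PROTOCOLS_AVAILABLE and must not be counted as a rejection by the server.
            if exc.reason == "NO_PROTOCOLS_AVAILABLE":
                return "client-unsupported"
            return "rejected"
        except OSError:
            # Connection reset or closed mid-handshake: the server did not complete it.
            return "rejected"


def evaluate_policy(results, minimum=MINIMUM_ACCEPTABLE):
    """Compare probe results (dict of TLSVersion -> outcome string) with the minimum-version policy.

    A host is compliant only if no version below the minimum was accepted AND at least one
    version at or above the minimum was accepted (a host that accepts nothing is not "hardened").
    """
    weak_accepted = sorted(v.name for v, r in results.items() if r == "accepted" and v < minimum)
    untested = sorted(v.name for v, r in results.items() if r in ("client-unsupported", "unreachable"))
    modern_ok = any(r == "accepted" for v, r in results.items() if v >= minimum)
    return {
        "compliant": not weak_accepted and modern_ok,
        "weak_accepted": weak_accepted,
        "untested": untested,
    }


def audit_host(host=NSX_MANAGER_HOST, port=NSX_MANAGER_PORT):
    """Probe every version in PROBE_VERSIONS against one endpoint and return the policy verdict."""
    results = {v: probe_tls_version(host, port, v) for v in PROBE_VERSIONS}
    return evaluate_policy(results)


if __name__ == "__main__":
    verdict = audit_host()
    print("compliant:", verdict["compliant"])
    print("weak versions accepted:", ", ".join(verdict["weak_accepted"]) or "none")
    print("versions not tested:", ", ".join(verdict["untested"]) or "none")
```

Run it against each NSX Manager and any other management endpoint after applying the hardening guide; a non-empty "versions not tested" line means the client could not offer that version, and the check should be repeated from a host whose OpenSSL still permits TLS 1.0/1.1 before concluding the server rejects them.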