Wednesday, April 4, 2012

Virtual Networking Security Hardening Guide

  • Network architecture
  1. Ensure that vSphere management traffic is on a restricted network.
  2. Ensure vMotion traffic is isolated on a dedicated VLAN. vMotion copies guest memory in plain text, so the segment must be non-routable and reachable only by the hosts' VMkernel interfaces.
  3. Ensure IP-based storage traffic (iSCSI, NFS) is isolated on a port group in a dedicated VLAN.
  4. Strictly control access to the management network: reach it only through a gateway such as a VPN or a jump box (for example the vMA, vSphere Management Assistant), never directly from user networks.
  • vNetwork configuration
  1. Size the switch for what it needs. A vSwitch supports at most 512 port groups; set the number of ports available to each port group to what is actually required, and remove unused ports on a vDS, so that unplanned VM interfaces cannot be attached.
  2. Ensure that the MAC Address Changes policy is set to Reject. Otherwise a guest can change its effective MAC address and receive frames intended for another VM.
  3. Ensure that the Forged Transmits policy is set to Reject. Otherwise a guest can send frames with a source MAC address that is not its own (MAC spoofing).
  4. Ensure that the Promiscuous Mode policy is set to Reject. Otherwise a guest can see all traffic on its port group's VLAN. Workloads that genuinely need an exception (a network IDS sensor, nested ESX, Microsoft NLB in unicast mode) should sit on their own port group with the exception documented, not on a switch-wide setting.
  5. ESX does not use the concept of a native VLAN, so ensure that no port group is configured with the native VLAN ID of the upstream physical switch. If a port group uses the native VLAN ID, the vSwitch tags those frames, but the physical switch expects native-VLAN traffic to be untagged, so the VMs' traffic is not visible on the native VLAN; in the other direction, untagged traffic from the native VLAN is by design not delivered to the tagged port group either.
  6. Only Virtual Guest Tagging (VGT, VLAN trunk mode) port groups use VLAN ID 4095. With 4095 the vSwitch passes 802.1Q tags through untouched and the guest OS is responsible for tagging and untagging; any other port group set to 4095 is a misconfiguration.
  7. Ensure that port groups do not use VLAN IDs reserved by the upstream physical switches. For example, Cisco Catalyst switches typically reserve 1001-1024 and 4094, and Nexus switches reserve 3968-4047 and 4094.
  8. Give every port group a clear network label.
  9. Give every vSwitch a clear network label.
  10. Fully document all VLANs used on vSwitches, so that trunk links on the physical switches can be configured to carry exactly those VLANs.
  11. Ensure that only authorized administrators have access to vNetwork components.
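The items above are checked on the host with esxcli. The following script is an added example, not part of the original guide: it audits captured esxcli output against items 2-4 (security policy) and 5-7 (VLAN IDs) so it can run offline, and prints the esxcli command that remediates the security policy. It assumes ESXi 5.x esxcli syntax and a native VLAN of 1 on the upstream switch; both sample outputs are constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example (not from the original guide): audit an ESXi standard vSwitch
# against the vNetwork checklist, using captured esxcli output so it runs
# offline. Both samples below are constructed, not real host output.
# Assumptions: ESXi 5.x esxcli syntax; native VLAN 1 on the physical switch.

# Constructed output of:
#   esxcli network vswitch standard policy security get -v vSwitch0
SAMPLE_POLICY='   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true'

# Constructed output of:
#   esxcli network vswitch standard portgroup list
SAMPLE_PORTGROUPS='Name                Virtual Switch  Active Clients  VLAN ID
------------------  --------------  --------------  -------
Management Network  vSwitch0                     1       10
vMotion             vSwitch0                     1       20
VM Network          vSwitch0                     2        1
Legacy Test         vSwitch0                     0     1002
Trunked Guest       vSwitch0                     1     4095'

# Read a security policy on stdin; print every setting that is not "false".
# Returns 1 when at least one setting is non-compliant, 0 otherwise.
audit_security_policy() {
    bad=$(grep -E '^ *Allow (Promiscuous|MAC Address Change|Forged Transmits): *true' || true)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" | sed 's/^ */NONCOMPLIANT: /'
    return 1
}

# Read a port group list on stdin; flag VLAN IDs that collide with the
# physical native VLAN ($1, default 1), the vendor-reserved ranges named in
# the checklist (Catalyst 1001-1024/4094, Nexus 3968-4047/4094), and VGT
# port groups (4095), which need a documented reason to exist.
audit_port_group_vlans() {
    awk -v native="${1:-1}" 'NR > 2 && NF >= 4 {
        vlan = $NF + 0
        name = $1; for (i = 2; i <= NF - 3; i++) name = name " " $i
        if (vlan == native)
            print "NONCOMPLIANT: " name " is tagged with native VLAN " vlan ", which the physical switch expects untagged"
        else if ((vlan >= 1001 && vlan <= 1024) || (vlan >= 3968 && vlan <= 4047) || vlan == 4094)
            print "NONCOMPLIANT: " name " uses reserved VLAN " vlan
        else if (vlan == 4095)
            print "REVIEW: " name " is VGT (4095); confirm the guest OS is meant to tag its own frames"
    }'
}

# Print the esxcli command that sets all three policies to Reject on a vSwitch.
# Port groups inherit the switch policy unless they override it.
remediation_command() {
    printf 'esxcli network vswitch standard policy security set -v %s --allow-promiscuous=false --allow-mac-change=false --allow-forged-transmits=false\n' "$1"
}

# Stand-alone run against the constructed samples.
printf '%s\n' "$SAMPLE_POLICY" | audit_security_policy || remediation_command vSwitch0
printf '%s\n' "$SAMPLE_PORTGROUPS" | audit_port_group_vlans 1
```

On a real host, replace the samples with the output of the two esxcli commands named in the comments (run per vSwitch), and pass the native VLAN of the uplink's physical switch port as the argument to the VLAN check, since it is not always 1.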
  • Physical network
  1. Ensure that spanning tree is disabled on the physical switch ports that face ESX hosts, since the vSwitch does not participate in STP: it neither sends nor forwards BPDUs, and it never bridges traffic between its own uplinks, so it cannot form a loop. In practice this means enabling PortFast (trunk mode) and BPDU guard on those ports rather than turning STP off on the switch.
  2. In VST (Virtual Switch Tagging) mode, configure the trunk links between the physical switch and the virtual switch with the non-negotiate option. The vSwitch does not support Dynamic Trunking Protocol (DTP), so the trunk must be static and unconditional (on Cisco IOS, switchport mode trunk together with switchport nonegotiate).
  3. Ensure that VLAN trunk links are connected only to physical switch ports that are configured as trunks. An uplink carrying tagged frames into an access port has its traffic dropped or placed in the wrong VLAN.
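The three physical-network items translate into a short per-port configuration on the upstream switch. The following Cisco IOS fragment is an added example, not part of the original guide; the interface name, description and VLAN IDs are hypothetical, and the allowed-VLAN list must match the VLANs documented for the vSwitch (vNetwork item 10).

```text
! Added example (not from the original guide): ESX uplink port in VST mode.
! Interface, description and VLAN IDs are hypothetical.
interface GigabitEthernet1/0/10
 description ESX01 vmnic0 - VST trunk to vSwitch0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 999
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
```

The trunk is static and does not run DTP (item 2); PortFast and BPDU guard keep the port out of the STP topology while still shutting it down if a BPDU ever arrives from the host side (item 1); and the allowed list limits the trunk to the documented VLANs (item 3). The native VLAN is moved to an unused ID (999 here, an assumption) so that no port group can accidentally match it (vNetwork item 5). The `switchport trunk encapsulation dot1q` line is only needed on platforms that also support ISL. Verify with `show interfaces GigabitEthernet1/0/10 switchport` and `show interfaces trunk`, and check that the vSwitch port groups use only VLAN IDs from the allowed list.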
