Friday, March 2, 2012

2.5 Define Logical Security Design

Network Segmentation
  Fully collapsed trust zones virtualize the entire datacenter, including all network and security devices; applied to a DMZ, this is called a DMZ in a box. This configuration maximizes server consolidation and delivers significant cost reduction. VLANs are not required, as they are in the configuration using partially collapsed trust zones with virtual separation, because each zone gets its own virtual switch and its own physical uplinks. Plan a minimum of 3 NICs per ESX host, one each for the Internet, Internal and Management networks, and consider NIC teaming for redundancy, which raises that count. The trade-off is that zone separation now rests entirely on the correctness of the virtual switch and virtual security appliance configuration, so the checklist below matters more, not less.
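The per-host switch layout that the 3-NIC design implies, as an added PowerCLI example that is not part of the original post. It assumes PowerCLI is loaded and Connect-VIServer has already been run; the host name, vSwitch names and vmnic numbers are assumptions for illustration only.

```powershell
# Added example (not from the original post): build one standard vSwitch per trust zone
# on a single host, each with its own pair of physical uplinks for NIC teaming.
# Assumptions: PowerCLI loaded, Connect-VIServer done; host name and vmnic numbers are illustrative.
$vmhost = Get-VMHost -Name 'esx01.example.com'

# Management zone: the default vSwitch0 already carries the Management Network VMkernel
# port, so only add a second uplink to it. A single NIC failure then cannot isolate the host.
$mgmt = Get-VirtualSwitch -VMHost $vmhost -Name 'vSwitch0'
Set-VirtualSwitch -VirtualSwitch $mgmt -Nic 'vmnic0','vmnic1' -Confirm:$false | Out-Null

# Internet and Internal zones: a new vSwitch each, with uplinks that are not shared with
# any other zone. With no shared uplink and no VLAN trunking, traffic can only cross zones
# through whatever virtual security appliance (e.g. vShield Zones) is placed between them.
$zones = @{
    'vSwitch-Internet' = @('vmnic2', 'vmnic3')
    'vSwitch-Internal' = @('vmnic4', 'vmnic5')
}
foreach ($name in $zones.Keys) {
    $vsw = New-VirtualSwitch -VMHost $vmhost -Name $name -Nic $zones[$name]
    # One VM port group per zone, named after the zone (illustrative naming)
    New-VirtualPortGroup -VirtualSwitch $vsw -Name ($name -replace '^vSwitch-', '') | Out-Null
}

# Verify the layout: every vSwitch should show exactly two uplinks and no vmnic should
# appear under more than one vSwitch. Review this output on every host of the cluster.
Get-VirtualSwitch -VMHost $vmhost -Standard |
    Select-Object Name, @{ Name = 'Uplinks'; Expression = { $_.Nic -join ',' } }
```

Run the same script against every host in the cluster (or wrap it in a `foreach` over `Get-VMHost`) so that a VM moved by vMotion finds the same zone switches, with the same names, on its new host.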

Virtualized TrustZone Security Checklist
  • Harden and isolate the service console and the management network: keep management traffic on its own vSwitch and physical NICs, reachable only from the management network.
  • Enforce consistency of network configuration across all hosts, otherwise a VM moved by vMotion may land on a host whose port group policy is looser than the one it left.
  • Set the Layer 2 security options on every virtual switch and port group to Reject: Promiscuous Mode, MAC Address Changes and Forged Transmits. On a standard vSwitch only Promiscuous Mode defaults to Reject; MAC Address Changes and Forged Transmits default to Accept, so they must be changed explicitly.
  • Enforce separation of duties with vCenter roles: grant each role the minimum privileges it needs, scoped to the inventory objects it manages.
  • Use ESX resource management (reservations, limits and shares) so that a compromised or runaway VM cannot starve the others on the host, which limits the effect of a DoS.
  • Regularly audit the virtualized configuration against the hardening guide, since drift on a single host undoes the separation.
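An added PowerCLI example that covers the Layer 2 security item, the cross-host consistency item and the audit item of the checklist together; it is not code from the original post. It assumes PowerCLI is loaded and Connect-VIServer has already been run against the vCenter. The `-Remediate` switch and the shape of the report are this example's own choices.

```powershell
# Added example (not from the original post): audit the Layer 2 security policy of every
# standard vSwitch and port group on every host known to vCenter, and optionally set
# all three options to Reject.
# Assumptions: PowerCLI loaded, Connect-VIServer done; -Remediate is this script's own switch.
param(
    [switch]$Remediate
)

$findings = @()

foreach ($vmhost in Get-VMHost) {
    foreach ($vsw in Get-VirtualSwitch -VMHost $vmhost -Standard) {
        # vSwitch-level policy first; port groups inherit it unless they override it.
        $pol = Get-SecurityPolicy -VirtualSwitch $vsw
        if ($pol.AllowPromiscuous -or $pol.MacChanges -or $pol.ForgedTransmits) {
            $findings += [pscustomobject]@{
                Host             = $vmhost.Name
                Object           = $vsw.Name
                Type             = 'vSwitch'
                AllowPromiscuous = $pol.AllowPromiscuous
                MacChanges       = $pol.MacChanges
                ForgedTransmits  = $pol.ForgedTransmits
            }
            if ($Remediate) {
                Set-SecurityPolicy -VirtualSwitchPolicy $pol `
                    -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false | Out-Null
            }
        }

        # A port group can override the vSwitch policy back to Accept, so check each one.
        # A port group that merely inherits a permissive vSwitch policy is listed as well.
        foreach ($pg in Get-VirtualPortGroup -VirtualSwitch $vsw) {
            $pgpol = Get-SecurityPolicy -VirtualPortGroup $pg
            if ($pgpol.AllowPromiscuous -or $pgpol.MacChanges -or $pgpol.ForgedTransmits) {
                $findings += [pscustomobject]@{
                    Host             = $vmhost.Name
                    Object           = "$($vsw.Name)/$($pg.Name)"
                    Type             = 'PortGroup'
                    AllowPromiscuous = $pgpol.AllowPromiscuous
                    MacChanges       = $pgpol.MacChanges
                    ForgedTransmits  = $pgpol.ForgedTransmits
                }
                if ($Remediate) {
                    Set-SecurityPolicy -VirtualPortGroupPolicy $pgpol `
                        -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false | Out-Null
                }
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'All standard vSwitches and port groups reject promiscuous mode, MAC changes and forged transmits.'
} else {
    # Sorting by host makes per-host drift visible at a glance.
    $findings | Sort-Object Host, Object | Format-Table -AutoSize
}
```

Run it without `-Remediate` first and review the report: a few workloads legitimately need Promiscuous Mode (a virtual IDS tap, nested ESXi), and those port groups should be documented exceptions rather than silently reset. Scheduling the read-only run is the "regularly audit" item; its output on a clean cluster should be the one-line all-clear message on every run.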
vShield Zones
vSphere Hardening Guide
