vsp_41_esx_server_config.pdf

ESX Configuration Guide

Figure 12-4. Sample VLAN Layout

[Figure not reproduced. Labels recoverable from the image: Host 1, Host 2, Host 3 and Host 4, each with its own vSwitch; Switch 1 and Switch 2; a Router; virtual machines VM0 through VM14; VLAN A forming Broadcast Domain A; VLAN B forming Broadcast Domain B; and one host (Host 4) whose vSwitch carries multiple VLANs on the same virtual switch, with ports tagged VLAN B, VLAN A and VLAN B, so that Broadcast Domains A and B both reach it.]

In this configuration, all employees in the accounting department use virtual machines in VLAN A and the employees in sales use virtual machines in VLAN B.

The router forwards packets containing accounting data to the switches. These packets are tagged for distribution to VLAN A only. Therefore, the data is confined to Broadcast Domain A and cannot be routed to Broadcast Domain B unless the router is configured to do so.

This VLAN configuration prevents the sales force from intercepting packets destined for the accounting department. It also prevents the accounting department from receiving packets intended for the sales group. The virtual machines serviced by a single virtual switch can be in different VLANs.
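The paragraphs above describe a Layer-2 isolation model: a broadcast domain follows the VLAN tag across hosts and physical switches, two VLANs only meet at the router, and VMs on one vSwitch can sit in different VLANs. The following script is an added example, not code from the ESX Configuration Guide or from VMware; it models that rule over a constructed inventory loosely based on Figure 12-4 (the VM-to-host assignment, the vSwitch names and the helper functions are assumptions) and answers the questions a reviewer asks about such a layout: who shares a broadcast domain, whether a given pair can talk at all, and which VMs share a virtual switch while staying isolated.

```python
"""Layer-2 reachability model for the VLAN layout described around Figure 12-4.

Added example, not part of the ESX Configuration Guide. The VM-to-host
assignment below is an assumption modelled loosely on the figure.
"""
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class VmPort:
    vm: str        # virtual machine name
    host: str      # ESX host the VM runs on
    vswitch: str   # virtual switch on that host
    vlan: str      # VLAN the port group is tagged with ("A" = accounting, "B" = sales)


# Constructed inventory (assumption): accounting VMs on VLAN A, sales VMs on VLAN B,
# and Host 4 carrying both VLANs on a single vSwitch, as the figure shows.
INVENTORY = [
    VmPort("VM0", "Host 1", "vSwitch0", "A"),
    VmPort("VM1", "Host 1", "vSwitch0", "A"),
    VmPort("VM2", "Host 1", "vSwitch0", "A"),
    VmPort("VM6", "Host 3", "vSwitch0", "B"),
    VmPort("VM7", "Host 3", "vSwitch0", "B"),
    VmPort("VM8", "Host 3", "vSwitch0", "B"),
    VmPort("VM12", "Host 4", "vSwitch0", "B"),
    VmPort("VM13", "Host 4", "vSwitch0", "A"),
    VmPort("VM14", "Host 4", "vSwitch0", "B"),
]


def broadcast_domains(ports):
    """Group VMs by VLAN tag.

    A broadcast domain follows the tag across hosts and physical switches,
    but a frame tagged for VLAN A is never delivered to a VLAN B port.
    """
    domains = defaultdict(set)
    for p in ports:
        domains[p.vlan].add(p.vm)
    return {vlan: sorted(vms) for vlan, vms in domains.items()}


def can_reach(ports, src, dst, router_routes_between=frozenset()):
    """Classify how a packet from src could reach dst.

    Returns "layer2" when both sit in the same VLAN, "routed" when they sit in
    different VLANs and the router is explicitly configured to forward between
    them (unordered VLAN pair present in router_routes_between), else None.
    """
    by_vm = {p.vm: p for p in ports}
    a, b = by_vm[src], by_vm[dst]
    if a.vlan == b.vlan:
        return "layer2"
    if frozenset((a.vlan, b.vlan)) in router_routes_between:
        return "routed"
    return None


def isolated_pairs_on_shared_vswitch(ports):
    """Pairs of VMs on the same host and vSwitch whose VLAN tags differ.

    These share a virtual switch yet sit in separate broadcast domains, the
    "multiple VLANs on the same virtual switch" case in the figure.
    """
    pairs = []
    for a, b in combinations(ports, 2):
        if (a.host, a.vswitch) == (b.host, b.vswitch) and a.vlan != b.vlan:
            pairs.append((a.vm, b.vm))
    return pairs


if __name__ == "__main__":
    for vlan, vms in broadcast_domains(INVENTORY).items():
        print(f"Broadcast Domain {vlan}: {', '.join(vms)}")
    print("VM0 -> VM6 without inter-VLAN routing:", can_reach(INVENTORY, "VM0", "VM6"))
    print("VM0 -> VM6 with router forwarding A<->B:",
          can_reach(INVENTORY, "VM0", "VM6", {frozenset(("A", "B"))}))
    print("Isolated pairs on a shared vSwitch:", isolated_pairs_on_shared_vswitch(INVENTORY))
```

The router is modelled as a set of VLAN pairs it forwards between; leaving it empty reproduces the default the text describes, where accounting data stays in Broadcast Domain A unless the router is deliberately configured otherwise.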

Security Considerations for VLANs

The way you set up VLANs to secure parts of a network depends on factors such as the guest operating system and the way your network equipment is configured.

ESX features a complete IEEE 802.1Q-compliant VLAN implementation. VMware cannot make specific recommendations on how to set up VLANs, but there are factors to consider when using a VLAN deployment as part of your security enforcement policy.

162

VMware, Inc.

Chapter 12 Securing an ESX Configuration

VLANs as Part of a Broader Security Implementation

VLANs are an effective means of controlling where and how widely data is transmitted within the network. If an attacker gains access to the network, the attack is likely to be limited to the VLAN that served as the entry point, lessening the risk to the network as a whole.

VLANs provide protection only in that they control how data is routed and contained after it passes through the switches and enters the network. You can use VLANs to help secure Layer 2 of your network architecture, the data link layer. However, configuring VLANs does not protect the physical layer of your network model or any of the other layers. Even if you create VLANs, provide additional protection by securing your hardware (routers, hubs, and so forth) and encrypting data transmissions.

VLANs are not a substitute for firewalls in your virtual machine configurations. Most network configurations that include VLANs also include firewalls. If you include VLANs in your virtual network, be sure that the firewalls that you install are VLAN-aware.

Properly Configure VLANs

Equipment misconfiguration and network hardware, firmware, or software defects can make a VLAN susceptible to VLAN-hopping attacks.

VLAN hopping occurs when an attacker with authorized access to one VLAN creates packets that trick physical switches into transmitting the packets to another VLAN that the attacker is not authorized to access. Vulnerability to this type of attack usually results from a switch being misconfigured for native VLAN operation, in which the switch can receive and transmit untagged packets.

To help prevent VLAN hopping, keep your equipment up to date by installing hardware and firmware updates as they become available. Also, follow your vendor’s best practice guidelines when you configure your equipment.

VMware virtual switches do not support the concept of a native VLAN. All data passed on these switches is appropriately tagged. However, because other switches in the network might be configured for native VLAN operation, VLANs configured with virtual switches can still be vulnerable to VLAN hopping.

If you plan to use VLANs to enforce network security, disable the native VLAN feature for all switches unless you have a compelling reason to operate some of your VLANs in native mode. If you must use native VLAN, see your switch vendor’s configuration guidelines for this feature.

Create Separate Communications Between Management Tools and the Service Console

Whether you use a management client or the command line, all configuration tasks for ESX are performed through the service console, including configuring storage, controlling aspects of virtual machine behavior, and setting up virtual switches or virtual networks. Because the service console is the point of control for ESX, safeguarding it from misuse is crucial.

VMware ESX management clients use authentication and encryption to prevent unauthorized access to the service console. Other services might not offer the same protection. If attackers gain access to the service console, they are free to reconfigure many attributes of the ESX host. For example, they can change the entire virtual switch configuration or change authorization methods.

Network connectivity for the service console is established through virtual switches. To provide better protection for this critical ESX component, isolate the service console by using one of the following methods:

- Create a separate VLAN for management tool communication with the service console.

- Configure network access for management tool connections with the service console through a single virtual switch and one or more uplink ports.
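The two isolation options above, together with the earlier warning that untagged (native VLAN) operation on physical switches is what usually exposes a VLAN layout, translate into checks an administrator can run over a host's vSwitch and port-group inventory. The script below is an added example, not code from the ESX Configuration Guide or from VMware; the inventories are constructed, and the audit helper is hypothetical. It flags a service console port group that shares a VLAN or a vSwitch with VM port groups, a vSwitch without an uplink, and VM port groups whose VLAN ID is 0 (frames leave untagged and land on whatever native VLAN the physical switch port assigns) or 4095 (the guest receives every VLAN carried on the trunk); the hardened layout shows the arrangement the text recommends producing no findings.

```python
"""Audit an ESX vSwitch / port-group inventory against the isolation guidance
in this chapter: service console on its own VLAN or vSwitch, and no VM port
group whose VLAN ID silently widens its reach.

Added example, not code from the ESX Configuration Guide or from VMware. The
inventories below are constructed; the audit helper is hypothetical.
"""
from dataclasses import dataclass

# Special VLAN ID values on ESX standard vSwitch port groups.
VLAN_UNTAGGED = 0      # frames leave untagged and land on the upstream port's native VLAN
VLAN_VGT_ALL = 4095    # virtual guest tagging: every VLAN on the trunk is passed to the guest


@dataclass(frozen=True)
class PortGroup:
    name: str
    vswitch: str
    vlan_id: int
    kind: str          # "service_console", "vmkernel" or "vm"


@dataclass(frozen=True)
class VSwitch:
    name: str
    uplinks: tuple     # physical NICs, e.g. ("vmnic0",)


def audit(port_groups, vswitches):
    """Return a list of (severity, message) findings; an empty list means the
    layout matches the guidance on this page."""
    findings = []
    switches = {vs.name: vs for vs in vswitches}

    for sc in (pg for pg in port_groups if pg.kind == "service_console"):
        vs = switches.get(sc.vswitch)
        if vs is None or not vs.uplinks:
            findings.append(("HIGH", f"{sc.name}: vSwitch {sc.vswitch} has no uplink, "
                                     "so management traffic has no dedicated path"))
        neighbours = [pg for pg in port_groups
                      if pg.vswitch == sc.vswitch and pg.kind == "vm"]
        same_vlan = [pg.name for pg in neighbours if pg.vlan_id == sc.vlan_id]
        if same_vlan:
            findings.append(("HIGH", f"{sc.name}: VM port groups {same_vlan} share "
                                     f"VLAN {sc.vlan_id} with the service console"))
        elif neighbours:
            findings.append(("MEDIUM", f"{sc.name}: shares vSwitch {sc.vswitch} with VM "
                                       f"port groups {[pg.name for pg in neighbours]}; "
                                       "separated by VLAN tag only"))

    for pg in port_groups:
        if pg.kind != "vm":
            continue
        if pg.vlan_id == VLAN_VGT_ALL:
            findings.append(("HIGH", f"{pg.name}: VLAN 4095 hands every VLAN on the trunk to the guest"))
        elif pg.vlan_id == VLAN_UNTAGGED:
            findings.append(("MEDIUM", f"{pg.name}: untagged; placement depends on the physical "
                                       "switch port's native VLAN"))
        elif not 1 <= pg.vlan_id <= 4094:
            findings.append(("HIGH", f"{pg.name}: VLAN ID {pg.vlan_id} is not a valid 802.1Q tag"))
    return findings


# Constructed "before" layout: everything on one vSwitch, the service console
# untagged next to an untagged VM port group and a VGT port group.
WEAK_VSWITCHES = [VSwitch("vSwitch0", ("vmnic0",))]
WEAK_PORT_GROUPS = [
    PortGroup("Service Console", "vSwitch0", 0, "service_console"),
    PortGroup("Accounting", "vSwitch0", 0, "vm"),
    PortGroup("Sales", "vSwitch0", 20, "vm"),
    PortGroup("Trunk-to-guest", "vSwitch0", 4095, "vm"),
]

# Constructed hardened layout: service console on its own vSwitch and uplink,
# on a dedicated management VLAN; VM port groups explicitly tagged.
HARDENED_VSWITCHES = [VSwitch("vSwitch0", ("vmnic0",)), VSwitch("vSwitch1", ("vmnic1", "vmnic2"))]
HARDENED_PORT_GROUPS = [
    PortGroup("Service Console", "vSwitch0", 100, "service_console"),
    PortGroup("Accounting", "vSwitch1", 10, "vm"),
    PortGroup("Sales", "vSwitch1", 20, "vm"),
]


if __name__ == "__main__":
    for label, pgs, vss in (("weak", WEAK_PORT_GROUPS, WEAK_VSWITCHES),
                            ("hardened", HARDENED_PORT_GROUPS, HARDENED_VSWITCHES)):
        print(f"== {label} layout ==")
        for sev, msg in audit(pgs, vss) or [("OK", "no findings")]:
            print(f"[{sev}] {msg}")
```

The audit only covers what the host itself knows; the native VLAN setting on the physical switch ports feeding each uplink still has to be verified on the switch side, as the text advises.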

