Hello,
I have been thinking about the 10GbE/InfiniBand issues for quite a while now and while I would use those mostly for the VM Network and the Storage networks, I am not sure I would use them for the others yet... But that is just me.. I would still keep things separate even if I was using 10GbE....
Now let us talk about security and ESX. Currently, ESX has several issues in common with just about every system on the face of the earth. It has vulnerabilities... Yes, they are not in the OS itself but in the networking environment surrounding it.... So we need to look at the networks as the major part of security.... There are 4 distinct networks on most ESX servers, 5 if you include a DMZ.
1) Service Console or Administrative network... This network is the DOOR to your virtual data center. It will be a major attack point. Currently, certain aspects are susceptible to Man In the Middle Attacks (MiTM).... There is no real defense except vigilance, as this is a fault within the network, and humans, not ESX. Unless you do ALL your work from the Console, this can happen. Remember access to this implies Access to EVERYTHING but one... vMotion. Unless they share the same vSwitch/Physical NIC. This network should have a physical firewall as well as the basic ESX firewall. This network should not be seen within the DMZ, or be accessible by non-administrative VMs.
2) vMotion network is the one that access to the SC does not imply access to... vMotion sends all data over its network in a clear text protocol, implying that a hacker can just capture the packets and thereby access credentials and other useful data for further penetration. This should be 100% private between ESX hosts. Either a private physical switch or a tightly controlled VLAN on a pSwitch.
3) Storage network. Access to this network implies access to all the IO over the wire.... Someone could grab all the bits and pieces of a virtual disk by capturing packets. Would you let someone walk in and take a disk out of your data center without permission? Access to this network could imply that. Note that for iSCSI, a Service Console port must participate in this network. You can lock down this port even further if necessary. This includes NAS, iSCSI, SAN networks.
4) VM Network. This is the general purpose network with Windows and other VMs within it. Windows VMs are very easy to exploit and since 70% of all exploits happen from INSIDE companies, they should also be protected using normal means and perhaps some of the other means. vSwitches have the same limitations as normal networks.... ARP Cache Poisoning, MiTM attacks, etc.
5) A special case of the VM Network is the DMZ. The DMZ network should be 100% separated from the others. Actually, I would use DMZ specific ESX hosts instead. Search the Security and Compliance Forum for details on this. The DMZ is the often-attacked location from the outside, but the inside worries me as well.
Since it is extremely simple and maybe required to place a vSwitch in promiscuous mode or switch VMs from network to network, it is important to monitor everything to make sure nothing is bad. Providing more attack points to the SC, vMotion, Storage is not a good idea and using physical separation at the pNIC level is best. Until IPv6/IPSEC is used 100%, the network does not have any intrinsic security, so networks are where things often have issues. The best security for ESX is where everything is separate and redundant. So....
For 6 pNICs where I was not using a storage network I would use:
2 pNICs for SC (vSwitch0), 2 for vMotion (vSwitch1) , 2 for VM Network (vSwitch2)
With iSCSI/NFS I would do:
1 pNIC for SC and 1 pNIC for vMotion (vSwitch0), 2 for VM Network (vSwitch1), 2 for Storage (vSwitch2)..... Where the SC/vMotion do share the same vSwitch, but use different portgroups and physical NICs unless there is a case of one pNIC failure.... There are plenty of discussions on this in the Security and Compliance forum....
Some people feel this is overkill, I do not... I'd rather be secure using physical separation than not.... Security depends on quite a few things but in general this separation at the pNIC gives the best security for now.
Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. Available on Rough Cuts at
http://safari.informit.com/9780132302074
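As an added example (not code from the post above or from VMware), here is a small Python checker that audits a proposed vSwitch/portgroup/pNIC plan against the separation rules Edward lays out: sensitive networks (SC, vMotion, storage) never share an active pNIC with another network type, VMs never ride the same vSwitch as those networks, the DMZ gets a vSwitch of its own, every portgroup has a failover uplink, and promiscuous mode is flagged. The layout format, function names and vmnic names are my own assumptions; the two sample plans are the six-pNIC layouts recommended in the post.

```python
# Added example (not from the post or VMware): audit a vSwitch/portgroup/pNIC plan
# against the separation rules above. Layout format and names are assumptions.
SENSITIVE = {"SC", "vMotion", "Storage"}
ALLOWED_SHARE = {frozenset({"SC", "Storage"})}   # the iSCSI SC port the post mentions
def pg(kind, active, standby=(), promiscuous=False):
    """Portgroup spec: kind is SC|vMotion|Storage|VM|DMZ; uplinks are pNIC names."""
    return {"type": kind, "active": list(active), "standby": list(standby), "promiscuous": promiscuous}

def audit_layout(vswitches):
    """vswitches: {name: {"pnics": [...], "portgroups": {pg_name: pg(...)}}}.
    Returns a list of findings; an empty list means the plan follows the rules."""
    findings, active_owner = [], {}            # active_owner: pnic -> (vswitch, pg, type)
    for vs, cfg in vswitches.items():
        pgs = cfg["portgroups"]
        types = {s["type"] for s in pgs.values()}
        if "DMZ" in types and types != {"DMZ"}:   # DMZ gets its own vSwitch (or host)
            findings.append(f"{vs}: DMZ shares a vSwitch with {sorted(types - {'DMZ'})}")
        elif types & SENSITIVE and "VM" in types: # VMs never ride the SC/vMotion/storage vSwitch
            findings.append(f"{vs}: VM Network shares a vSwitch with {sorted(types & SENSITIVE)}")
        for name, s in pgs.items():
            uplinks = s["active"] + s["standby"]
            if set(uplinks) - set(cfg["pnics"]):
                findings.append(f"{vs}/{name}: uplink not attached to this vSwitch")
            if s["promiscuous"]:
                findings.append(f"{vs}/{name}: promiscuous mode enabled")
            if len(uplinks) < 2:
                findings.append(f"{vs}/{name}: no failover uplink")
            for nic in s["active"]:              # active pNICs are never shared across types;
                owner = active_owner.setdefault(nic, (vs, name, s["type"]))   # standby sharing is OK
                if owner[2] != s["type"] and frozenset({owner[2], s["type"]}) not in ALLOWED_SHARE:
                    findings.append(f"{vs}/{name}: active pNIC {nic} also carries {owner[2]}")
    return findings

# Constructed samples: the two six-pNIC layouts recommended in the post.
NO_STORAGE = {
    "vSwitch0": {"pnics": ["vmnic0", "vmnic1"], "portgroups": {"Service Console": pg("SC", ["vmnic0", "vmnic1"])}},
    "vSwitch1": {"pnics": ["vmnic2", "vmnic3"], "portgroups": {"VMotion": pg("vMotion", ["vmnic2", "vmnic3"])}},
    "vSwitch2": {"pnics": ["vmnic4", "vmnic5"], "portgroups": {"VM Network": pg("VM", ["vmnic4", "vmnic5"])}},
}
WITH_ISCSI = {
    "vSwitch0": {"pnics": ["vmnic0", "vmnic1"], "portgroups": {
        "Service Console": pg("SC", ["vmnic0"], standby=["vmnic1"]),
        "VMotion": pg("vMotion", ["vmnic1"], standby=["vmnic0"])}},
    "vSwitch1": {"pnics": ["vmnic2", "vmnic3"], "portgroups": {"VM Network": pg("VM", ["vmnic2", "vmnic3"])}},
    "vSwitch2": {"pnics": ["vmnic4", "vmnic5"], "portgroups": {
        "iSCSI": pg("Storage", ["vmnic4", "vmnic5"]),
        "iSCSI SC port": pg("SC", ["vmnic4", "vmnic5"])}},
}
```

Both recommended layouts audit clean; a plan that puts the Service Console and the VM Network on one vSwitch with shared active uplinks produces one finding per shared pNIC plus the vSwitch-level one.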