coldaddy
Contributor

SC and VMK on Separate Networks...why?

The ESX Config Guide for VI3, pg. 77, 1st paragraph, 2nd sentence states, "VMWare best practices recommend that the service console and VMotion have their own networks for security purposes." What precisely are the security ramifications of having SC and vmotion traffic on the same network?

Thanks,

Streve


Accepted Solutions
Texiwill
Leadership

Hello,

I moved this to the security and compliance forum.

vMotion is a clear text protocol. So any network that can see the vMotion network can see all data as it is transferred from host to host. Since this is a memory image, it can contain system credentials, ID numbers, and perhaps credit card information. Therefore, this network should be as protected as possible. Some say VLANs are enough protection; I do not, unless they are running IPv6 with IPsec enabled. Otherwise IPv4 has inherent vulnerabilities. While vSwitches for VI3.5 have some protections for VLANs, you cannot assume it will ALWAYS have this protection, as VLAN jumping, manipulation and vulnerabilities are an ongoing research area for the black hat types.

In effect, if the SC is broken into, it would be possible to sniff the vMotion network, and that may let administrators have access to data covered by privacy policies, etc.

Granted this relies on your Security Policy, as well as levels of trust.

Remember the vmkernel ports are not just for vMotion but for iSCSI and NFS. These networks have separate security requirements from vMotion.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill

3 Replies
fejf
Expert

One reason I can think of: the SC network is your "management network", the one where the VI-Client PCs are. That means that everybody who has access to the ESX servers via the VI-Client is in the same network where the storage actions take place. That means that such a user can try to:

1. sniff the traffic and so read data (passwords, files on vmdks etc.) which isn't meant for him

2. perhaps access the storage directly while bypassing the restrictions on your ESX-Servers

Last but not least, not only for security reasons but also for availability and performance reasons, you should keep them separate.

-- There are 10 types of people. Those who understand binary and the rest. And those who understand gray-code.
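The accepted answer and the reply above both come down to one checkable property: the service console, vMotion and storage (iSCSI/NFS) vmkernel interfaces of a host should not share a VLAN or an IPv4 subnet. The audit below is an added example written for this thread; it is not code from any poster, from VMware, or from the ESX tooling. It works on a constructed inventory of a host's interfaces (the field names, interface names, VLAN IDs and addresses are all assumptions chosen to look like `esxcfg-vswif -l` / `esxcfg-vmknic -l` output) and flags every pair of interfaces with different roles that share a VLAN or overlapping subnet, ranking a management/vMotion overlap highest because a compromised SC could then sniff vMotion memory images.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample inventory of one ESX host's network interfaces
# (hypothetical names and addresses, not taken from any real host).
# "role" is the traffic class the interface carries.
SAMPLE_INTERFACES: List[Dict] = [
    {"name": "vswif0", "portgroup": "Service Console", "vlan": 10,
     "ip": "192.168.10.11", "netmask": "255.255.255.0", "role": "management"},
    {"name": "vmk0", "portgroup": "VMotion", "vlan": 10,
     "ip": "192.168.10.12", "netmask": "255.255.255.0", "role": "vmotion"},
    {"name": "vmk1", "portgroup": "iSCSI", "vlan": 30,
     "ip": "10.30.0.11", "netmask": "255.255.255.0", "role": "iscsi"},
    {"name": "vmk2", "portgroup": "NFS", "vlan": 30,
     "ip": "10.30.0.12", "netmask": "255.255.255.0", "role": "nfs"},
]

# The same host laid out the way the thread recommends: one VLAN and
# subnet per traffic class (again constructed values).
CLEAN_INTERFACES: List[Dict] = [
    {"name": "vswif0", "portgroup": "Service Console", "vlan": 10,
     "ip": "192.168.10.11", "netmask": "255.255.255.0", "role": "management"},
    {"name": "vmk0", "portgroup": "VMotion", "vlan": 20,
     "ip": "10.20.0.11", "netmask": "255.255.255.0", "role": "vmotion"},
    {"name": "vmk1", "portgroup": "iSCSI", "vlan": 30,
     "ip": "10.30.0.11", "netmask": "255.255.255.0", "role": "iscsi"},
]


def subnet_of(iface: Dict) -> ipaddress.IPv4Network:
    """Derive the IPv4 network an interface sits on from its address and mask."""
    return ipaddress.IPv4Network((iface["ip"], iface["netmask"]), strict=False)


def severity(roles: Tuple[str, str]) -> str:
    """Rank a shared network by what an attacker on it could reach.

    management + anything: a compromised SC can sniff the other traffic (high).
    vmotion + storage: memory images mixed with disk traffic (medium).
    storage + storage (iSCSI/NFS): still separate requirements, but lowest (low).
    """
    if "management" in roles:
        return "high"
    if "vmotion" in roles:
        return "medium"
    return "low"


def find_shared_networks(interfaces: List[Dict]) -> List[Dict]:
    """Return one finding per pair of different-role interfaces that share
    a VLAN ID or whose IPv4 subnets overlap."""
    findings = []
    for i, a in enumerate(interfaces):
        for b in interfaces[i + 1:]:
            if a["role"] == b["role"]:
                continue  # two NICs for the same class is fine (redundancy)
            reasons = []
            if a["vlan"] == b["vlan"]:
                reasons.append(f"same VLAN {a['vlan']}")
            net_a, net_b = subnet_of(a), subnet_of(b)
            if net_a.overlaps(net_b):
                reasons.append(f"overlapping subnet {net_a} / {net_b}")
            if reasons:
                roles = (a["role"], b["role"])
                findings.append({
                    "a": a["name"], "b": b["name"], "roles": roles,
                    "severity": severity(roles), "reasons": reasons,
                })
    return findings


def report(interfaces: List[Dict]) -> List[str]:
    """Human-readable lines, one per finding; empty list means isolated."""
    lines = []
    for f in find_shared_networks(interfaces):
        lines.append(f"[{f['severity'].upper()}] {f['a']} ({f['roles'][0]}) and "
                     f"{f['b']} ({f['roles'][1]}): {', '.join(f['reasons'])}")
    return lines


if __name__ == "__main__":
    for host, inv in (("sample host", SAMPLE_INTERFACES), ("clean host", CLEAN_INTERFACES)):
        print(f"== {host} ==")
        for line in report(inv) or ["no shared networks between traffic classes"]:
            print(line)
```

Feeding the real host's interfaces in is the only part left to the reader: the check itself does not care whether the rows came from `esxcfg-vmknic -l`, from a vCenter export, or from a hand-typed list. A VLAN match is reported separately from a subnet overlap because, as the accepted answer notes, a shared VLAN is a weaker boundary than a separate physical network even when the IP subnets differ.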
IB_IT
Expert

The SC IP address is reserved for the actual "ESX" server: when you ping an ESX server by name, you get an IP address back that is the SC address. The vmkernel MUST have its own IP address to perform functions like vmotion. It is preferred to be on an isolated subnet so no traffic other than vmotion traffic is passing back and forth between the hosts.
