Isolate the NAS devices on their own subnet or put the management and storage behind a virtual firewall.
just do a back to back between the host and the NAS device. like the above advise creating a new isolated management network purely for NAS would do.
I planned to do that, but my question was about how to present the storage to the VM. I could either:
1) Connect the NAS to the ESX hosts via ISCSI, build a VMFS datastore on the NAS and then create a virtual disk to present the storage to the VM.
2) inside the virtual machine itself, use a software iSCSI initiator to connect directly to the NAS.
Either way the VM will have it's system partition (2008 r2) on faster, more robust storage.
Now I think I understand. This isn't about network security it is about Windows file access security For the best performance I would test each method. Each storage device will have it's strengths. Presenting the storage directly to the OS via iSCSI will mean you do not have the benefits of VMware snapshots and anything that depends on them.