Applying vSphere network and vSwitch settings for a secure data center

Applying vSphere network and vSwitch settings for a secure data center

By Julia Anderson, assistant site editor

Someone, somewhere could be targeting your vSphere network as you read this guide. Have you taken the proper precautions to ensure your VMware infrastructure and VM data are safe from attack? Virtualizing servers, storage, applications and networks benefits your organization with increased flexibility and customization and decreased hardware costs, but the practice also opens up your environment and virtual machines (VMs) to a host of potential security threats. The vSphere network is especially vulnerable given the volume of data and flow of traffic it handles. Some of these virtual network security techniques can also protect a physical network, but adequate virtual network security requires virtualization-specific efforts.

VMware outfits vSphere and vCenter with a number of virtual network security features, such as Secure Socket Layer certificates and single sign-on, and offers other software and applications for even more protection. Following VMware's acquisition of Nicira, some industry experts have even said that the vendor is now a key Cisco competitor. VMware has also developed virtual switches (vSwitches) to regulate access to a VM's physical network cards, but it's your job to determine which type of vSwitch your network needs.

With each vSphere release, VMware updates network security features; keeping up with these changes is paramount to the health of your VMware environment. Learning the best practices for configuring vSwitches and vSphere network settings is the only way to tailor and customize your security approach and ward off an attack.

Table of contents:

VMware vSphere networking best practices

Proper network configuration in VMware vSphere begins with correctly installing ESXi hosts and choosing the right virtual network switches. Then, turn your attention to network interface cards, redundancy, storage and fault tolerance if you want continuous uptime. All the while you must be aware of your infrastructure's specific needs and limitations; errors could manifest themselves in the form of unauthorized access to VM data.

How to monitor network traffic in VMware environments

When you switch from physical to virtual networks, you lose the transparency of monitoring traffic on a given network interface. You can, however, monitor and analyze traffic from within a virtual machine, provided you configure the vSwitch and port group to enable promiscuous mode. This setting will allow traffic capture and can be easily activated from either vCenter Server or vSphere Client.

Virtual network switches in the VMware admin's world: Pros and cons

Though there are obvious similarities between vSwitches and physical switches, the two are significantly different. VSwitches interface VMs to VMware Workstation, ESXi and other virtualization hosts, but they don't provide the same features as many of their physical counterparts and lack some advanced management options. Understanding how the two compare will better enable you to administer an efficient network.

Using vSphere distributed switches for virtual networks

Choosing the right type of virtual switch is a critical first step to configuring your virtual network. With standard switches, it's not possible to share the switch with other hosts. VMware's vSphere distributed switch (vDS), on the other hand, is shared between hosts and is available as a virtual device between the machines involved. Creating a vDS is a two-step process, and a port group is required to connect anything to the switch, but once properly configured, you're left with a much more flexible vSwitch.

Configuring VMware vSwitch security settings: Don't trust defaults

Simply having virtual switches in your infrastructure is not enough to protect VMs from unwanted attacks. VMware vSwitches feature flexible security settings that allow you to customize protection. For the most secure network, you'll need to identify the biggest points of weakness and configure settings accordingly. Some default settings may actually pose threats.

What to expect in vSphere 5: Networking

Given the critical need to secure a virtual environment, it is essential that you keep up with changes to virtual networking and virtual network security. With each new vSphere release, VMware adapts and amends networking features to respond to new threats or user complaints. Be sure to brush up on vSwitches, private virtual local area networks, network monitoring techniques and other VMware networking updates.

Further reading on vSphere networks