VMware vSphere

 View Only
  • 1.  Security question: segments

    Posted Jun 26, 2022 01:36 AM

    Not sure this is the correct place to post these questions, so Mods feel free to move if necessary!

    I'm building out a new (7.0.U3) VCSA and vsan cluster on 6 hosts at one of our sites (yep, there are reasons), and it's been a few years since I built the vcsa and vsan clusters at our current sites, so I'm researching security best practices for today (as opposed to the 6.0 days!), and have a few questions.

    1. According to vmware, is 10.100.50.0/24 a different "segment" than 10.100.40.0/24?

    This isn't really mentioned in https://core.vmware.com/security-configuration-guide ; but when searching the web I keep reading that I should segment and (or?) air gap esxi management from regular vm traffic, for instance. So the quick question: in this context, is 10.100.50.0/24 a different "segment" than 10.100.40.0/24? Meaning, if the IPs of my hosts and vcsa are on the 10.100.50.0/24 network (vlan 50), and my vms are on the 10.100.60.0/24 (vlan 60) network, is that considered a good security measure? Or does "segmenting" and "air gapping" actually mean plugging the physical nics of the host (that are used for esxi management) into completely seperate physical switches than the physical nics that are used for vm traffic?

    2. Does data-at-rest and data-in-transit encryption on a vsan datastore protect from a ransomware attacks?

    Black basta is here, and it's destroying vsphere environments. For real. I get that the above encryption schemes are intended to protect assets in the event of exfiltration by bad actors; but I'm thinking that somebody who compromises the vsphere admin credentials can still encrypt the vmdk files with black basta, even though the above encryption is used, correct?

    I may have more questions later, but these seem like a good start.

    Looking forward to your answers; I really want to do security better with this new vsan cluster!



  • 2.  RE: Security question: segments

    Posted Jun 26, 2022 06:51 AM

    My opinion in first question will be if you are configuring the traffic in VLAN different than the management VLAN will be good but in case you can control the traffic between them, using ACL or Firewall.