From VMware ESXi Server 5.0 Security Technical Implementation Guide
Part of ESXI5-VMNET
Associated with: CCI-000366
The security issue with vMotion migrations is that information is transmitted in plain text, and anyone with access to the network over which this information flows can view it. Potential attackers can intercept vMotion traffic to obtain memory contents of a virtual machine. They might also potentially stage a MiTM attack in which the contents are modified during migration.
If vMotion is not used, this check is not applicable. The vMotion port group must be on a management-only vSwitch to avoid dependency on VLANs for isolation. Verify the vMotion port group vSwitch does not contain any non-management port groups. At least one physical network adaptor must be dedicated to management. To ensure a vMotion vSwitch is on a VMkernel management-only switch, from the vSphere Client/vCenter, select the ESXi host, and select the configuration tab. In the hardware panel, select Networking; locate the vSwitch containing the vMotion port group and visually verify that the vSwitch does not contain any VM Networking or VM references, i.e., the vSwitch must contain management-only, non-production network traffic/functions. If the vMotion port group is not on a management-only vSwitch, this is a finding.
To create a vMotion vSwitch from the vSphere Client/vCenter, select the ESXi host, and select the configuration tab. In the hardware panel, select Networking; click the Add Network link; choose VMKernel and click next; select the desired NIC(s). In the port groups dialog box type a name, (example: "vMotion"). Next, select the "use this port group for vMotion" and set the IP address and subnet mask and gateway where/as required.
Lavender hyperlinks in small type off to the right (of CSS
class id
, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle
or
Accept: application/rdf+xml
.
Powered by sagemincer