Whether you use a management client or the command line, all configuration tasks for ESX are performed through the service console, including configuring storage, controlling aspects of virtual machine behavior, and setting up virtual switches or virtual networks. Because the service console is the point of control for ESX, safeguarding it from misuse is crucial.

VMware ESX management clients use authentication and encryption to prevent unauthorized access to the service console. Other services might not offer the same protection. If attackers gain access to the service console, they are free to reconfigure many attributes of the ESX host. For example, they can change the entire virtual switch configuration or change authorization methods.

Network connectivity for the service console is established through virtual switches. To provide better protection for this critical ESX component, isolate the service console by using one of the following methods:

- Create a separate VLAN for management tool communication with the service console.
- Configure network access for management tool connections with the service console through a single virtual switch and one or more uplink ports.

Both methods prevent anyone without access to the service console VLAN or virtual switch from seeing traffic to and from the service console. They also prevent attackers from sending any packets to the service console. Alternatively, you can configure the service console on a separate physical network segment. Physical segmentation provides a degree of additional security because it is less prone to later misconfiguration.
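As an added audit for the two isolation methods above (example code, not from the VMware documentation), the following Python parses text laid out like `esxcfg-vswitch -l` output from the service console and reports any port group that could still see service console traffic. The sample output is constructed for the example, and the port group name "Service Console" is assumed to be the default.

```python
# Added example (not VMware code): check `esxcfg-vswitch -l` style output for service console isolation.
import re
# Constructed sample in the layout of `esxcfg-vswitch -l`; the console shares vSwitch0 and VLAN 0.
SAMPLE = """\
Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch0       64          4           64                1500    vmnic0

  PortGroup Name      VLAN ID  Used Ports  Uplinks
  Service Console     0        1           vmnic0
  VM Network          0        2           vmnic0

Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch1       64          2           64                1500    vmnic1

  PortGroup Name      VLAN ID  Used Ports  Uplinks
  VMotion             200      1           vmnic1
"""
# Port group rows are indented and names may contain spaces, so anchor on the numeric columns.
PG_ROW = re.compile(r"^\s+(.+?)\s+(\d+)\s+(\d+)(?:\s+(\S+))?\s*$")

def parse_vswitches(text):
    """Return {switch: {port_group: vlan_id}} from esxcfg-vswitch -l style text."""
    switches, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("Switch Name", "PortGroup Name")):
            continue  # blank lines and column headers
        if not line.startswith(" "):  # switch rows start at column 0
            current = line.split()[0]
            switches[current] = {}
        elif current and (m := PG_ROW.match(line)):
            switches[current][m.group(1)] = int(m.group(2))
    return switches

def service_console_findings(switches, console_pg="Service Console"):
    """List reasons the console port group is not isolated; an empty list means it is."""
    findings = []
    for sw, pgs in switches.items():
        if console_pg not in pgs or len(pgs) == 1:
            continue  # not on this switch, or a dedicated virtual switch (method 2): isolated
        vlan = pgs[console_pg]
        # Shared switch, so the VLAN must isolate (method 1): no other port group on the host may
        # use the console VLAN, and none on this switch may use 4095, which receives every VLAN.
        others = [(s, n, v) for s, g in switches.items() for n, v in g.items()
                  if (s, n) != (sw, console_pg)]
        for s, name, v in others:
            if v == vlan:
                findings.append(f"{sw}/{console_pg}: VLAN {vlan} is also used by {s}/{name}")
            elif s == sw and v == 4095:
                findings.append(f"{sw}/{console_pg}: {name} on this switch receives all VLANs (4095)")
    return findings
```

Run against the constructed sample it reports the shared vSwitch0/VLAN 0 layout; after moving the console to its own VLAN or virtual switch the list comes back empty.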

Set up a separate VLAN or virtual switch for vMotion and network attached storage.