Welcome to another blog post in our cyber security best practices series.
This blog post lists the virtual storage management best practices that we use in our deployments; hopefully it will serve as a guide for your own deployment:
- When booting from SAN, mask each bootable LUN to be seen only by the ESX host booting from that LUN.
- Build a dedicated and isolated storage network for iSCSI SAN storage to isolate and secure iSCSI storage-related traffic.
- Build a dedicated and isolated storage network for NAS/NFS storage to isolate and secure NAS/NFS storage-related traffic.
- Perform all masking at the storage device, not at the ESX/ESXi host.
- Separate disk-intensive virtual machines on different LUNs carved from separate physical disks.
- Provide individual zoning configurations for each ESX/ESXi host.
- Allow the SAN administrators to manage LUN sizes. VMFS extents might help immediate needs but might lead to loss of data in the event that an extent becomes corrupted or damaged.
- Spread the storage communication workload across the available hardware devices. For example, if the ESX/ESXi host has two Fibre Channel adapters, ensure that the VMkernel is not sending all traffic through one adapter while the other remains dormant.
- Use separate storage locations for test virtual machines and production virtual machines.
- Build LUNs in sizes that are easy to manage yet can host multiple virtual machines. For example, create 300GB or 400GB LUNs to host five or six virtual machines. Be prepared to use Storage VMotion to move disk-intensive virtual machines.
- Use Storage VMotion to eliminate downtime when needing to migrate a virtual machine between datastores.
- Use Raw Device Mappings (RDMs) for Microsoft Clustering scenarios or to provide virtual machines with access to existing LUNs that contain data on NTFS-formatted storage.
- Implement a solid change management practice for the deployment of new LUNs. Identify a standard-sized LUN, and stray from the standard only when the situation calls for it.
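As an added example (not part of the original post or of any VMware material), the PowerCLI audit below checks three of the items above against every connected host: VMFS datastores built from more than one extent, SAN LUNs that are not load-balanced across their paths, and LUNs that stray from the standard size. It assumes PowerCLI is installed, a session is already open with Connect-VIServer, and that 400 GB is your agreed standard LUN size (a constructed value; adjust it to your own standard).

```powershell
# Added audit script; assumes an existing Connect-VIServer session.
param(
    [int]$StandardLunGB = 400,   # assumed standard LUN size from change management
    [int]$ToleranceGB   = 50     # how far a LUN may deviate before it is reported
)

$findings = @()

# Check 1: VMFS datastores spanning several extents (one damaged extent can take
# the whole datastore with it, as the list above warns).
foreach ($ds in Get-Datastore | Where-Object { $_.Type -eq 'VMFS' }) {
    $extents = @($ds.ExtensionData.Info.Vmfs.Extent)
    if ($extents.Count -gt 1) {
        $findings += [pscustomobject]@{
            Check  = 'MultiExtentDatastore'
            Object = $ds.Name
            Detail = "spans $($extents.Count) extents: " + (($extents | ForEach-Object { $_.DiskName }) -join ', ')
        }
    }
}

foreach ($vmhost in Get-VMHost) {
    # Only shared (non-local) disk LUNs are relevant to SAN path and size checks.
    foreach ($lun in Get-ScsiLun -VmHost $vmhost -LunType disk | Where-Object { -not $_.IsLocal }) {
        $paths = @(Get-ScsiLunPath -ScsiLun $lun)
        # Path names look like vmhba2:C0:T1:L5; the part before the first ':' is the adapter.
        $adapters = @($paths | ForEach-Object { ($_.Name -split ':')[0] } | Sort-Object -Unique)

        # Check 2: several adapters reach the LUN, but Fixed/MRU policy drives all I/O
        # through a single path, leaving the other adapter dormant.
        if ($adapters.Count -gt 1 -and $lun.MultipathPolicy -ne 'RoundRobin') {
            $findings += [pscustomobject]@{
                Check  = 'TrafficOnSingleAdapter'
                Object = "$($vmhost.Name) $($lun.CanonicalName)"
                Detail = "$($paths.Count) paths over $($adapters.Count) adapters, policy $($lun.MultipathPolicy)"
            }
        }

        # Check 3: LUN size deviates from the standard agreed in change management.
        if ([math]::Abs($lun.CapacityGB - $StandardLunGB) -gt $ToleranceGB) {
            $findings += [pscustomobject]@{
                Check  = 'NonStandardLunSize'
                Object = "$($vmhost.Name) $($lun.CanonicalName)"
                Detail = ('{0:N0} GB vs standard {1} GB' -f $lun.CapacityGB, $StandardLunGB)
            }
        }
    }
}

$findings | Sort-Object Check, Object | Format-Table -AutoSize
```

An empty table means none of the three checks fired; each finding names the host and canonical LUN name (or datastore) so it can be handed straight to the SAN administrators.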
A good reference on this topic is VMware's paper “VMware vStorage Virtual Machine File System – Technical Overview and Best Practices”.
Watch out for the next topic in our series as we list other VMware best practices.
Oscar Bravo Jr.
CISSP, CISA, CCDP, CCNP, CCEE, CCSE, MCSE, MCITP, RSASE
Senior Consultant, Security Solutions Services