Inherent Security Features of ESX/ESXi

On my flight home from Boston, I started reading some of my VCAP Landing Page materials and found some cool things I never knew existed. Everything listed can be found in the ESX Configuration Guide and ESXi Configuration Guide for vSphere 4.1. These are all features that revolve around the security of vSphere hosts. The features don't have to be enabled, but they are all inherent to the operating system, giving vSphere an enhanced security profile.

 

Memory Hardening - The ESX/ESXi kernel, user-mode applications, and executable components such as drivers and libraries are located at random, non-predictable memory addresses. Combined with the non-executable memory protections made available by microprocessors, this provides protection that makes it difficult for malicious code to use memory exploits to take advantage of vulnerabilities.

 

Kernel Module Integrity - Digital signing ensures the integrity and authenticity of modules, drivers and applications as they are loaded by the VMkernel. Module signing allows ESXi to identify the providers of modules, drivers, or applications and whether they are VMware-certified.

 

 

Trusted Platform Module (ESXi ONLY and BIOS enabled) - This module is a hardware element that represents the core of trust for a hardware platform and enables attestation of the boot process, as well as cryptographic key storage and protection. Each time ESXi boots, TPM measures the VMkernel with which ESXi booted in one of its Platform Configuration Registers (PCRs). TPM measurements are propagated to vCenter Server when the host is added to the vCenter Server system.
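To make the measurement step concrete, here is an added example (not from the configuration guides or from VMware) of how a verifier can replay a boot log and compare it with a reported PCR value. It assumes a TPM 1.2 style SHA-1 extend; the component byte strings and function names are constructed for illustration.

```python
import hashlib
import hmac

PCR_SIZE = 20  # assumption: TPM 1.2, where a PCR holds one SHA-1 digest


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA1(PCR_old || SHA1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def replay(components) -> bytes:
    """Recompute the PCR a platform ends up with after measuring each component in order."""
    pcr = bytes(PCR_SIZE)  # PCRs start at all zeroes on reset
    for component in components:
        pcr = extend(pcr, component)
    return pcr


def attest(reported_pcr: bytes, known_good_components) -> bool:
    """True only if the reported PCR matches the replay of the known-good boot chain."""
    return hmac.compare_digest(reported_pcr, replay(known_good_components))


# Constructed stand-ins for the measured boot components (not real ESXi images).
KNOWN_GOOD = [b"constructed-boot-loader", b"constructed-vmkernel-build-A"]
MODIFIED = [b"constructed-boot-loader", b"constructed-vmkernel-build-B"]

if __name__ == "__main__":
    print("good boot    :", attest(replay(KNOWN_GOOD), KNOWN_GOOD))
    print("modified boot:", attest(replay(MODIFIED), KNOWN_GOOD))
```

Because a PCR can only be extended, never written directly, a changed or reordered component produces a value the verifier cannot reconcile with the known-good chain.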

 

Luckily, the standard vSwitch is pretty dumb. It doesn't have a ton of features that present a lot of surface area to attack. That being said, it is able to prevent these types of attacks.

 

MAC flooding - Floods a switch with packets that contain MAC addresses tagged as having come from different sources. Many switches use a content-addressable memory (CAM) table to learn and store the source address for each packet. When the table is full, the switch can enter a fully open state in which every incoming packet is broadcast on all ports, letting the attacker see all of the switch’s traffic. This state might result in packet leakage across VLANs. Although VMware virtual switches store a MAC address table, they do not get the MAC addresses from observable traffic and are not vulnerable to this type of attack.
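The difference described above can be seen in a small model. This is an added example, not VMware code: `LearningSwitch` and `RegisteredSwitch` are simplified, hypothetical models, and all MAC addresses are constructed.

```python
class LearningSwitch:
    """Physical-switch model: learns source MACs from traffic into a bounded CAM table."""

    def __init__(self, ports, cam_size):
        self.ports = set(ports)
        self.cam_size = cam_size
        self.cam = {}                      # MAC -> port, learned from observed frames

    def forward(self, in_port, src, dst):
        if src in self.cam or len(self.cam) < self.cam_size:
            self.cam[src] = in_port        # a full table cannot learn new sources
        if dst in self.cam:
            return {self.cam[dst]}
        return self.ports - {in_port}      # unknown destination: flood all other ports


class RegisteredSwitch:
    """vSwitch-style model: the table is filled when a vNIC is attached, never from frames."""

    def __init__(self, uplink):
        self.uplink = uplink
        self.table = {}                    # MAC -> port, set from configuration

    def attach_vnic(self, port, mac):
        self.table[mac] = port

    def forward(self, in_port, src, dst):
        # src is ignored for table purposes, so traffic cannot add or evict entries
        if dst in self.table:
            return {self.table[dst]}
        return {self.uplink} - {in_port}   # not a local vNIC: uplink only


A, B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"        # constructed host MACs
ELSEWHERE = "02:00:00:00:02:00"                        # constructed unknown destination
BURST = [f"02:00:00:00:01:{i:02x}" for i in range(4)]  # constructed many-source burst


def compare():
    """Feed the same burst to both models, then send one frame from A to B."""
    phys = LearningSwitch(ports=[1, 2, 3], cam_size=4)
    virt = RegisteredSwitch(uplink=0)
    virt.attach_vnic(1, A)
    virt.attach_vnic(2, B)
    for mac in BURST:
        phys.forward(3, mac, ELSEWHERE)
        virt.forward(3, mac, ELSEWHERE)
    return phys.forward(1, A, B), virt.forward(1, A, B), len(virt.table)
```

In the learning model the A-to-B frame is flooded to ports 2 and 3 once the table is full; in the registered model it reaches port 2 only and the table still holds just the two attached vNICs.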

 

802.1q and ISL tagging attacks - Force a switch to redirect frames from one VLAN to another by tricking the switch into acting as a trunk and broadcasting the traffic to other VLANs. VMware virtual switches do not perform the dynamic trunking required for this type of attack and, therefore, are not vulnerable.

 

Double-encapsulation attacks - Occur when an attacker creates a double-encapsulated packet in which the VLAN identifier in the inner tag is different from the VLAN identifier in the outer tag. For backward compatibility, native VLANs strip the outer tag from transmitted packets unless configured to do otherwise. When a native VLAN switch strips the outer tag, only the inner tag is left, and that inner tag routes the packet to a different VLAN than the one identified in the now-missing outer tag. VMware virtual switches drop any double-encapsulated frames that a virtual machine attempts to send on a port configured for a specific VLAN. Therefore, they are not vulnerable to this type of attack. Thanks Eric
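The drop rule described above amounts to counting stacked VLAN tags in the Ethernet header. The following is an added example, not VMware's implementation: the function names are hypothetical and the frames are constructed. The same check is useful when inspecting a packet capture for double-tagged frames.

```python
import struct

# EtherTypes that introduce a VLAN tag: 802.1Q, 802.1ad (QinQ), and legacy QinQ.
VLAN_TPIDS = {0x8100, 0x88A8, 0x9100}


def vlan_tags(frame: bytes) -> list:
    """Return the VLAN IDs of the stacked tags in an Ethernet frame, outermost first."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    tags = []
    offset = 12                                   # skip destination and source MAC
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in VLAN_TPIDS:
            return tags                           # reached the real payload EtherType
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append(tci & 0x0FFF)                 # low 12 bits of the TCI are the VLAN ID
        offset += 4


def vm_port_verdict(frame: bytes) -> str:
    """Model of a port configured for a specific VLAN: drop double-encapsulated frames."""
    try:
        tags = vlan_tags(frame)
    except ValueError:
        return "drop"                             # malformed frames are not forwarded
    return "drop" if len(tags) >= 2 else "forward"


def make_frame(vids, payload=b"constructed payload"):
    """Build a constructed test frame carrying one 802.1Q tag per VLAN ID in vids."""
    header = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    for vid in vids:
        header += struct.pack("!HH", 0x8100, vid)
    return header + struct.pack("!H", 0x0800) + payload


if __name__ == "__main__":
    for vids in ([], [10], [1, 20]):
        frame = make_frame(vids)
        print(vids, vlan_tags(frame), vm_port_verdict(frame))
```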

 

Multicast brute-force attacks - Involve sending large numbers of multicast frames to a known VLAN almost simultaneously to overload the switch so that it mistakenly allows some of the frames to broadcast to other VLANs. VMware virtual switches do not allow frames to leave their correct broadcast domain (VLAN) and are not vulnerable to this type of attack.

 

Spanning-tree attacks - Target Spanning-Tree Protocol (STP), which is used to control bridging between parts of the LAN. The attacker sends Bridge Protocol Data Unit (BPDU) packets that attempt to change the network topology, establishing themselves as the root bridge. As the root bridge, the attacker can sniff the contents of transmitted frames. VMware virtual switches do not support STP and are not vulnerable to this type of attack.


Random frame attacks - Involve sending large numbers of packets in which the source and destination addresses stay the same, but in which fields are randomly changed in length, type, or content. The goal of this attack is to force packets to be mistakenly rerouted to a different VLAN. VMware virtual switches are not vulnerable to this type of attack.
