1. Network Security Standards

• Only required external ports may be forwarded.
• UPnP must be disabled on all infrastructure devices.
• ICMP echo responses must be disabled on external interfaces.
• Network segmentation must isolate workloads (web, application, database, management), with documented exceptions.
• East-West traffic must be restricted using firewall rules or ACLs.
• DNS zone transfers must be secured and restricted.

2. Hypervisor & Virtualization Security

• Hypervisors and management tools must be fully patched.
• BIOS, RAID controllers, and remote management firmware must be kept current.
• Management traffic must use a dedicated network.
• MFA must be enforced for hypervisor consoles.
• Unused virtual hardware and interfaces must be disabled.
• Storage networks must be isolated.
• Host firewalls must restrict SSH and console access.
• Snapshots must be short-lived.
• Resource overcommitment must be justified.
• Redundant storage must be used.
• Both host-level and VM-level backups must be implemented.
• Host and VM health metrics must be monitored.
• Guest tools must remain updated.
• Anti-affinity rules and HA features must be used where applicable.
• Infrastructure documentation must be maintained for disaster recovery.