Networking

If you are using distributed virtual switches, some network security configurations can be managed only from the host advanced settings. For example, to enable the Bridge Protocol Data Unit (BPDU) filter, you must use the host advanced setting Net.BlockGuestBPDU, as described in KB 2047822, Understanding the BPDU Filter feature in vSphere, at https://kb.vmware.com/kb/2047822.

Of course, the security policies (promiscuous mode, MAC address change, and forge packets) for the virtual switches are still important, but for distributed virtual switches, all three are set to Reject by default (starting with vSphere 5.1).
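The following read-only PowerCLI audit is an added example, not taken from the book or from VMware's documentation. It checks the two points above: that Net.BlockGuestBPDU is enabled on every host and that no distributed port group has relaxed one of the three security policies. It assumes VMware PowerCLI is installed and that a session to vCenter is already open with Connect-VIServer; the `$findings` variable and the report column names are illustrative.

```powershell
# Added example: read-only audit, changes nothing on hosts or switches.
# Assumes an existing vCenter session (Connect-VIServer already run).
$findings = @()

# 1. BPDU filter: Net.BlockGuestBPDU is a per-host advanced setting.
#    A value of 1 enables the filter (see KB 2047822).
foreach ($esx in Get-VMHost) {
    $setting = Get-AdvancedSetting -Entity $esx -Name 'Net.BlockGuestBPDU'
    if ($setting.Value -ne 1) {
        $findings += [pscustomobject]@{
            Object = $esx.Name
            Check  = 'Net.BlockGuestBPDU'
            Value  = $setting.Value
        }
    }
}

# 2. Security policies on distributed port groups (uplink port groups skipped).
#    Each of the three policies should be rejected, so a value of $true
#    means the policy has been relaxed on that port group.
foreach ($pg in Get-VDPortgroup | Where-Object { -not $_.IsUplink }) {
    $policy = Get-VDSecurityPolicy -VDPortgroup $pg
    $checks = [ordered]@{
        AllowPromiscuous = $policy.AllowPromiscuous
        MacChanges       = $policy.MacChanges
        ForgedTransmits  = $policy.ForgedTransmits
    }
    foreach ($name in $checks.Keys) {
        if ($checks[$name]) {
            $findings += [pscustomobject]@{
                Object = $pg.Name
                Check  = $name
                Value  = 'Accept'
            }
        }
    }
}

# Report: an empty result means every host and port group passed both checks.
if ($findings.Count -eq 0) {
    Write-Output 'No deviations found.'
} else {
    $findings | Sort-Object Check, Object | Format-Table -AutoSize
}
```

A port group that legitimately needs a relaxed policy will appear in the report, so review each finding against the workload before changing it.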

Virtual switches do not provide firewall functions (the ESXi personal firewall works only on VMkernel ports); to implement micro-segmentation, you need solutions such as NSX.
