Prevent VMs from sending unauthorised traffic and spoofing
This is probably overkill, but we should configure libvirt on the hypervisor to blacklist outgoing connections by default. This would prevent someone setting up malicious services (like rogue SMTP servers) on our IP address space.
Libvirt provides network filters, which are basically fancy iptables rules. If we do it at the hypervisor level, it will be much harder to bypass if the machine is compromised.
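
One way to express this as a libvirt network filter, given as an added example and not configuration taken from this project. The filter name `vm-egress-allowlist` and the choice of permitted ports are assumptions; `clean-traffic` is the filter libvirt ships for blocking MAC, IP and ARP spoofing.

```xml
<!-- Added example. Filter name and allowed ports are assumptions. -->
<filter name='vm-egress-allowlist' chain='root'>
  <!-- Built-in libvirt filter: stops the guest from spoofing MAC, IP
       or ARP. With no IP parameter given, libvirt detects the address
       the guest is using. -->
  <filterref filter='clean-traffic'/>

  <!-- direction is from the guest's point of view:
       'out' = sent by the VM, 'in' = received by the VM. -->

  <!-- Outbound DNS lookups -->
  <rule action='accept' direction='out'>
    <udp dstportstart='53'/>
  </rule>
  <rule action='accept' direction='out'>
    <tcp dstportstart='53'/>
  </rule>

  <!-- Outbound HTTP/HTTPS, e.g. for package updates -->
  <rule action='accept' direction='out'>
    <tcp dstportstart='80'/>
  </rule>
  <rule action='accept' direction='out'>
    <tcp dstportstart='443'/>
  </rule>

  <!-- Inbound SSH for administration. Rules are stateful by default
       (statematch), so replies to an accepted inbound connection are
       allowed back out without a separate 'out' rule. -->
  <rule action='accept' direction='in'>
    <tcp dstportstart='22'/>
  </rule>

  <!-- Everything else the guest tries to send is dropped. Outbound
       SMTP (tcp/25) is not on the allow list above, so a rogue mail
       server inside the VM cannot deliver mail from our address space. -->
  <rule action='drop' direction='out'>
    <all/>
  </rule>
</filter>
```

The filter is loaded on the hypervisor with `virsh nwfilter-define` and attached by placing `<filterref filter='vm-egress-allowlist'/>` inside the `<interface>` element of the domain XML, so the guest has no way to change it.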