Configure network security policies

1.4f

The three elements of the Security policy are promiscuous mode, MAC address changes, and forged transmits.
In non-promiscuous mode, a guest adapter listens to traffic only on its own MAC address. In promiscuous mode, it can listen to all the packets. By default, guest adapters are set to non-promiscuous mode.


Promiscuous mode eliminates any reception filtering that the virtual network adapter would perform so that the guest operating system receives all traffic observed on the wire. By default, the virtual network adapter cannot operate in promiscuous mode.

Although promiscuous mode can be useful for tracking network activity, it is an insecure mode of operation: an adapter in promiscuous mode receives every frame on the switch, including frames addressed to other adapters. This means that an administrator or root user within a virtual machine can potentially view traffic destined for other guest or host operating systems.

The setting for the MAC Address Changes option affects traffic that a virtual machine receives.
When the option is set to Accept, ESXi accepts requests to change the effective MAC address to other than the initial MAC address.
When the option is set to Reject, ESXi does not honor requests to change the effective MAC address to anything other than the initial MAC address, which protects the host against MAC impersonation.

The setting for the Forged Transmits option affects traffic that is transmitted from a virtual machine.
When the option is set to Accept, ESXi does not compare source and effective MAC addresses.
To protect against MAC impersonation, you can set this option to Reject. If you do, the host compares the source MAC address being transmitted by the operating system with the effective MAC address for its adapter to see if they match. If the addresses do not match, ESXi drops the packet.

The options and their effect:

Promiscuous Mode
  Reject — Placing a guest adapter in promiscuous mode has no effect on which frames are received by the adapter.
  Accept — Placing a guest adapter in promiscuous mode causes it to detect all frames passed on the vSphere standard switch that are allowed under the VLAN policy for the port group that the adapter is connected to.

MAC Address Changes
  Reject — If the guest operating system changes the MAC address of the adapter to anything other than what is in the .vmx configuration file, all inbound frames are dropped. If the guest OS changes the MAC address back to match the MAC address in the .vmx configuration file, inbound frames are passed again.
  Accept — Changing the MAC address from the guest OS has the intended effect: frames to the new MAC address are received.

Forged Transmits
  Reject — Any outbound frame with a source MAC address that is different from the one currently set on the adapter is dropped.
  Accept — No filtering is performed and all outbound frames are passed.
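The following PowerShell model, added here and not part of the original page or of VMware's code, walks through how the three settings interact on a single virtual NIC: a guest MAC change under Reject blocks all inbound frames until the guest reverts, Forged Transmits compares against the effective MAC (which under MAC Address Changes = Reject stays the initial one), and Promiscuous Mode = Accept only widens reception within the port group's VLAN. The MAC addresses and policies are constructed sample values.

```powershell
# Added model of the three Layer 2 security checks, written for this page to
# show how they interact; it is not VMware code and does not talk to ESXi.
# A policy is a hashtable whose values are 'Accept' or 'Reject', as in the table.

function New-VnicState {
    param([string]$InitialMac, [int]$VlanId)
    # InitialMac is the address in the .vmx; GuestMac is what the guest OS has
    # asked the adapter to use (the two differ only after a guest-side change).
    [pscustomobject]@{
        InitialMac  = $InitialMac.ToLower()
        GuestMac    = $InitialMac.ToLower()
        VlanId      = $VlanId
        Promiscuous = $false      # guest has enabled promiscuous mode on the adapter
    }
}

# The effective MAC is the one ESXi honours: the guest's choice only when
# MAC Address Changes is Accept, otherwise the initial MAC.
function Get-EffectiveMac {
    param($Vnic, $Policy)
    if ($Policy.MacChanges -eq 'Accept') { return $Vnic.GuestMac }
    return $Vnic.InitialMac
}

function Test-InboundFrame {
    param($Vnic, $Policy, [string]$DstMac, [int]$VlanId)
    # MAC Address Changes = Reject: a guest running on a non-initial MAC
    # receives nothing at all until it reverts.
    if ($Policy.MacChanges -eq 'Reject' -and $Vnic.GuestMac -ne $Vnic.InitialMac) { return $false }
    # The port group's VLAN policy bounds everything, promiscuous mode included.
    if ($VlanId -ne $Vnic.VlanId) { return $false }
    $dst = $DstMac.ToLower()
    if ($dst -eq 'ff:ff:ff:ff:ff:ff' -or $dst -eq (Get-EffectiveMac $Vnic $Policy)) { return $true }
    # Promiscuous mode only widens reception when the policy is Accept.
    return [bool]($Vnic.Promiscuous -and $Policy.Promiscuous -eq 'Accept')
}

function Test-OutboundFrame {
    param($Vnic, $Policy, [string]$SrcMac)
    if ($Policy.ForgedTransmits -eq 'Accept') { return $true }   # no comparison is made
    return ($SrcMac.ToLower() -eq (Get-EffectiveMac $Vnic $Policy))
}

$report = @()
function Note([string]$Label, [bool]$Pass) {
    $script:report += '{0,-58} {1}' -f $Label, $(if ($Pass) { 'passes' } else { 'dropped' })
}

$hardened = @{ Promiscuous = 'Reject'; MacChanges = 'Reject'; ForgedTransmits = 'Reject' }
$default  = @{ Promiscuous = 'Reject'; MacChanges = 'Accept'; ForgedTransmits = 'Accept' }
$sniffer  = @{ Promiscuous = 'Accept'; MacChanges = 'Reject'; ForgedTransmits = 'Reject' }

$vm    = New-VnicState -InitialMac '00:50:56:aa:bb:cc' -VlanId 10   # constructed sample MAC
$other = '00:50:56:11:22:33'                                        # another VM on the same port group

Note 'inbound to own MAC, hardened'                       (Test-InboundFrame  $vm $hardened $vm.InitialMac 10)
Note 'inbound to another VM, hardened'                    (Test-InboundFrame  $vm $hardened $other 10)
$vm.Promiscuous = $true
Note 'inbound to another VM, promisc on, hardened'        (Test-InboundFrame  $vm $hardened $other 10)
Note 'inbound to another VM, promisc on, Accept'          (Test-InboundFrame  $vm $sniffer  $other 10)
Note 'inbound to another VM, promisc on, other VLAN'      (Test-InboundFrame  $vm $sniffer  $other 20)
$vm.Promiscuous = $false

# Guest changes its MAC to impersonate the other VM.
$vm.GuestMac = $other
Note 'after MAC change: inbound to new MAC, default'      (Test-InboundFrame  $vm $default  $other 10)
Note 'after MAC change: outbound from new MAC, default'   (Test-OutboundFrame $vm $default  $other)
Note 'after MAC change: inbound to own MAC, hardened'     (Test-InboundFrame  $vm $hardened $vm.InitialMac 10)
Note 'after MAC change: outbound from new MAC, hardened'  (Test-OutboundFrame $vm $hardened $other)
$vm.GuestMac = $vm.InitialMac
Note 'after revert: inbound to own MAC, hardened'         (Test-InboundFrame  $vm $hardened $vm.InitialMac 10)

$report
```

The point the walk-through makes is that the vSphere 5 defaults (MAC Address Changes and Forged Transmits both Accept) let a guest take over another VM's MAC in both directions, while Reject on both leaves such a guest unable to receive anything and unable to send with the spoofed address.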


Edit Security Policy for a vSphere Standard Switch

You can override the switch-level settings for individual standard port groups by editing the settings for the port group.

Procedure

1. Log in to the vSphere Client and select the server from the inventory panel.
2. Click the Configuration tab and click Networking.
3. Click Properties for the standard switch whose Layer 2 Security policy you want to edit.
4. In the Properties dialog box for the standard switch, click the Ports tab.
5. Select the standard switch item (or the port group whose policy you want to override) and click Edit.
6. Click the Security tab.
7. In the Policy Exceptions pane, select whether to reject or accept the Layer 2 Security policy exceptions.
8. Click OK.

Edit the Security Policy for a Distributed Port Group

Procedure

1. Log in to the vSphere Client and select the Networking inventory view.
2. Right-click the distributed port group in the inventory pane, and select Edit Settings.
3. Select Policies. By default, Promiscuous Mode is set to Reject; MAC Address Changes and Forged Transmits are set to Accept.
4. In the Security group, select whether to reject or accept the Security policy exceptions.
5. Click OK.
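Clicking through both procedures host by host does not scale, and it does not tell you where a port group has quietly overridden the switch policy. The PowerCLI script below is an added example for this page, not VMware's code and not part of the original documentation; it audits standard switches, standard port groups and distributed port groups for any of the three settings left on Accept and, with -Remediate, sets them to Reject (or back to inherited at the port group level). It assumes the VMware.PowerCLI module is loaded and that Connect-VIServer has already been run; every switch and port group name comes from that inventory.

```powershell
<#
Added example, not part of the original page or of VMware's documentation: an
audit of the three Layer 2 security settings across standard switches, standard
port groups and distributed port groups with PowerCLI, with optional remediation
to Reject. Assumes the VMware.PowerCLI module is loaded and Connect-VIServer has
already been run against the vCenter Server. Run it without -Remediate first and
read the findings before changing anything.
#>
param([switch]$Remediate)

$findings = @()

# Standard switches: the switch-level policy is what every port group inherits.
foreach ($vsw in Get-VMHost | Get-VirtualSwitch -Standard) {
    $p = $vsw | Get-SecurityPolicy
    if ($p.AllowPromiscuous -or $p.MacChanges -or $p.ForgedTransmits) {
        $findings += ('{0} vSwitch {1}: promiscuous={2} macChanges={3} forgedTransmits={4}' -f
            $vsw.VMHost.Name, $vsw.Name, $p.AllowPromiscuous, $p.MacChanges, $p.ForgedTransmits)
        if ($Remediate) {
            $p | Set-SecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false | Out-Null
        }
    }
}

# Standard port groups: a port group can override the switch policy, so flag
# overrides that Accept what the switch would reject. Setting the *Inherited
# flags back to $true makes the port group follow the switch again.
foreach ($h in Get-VMHost) {
    foreach ($pg in Get-VirtualPortGroup -VMHost $h -Standard) {
        $p = $pg | Get-SecurityPolicy
        $loose = @()
        if (-not $p.AllowPromiscuousInherited -and $p.AllowPromiscuous) { $loose += 'promiscuous' }
        if (-not $p.MacChangesInherited      -and $p.MacChanges)      { $loose += 'macChanges' }
        if (-not $p.ForgedTransmitsInherited -and $p.ForgedTransmits) { $loose += 'forgedTransmits' }
        if ($loose.Count -gt 0) {
            $findings += ('{0} port group {1} on {2}: override accepts {3}' -f
                $h.Name, $pg.Name, $pg.VirtualSwitchName, ($loose -join ', '))
            if ($Remediate) {
                $p | Set-SecurityPolicy -AllowPromiscuousInherited $true -MacChangesInherited $true -ForgedTransmitsInherited $true | Out-Null
            }
        }
    }
}

# Distributed port groups carry their own policy; uplink port groups are skipped.
foreach ($dpg in Get-VDSwitch | Get-VDPortgroup | Where-Object { -not $_.IsUplink }) {
    $p = $dpg | Get-VDSecurityPolicy
    if ($p.AllowPromiscuous -or $p.MacChanges -or $p.ForgedTransmits) {
        $findings += ('{0} dvPortgroup {1}: promiscuous={2} macChanges={3} forgedTransmits={4}' -f
            $dpg.VDSwitch.Name, $dpg.Name, $p.AllowPromiscuous, $p.MacChanges, $p.ForgedTransmits)
        if ($Remediate) {
            $p | Set-VDSecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false | Out-Null
        }
    }
}

if ($findings.Count -eq 0) { 'All security policies are set to Reject.' } else { $findings }
```

Promiscuous Mode = Accept is sometimes legitimately required, for example for a VM that monitors traffic; keep such an exception on a dedicated port group rather than at the switch level, and exclude that port group by hand before running with -Remediate, since the port group loop above resets every override to inherited.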


References:

  • http://pubs.vmware.com/vsphere-50/index.jsp?topic=%2Fcom.vmware.vsphere.networking.doc_50%2FGUID-62914CF2-A6A8-4DCC-90A9-8CD4BBF50017.html