Configuring VMware vSwitch security settings: Don’t trust defaults

It is important for administrators to understand and address the default VMware vSwitch security settings that could leave their networks vulnerable to attacks.

The virtual switch plays an essential role in securing a virtual infrastructure, and learning how to configure...

VMware vSwitch security settings minimizes the chance that an attacker will abuse your entire virtual infrastructure.

To secure the virtual network environment, you need to estimate where the danger is most real. Virtual machines that offer services to external users are probably the most vulnerable point and the most important to secure. Seen from the guest operating system, the virtual network interface card works just like a physical network card, which means that an attacker that gains access to it can do the same nasty things that he would do on real network cards, such as flooding the network in a denial-of-service attack.

The VMware vSwitch offers some security options that can prevent malicious activity or limit the amount of traffic allowed over an interface. Let’s look at how to configure these security settings.

  1. Start the vSphere client. From the host’s configuration tab, select the networking link in the hardware list, which shows the current configuration of the VMware vSwitch.
  2. Select Properties for the vSwitch you want to configure. Next, a window will display the current ports on the vSwitch, with the properties currently in use.
  3. Select the port you want to secure and click Edit. Then, click on the Security tab to activate it. This view shows the three, default security settings in use for the selected port.

VMware vSwitch

Figure 1: From the VMware vSwitch properties, you can see all the ports that are currently configured.

Configuring the VMware vSwitch security settings
The first vSwitch security decision you must make is whether to use promiscuous mode. Promiscuous Mode uses a network card to intercept and monitor packets sent to other nodes. This mode is off, by default, but admins can enable it, if they want to perform a security analysis of the network. Promiscuous Mode allows a host to see all network traffic passing through a virtual switch and can help you analyze what’s happening on a network. However, admins should use this mode only during the security analysis, because it will slow network performance.

The second security option allows you to specify whether you want to allow MAC address changes on virtual network cards. It’s activated by default, allowing the operating system to change the MAC address in specific situations. This default setting is useful when you need this feature, such as when connecting to an iSCSI storage area network or enabling the Microsoft Network Load Balancer. If these situations don't apply to your environment, you are better off disabling this feature, so that a hacker cannot change the MAC address and forge IP addresses from the virtual host.

Rejecting forged transmits is the third option that you can use to enhance VMware vSwitch security. Rejecting forged transmits means a virtual machine (VM) will compare the source MAC address of packets with the MAC address for its actual network card to see if they match. If they do not match, the ESXi host drops the packet, preventing a VM from sending network traffic.

This option is enabled by default, because it is occasionally needed to avoid software licensing problems. For example, if software on a physical machine is licensed to a specific MAC address, it will not work in a virtual machine because the VM’s MAC address is different. In this case, allowing forged transmits enables you to use the software by forging the VM’s MAC address.

However, allowing forged transmits poses a security risk.If an administrator has only authorized specific MAC addresses to enter the network, an intruder may be able to change his unauthorized MAC address to an authorized one.

VMware vSwitch

Figure 2: Adjusting security policy settings for the virtual switch.

Traffic shaping is another VMware vSwitch property that can increase security. By switching this feature on, you can limit the amount of bandwidth available to virtual network adapters attached to the vSwitch. These settings don't affect the capacity of the entire switch, but they set limitations for each network interface. It may be beneficial to use these limitations, because setting a maximum for average bandwidth, peak bandwidth and burst size can prevent one node from saturating the switch and claiming all available bandwidth, which is good protection against a DoS attack.

VMware vSwitch

Figure 3: By setting the maximum amount of bandwidth available per interface, you can protect against DoS attacks.

As you’ve seen, some of the default security settings for the VMware vSwitch in your ESXi environment are optimized for usability rather than security. By changing a few easily accessible options, you can increase the security level of your VMs and decrease the risk posed by outside attacks on your network.

Dig Deeper on VMware and networking