Evaluate Weigh the pros and cons of technologies, products and projects you are considering.
This article is part of our Essential Guide: The essential guide to VMware NSX SDN technology

Use SpoofGuard to defend against malicious activity in VMware NSX

SpoofGuard monitors network traffic to identify malicious activity and prevent phishing attacks. Before you enable SpoofGuard in NSX, there are a few things you should know.

Using SpoofGuard is an easy way to prevent phishing and web spoofing in VMware NSX shops, but there are a few things...

you, as a network administrator, should know to determine what's best for your environment.

SpoofGuard registers a VM's IP address and prevents that VM from communicating with any other IP addresses. If a VM administrator wants to change the IP address, he must coordinate it with the network administrator. Without this safeguard in place, a malicious user could easily hijack the IP address of an existing machine in the environment, impersonate that machine and bypass the firewall.

SpoofGuard isn't an extra module on your ESXi hosts, but rather a component of the distributed firewall. It's tightly integrated with the VMkernel, so, like other distributed firewall tasks in your network data path, it doesn't significantly impact performance. 

One of the reasons SpoofGuard doesn't receive much recognition is that it's often treated as an afterthought during NSX setup. Rather than focus on the SpoofGuard policy, which is disabled by default, administrators typically focus on routing and switching, firewall rules and NSX features, such as load balancers and virtual private networks, during initial setup.

Using SpoofGuard is as easy as locating the configuration under the Networking & Security main navigation panel and enabling the SpoofGuard policy. However, before proceeding, there are a few things you should know to determine what's best for your environment.

Create SpoofGuard policies

As you can see in Figure A, in addition to the Default Policy, I've created three new SpoofGuard policies: the DB-Tier policy, the App-Tier policy and the Web-Tier policy. Each of these policies is connected to a logical network. For each new policy you create, you have the option of changing the Operation Mode to either Trust on First Use or Manually Inspect.

For the sake of this example, I've configured the three logical network policies to Trust on First Use, which means they allow VMs to communicate with the IP address the first time they come online. I'm able to do this because I created my VMs with vRealize Automation, which automatically assigns IP addresses with IP address management (IPAM). You can use the nsx-spoofguard-approve.ps1 script from GitHub to query your IPAM system and check whether to approve NSX SpoofGuard records.

The Default Policy applies to any VM not connected to one of these three registered logical networks. The administrator must manually intervene in order for these VMs to communicate with the discovered address. The Default Policy includes a setting that allows SpoofGuard to register self-generated addresses in the 169.254.0.0/16 and fe80::/64, but this setting isn't enabled by default and, in most environments, isn't something you want to enable.

You can assign SpoofGuard policies to distributed port groups, standard switch port groups and logical switch networks.

Create and manage SpoofGuard policies.
Figure A. SpoofGuard policies can be applied to distributed port groups, standard switch port groups and logical switch networks.

Use snooping to detect IP addresses

This brings us to the next important point: How does SpoofGuard know which IP address a VM is using? Early versions of NSX only use VMware Tools to detect the IP address, but NSX versions 6.2 and above also use Dynamic Host Configuration Protocol (DHCP) snooping and Address Resolution Protocol (ARP) snooping. This allows you to use NSX SpoofGuard even if you don't have VMware Tools installed. In order to use DHCP snooping or ARP snooping, you must enable them by changing the Global IP Detection Type, as shown in Figure B.

Enable DHCP snooping or ARP snooping.
Figure B. DHCP snooping and ARP snooping allow SpoofGuard to detect VM IP addresses without using VMware Tools.

If you enable either DHCP snooping or ARP snooping, the VM will receive an IP address and start communicating with that address either automatically -- if Trust on First Use is enabled -- or after receiving administrative approval.

For the sake of comparison, I tested DHCP snooping on a VM in my environment that did not have VMware Tools installed and found the address 192.168.100.6; other VMs in my environment that did have VMware Tools installed and were in the same DHCP range found the same address. I also tried uninstalling VMware Tools on a previously registered machine and then tried to use another IP address, but SpoofGuard worked as expected and prevented me from doing so.

If you use VMs with multi-homing, note that SpoofGuard supports both IPv4 and IPv6 address. According to VMware official documentation, "When using IPv4, the SpoofGuard policy supports a single IP addressed to a vNIC. IPv6 supports multiple IP addresses assigned to a vNIC."

Save time with centralized logging

Once you've enabled SpoofGuard, you can use the vSphere Client to see which VMs need attention. This can be time-consuming in a large environment, so I recommend you use a central logging mechanism to save time. If you run NSX 6.2.3 or above in your environment, you're entitled to a free vRealize Log Insight license. Since SpoofGuard is a component of the distributed firewall, it logs dfwoktlogs.log to the ESXi host on which it detects activity. VRealize Log Insight allows you to centrally collect these logs and easily place alerts on entries involving SpoofGuard. You can see an example of how vRealize Log Insight performs centralized logging for SpoofGuard in Figure C.

Use vRealize Log Insight to monitor SpoofGuard.
Figure C. You can use a centralized logging tool such as vRealize Log Insight to set up alerts for activity in SpoofGuard.

My final recommendation is that you use REST API to access SpoofGuard information in your environment to monitor what's happening and what needs attention.

This was last published in December 2017

Join the conversation

2 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

Do you prefer to use VMware Tools, DHCP snooping or ARP snooping with SpoofGuard, and why?
Cancel
Hi,
Thanks for your question and interest in the topic. I prefer to rely on the VMware Tools because we always install them in any VM in the first place. For as fas as SpoofGuard is concerned it doesn't matter what the source is because the DFW will be able to block traffic when the address changes, no matter what the source is.
Cancel

-ADS BY GOOGLE

SearchServerVirtualization

SearchVirtualDesktop

SearchDataCenter

SearchCloudComputing

Close