You can secure standard switch traffic against Layer 2 attacks by restricting some of the MAC address modes of the VM network adapters.
Each VM network adapter has an initial MAC address and an effective MAC address.
Initial MAC Address
The initial MAC address is assigned when the adapter is created. Although the initial MAC address can be reconfigured from outside the guest operating system, it cannot be changed by the guest operating system.
Effective MAC Address
Each adapter has an effective MAC address that filters out incoming network traffic with a destination MAC address that is different from the effective MAC address. The guest operating system is responsible for setting the effective MAC address and typically matches the effective MAC address to the initial MAC address.
What Happens When You Create a Virtual Machine Network Adapter
Upon creating a virtual machine network adapter, the effective MAC address and initial MAC address are the same. The guest operating system can alter the effective MAC address to another value at any time. If an operating system changes the effective MAC address, its network adapter receives network traffic that is destined for the new MAC address.
When sending packets through a network adapter, the guest operating system typically places its own adapter effective MAC address in the source MAC address field of the Ethernet frames. It places the MAC address for the receiving network adapter in the destination MAC address field. The receiving adapter accepts packets only if the destination MAC address in the packet matches its own effective MAC address.
An operating system can send frames with an impersonated source MAC address. An operating system can therefore impersonate a network adapter that the receiving network authorizes, and stage malicious attacks on the devices in a network.
Using Security Policies to Protect Ports and Groups
Protect virtual traffic against impersonation and interception Layer 2 attacks by configuring a security policy on port groups or ports.
The security policy on distributed port groups and ports includes the following options:
- MAC address changes (see MAC Address Changes)
- Promiscuous mode (see Promiscuous Mode Operation)
- Forged transmits (see Forged Transmits)
You can view and change the default settings by selecting the virtual switch associated with the host from the vSphere Client. See vSphere Networking documentation.
MAC Address Changes
The security policy of a virtual switch includes a MAC address changes option. This option controls whether a virtual machine can receive frames with a MAC address that is different from the one configured in its VMX file.
When the MAC address changes option is set to Accept, ESXi accepts requests to change the effective MAC address of a virtual machine to a different address than the initial MAC address.
When the MAC address changes option is set to Reject, ESXi does not honor requests to change the effective MAC address of a virtual machine to a different address than the initial MAC address. This setting protects the host against MAC impersonation. The port that the virtual machine adapter used to send the request is deactivated, and the virtual machine adapter does not receive any more frames until the effective MAC address matches the initial MAC address again. The guest operating system does not detect that the MAC address change request was not honored.
In some situations there is a legitimate need for more than one adapter to have the same MAC address on a network, for example, if you are using Microsoft Network Load Balancing in unicast mode. When Microsoft Network Load Balancing is used in the standard multicast mode, adapters do not share MAC addresses.
Forged Transmits
The Forged transmits option affects traffic that is transmitted from a virtual machine.
When the Forged transmits option is set to Accept, ESXi does not compare source and effective MAC addresses.
To protect against MAC impersonation, you can set the Forged transmits option to Reject. If you do, the host compares the source MAC address being transmitted by the guest operating system with the effective MAC address for its virtual machine adapter to see if they match. If the addresses do not match, the ESXi host drops the packet.
The guest operating system does not detect that its virtual machine adapter cannot send packets by using the impersonated MAC address. The ESXi host intercepts any packets with impersonated addresses before they are delivered, and the guest operating system might assume that the packets are dropped.
Promiscuous Mode Operation
Promiscuous mode eliminates any reception filtering that the virtual machine adapter performs so that the guest operating system receives all traffic observed on the wire. By default, the virtual machine adapter cannot operate in promiscuous mode.
Although promiscuous mode can be useful for tracking network activity, it is an insecure mode of operation, because an adapter in promiscuous mode has access to all packets on the port group, including packets addressed only to a particular network adapter. This means that an administrator or root user within a virtual machine can potentially view traffic destined for other guest or host operating systems.
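The following is an added illustration, not ESXi code: a simplified Python model of the three per-port checks described above (MAC address changes, forged transmits, promiscuous mode), with each policy option set to Reject (False) or Accept (True). The class and method names, and the sample MAC addresses, are invented for this example; broadcast and multicast delivery are not modelled.

```python
# Added example: a toy model of vSwitch port security checks. Not ESXi code;
# names are invented here, MAC addresses are constructed sample values.
from dataclasses import dataclass


@dataclass
class SecurityPolicy:
    """False = Reject, True = Accept. Promiscuous mode defaults to Reject."""
    mac_changes: bool = False
    forged_transmits: bool = False
    promiscuous: bool = False


@dataclass
class VmPort:
    initial_mac: str            # set when the adapter is created (VMX file)
    policy: SecurityPolicy
    effective_mac: str = ""     # set by the guest OS; starts equal to initial
    blocked: bool = False       # port deactivated after a rejected MAC change

    def __post_init__(self) -> None:
        self.initial_mac = self.initial_mac.lower()
        self.effective_mac = (self.effective_mac or self.initial_mac).lower()

    def request_mac_change(self, new_mac: str) -> bool:
        """Guest changes its effective MAC. With 'MAC address changes' set to
        Reject, the port is deactivated until the effective MAC matches the
        initial MAC again. Returns True if the port stays active."""
        self.effective_mac = new_mac.lower()
        self.blocked = (not self.policy.mac_changes
                        and self.effective_mac != self.initial_mac)
        return not self.blocked

    def transmit(self, src_mac: str) -> bool:
        """'Forged transmits' check: with Reject, a frame whose source MAC
        differs from the effective MAC is dropped. Returns True if sent."""
        if not self.policy.forged_transmits and src_mac.lower() != self.effective_mac:
            return False
        return True

    def receive(self, dst_mac: str) -> bool:
        """Reception filter: a deactivated port gets nothing; otherwise only
        frames for the effective MAC, unless promiscuous mode is Accept."""
        if self.blocked:
            return False
        if self.policy.promiscuous:
            return True
        return dst_mac.lower() == self.effective_mac
```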
See the topic on configuring the security policy for a vSphere Standard Switch or Standard Port Group in the vSphere Networking documentation for information about configuring the virtual machine adapter for promiscuous mode.