As with physical network adapters, a virtual network adapter can send frames that appear to be from a different machine or impersonate another machine. Also, like physical network adapters, a virtual network adapter can be configured so that it receives frames targeted for other machines.
When a standard switch is created, port groups are added to impose a policy configuration for the virtual machines and storage systems attached to the switch. Virtual ports are created through the vSphere Web Client or the vSphere Client.
As part of adding a port or standard port group to a standard switch, the vSphere Client configures a security profile for the port. The host can then prevent any of its virtual machines from impersonating other machines on the network. The guest operating system responsible for the impersonation does not detect that the impersonation was prevented.
The security profile determines how strongly the host enforces the protection against impersonation and interception attacks on virtual machines. To correctly use the settings in the security profile, you must understand the basics of how virtual network adapters control transmissions and how attacks are staged at this level.
Each virtual network adapter has a MAC address that is assigned to it when the adapter is created. This address is called the initial MAC address. Although the initial MAC address can be reconfigured from outside the guest operating system, it cannot be changed by the guest operating system. In addition, each adapter has an effective MAC address that filters out incoming network traffic with a destination MAC address different from the effective MAC address. The guest operating system is responsible for setting the effective MAC address, and typically matches the effective MAC address to the initial MAC address.
When sending packets, an operating system typically places its own network adapter's effective MAC address in the source MAC address field of the Ethernet frame. It also places the MAC address for the receiving network adapter in the destination MAC address field. The receiving adapter accepts packets only when the destination MAC address in the packet matches its own effective MAC address.
Upon creation, a network adapter's effective MAC address and initial MAC address are the same. The virtual machine's operating system can alter the effective MAC address to another value at any time. If an operating system changes the effective MAC address, its network adapter receives network traffic destined for the new MAC address. The operating system can send frames with an impersonated source MAC address at any time. This means an operating system can stage malicious attacks on the devices in a network by impersonating a network adapter that the receiving network authorizes.
Standard switch security profiles can be used on hosts to protect against this type of attack by setting three options. If any default settings for a port are changed, the security profile must be modified by editing standard switch settings in the vSphere Client.
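The following is an added example, not VMware code: a small model of the per-port checks this page describes, with the host assigning the initial MAC, the guest owning the effective MAC, and the port policy deciding what the switch lets through. The policy, class and function names are this example's own assumptions and do not reproduce vSphere's implementation.

```python
# Added example (not VMware's code): model of the initial/effective MAC checks.
from dataclasses import dataclass

@dataclass
class Policy:
    allow_mac_change: bool = False     # honour an effective MAC that differs from the initial MAC
    allow_forged_source: bool = False  # pass outbound frames whose source MAC is not the effective MAC
    allow_promiscuous: bool = False    # deliver inbound frames addressed to other MACs

@dataclass
class VirtualAdapter:
    initial_mac: str          # assigned by the host at creation; the guest cannot change it
    effective_mac: str = ""   # set by the guest; defaults to the initial MAC

    def __post_init__(self):
        self.initial_mac = self.initial_mac.lower()
        self.effective_mac = (self.effective_mac or self.initial_mac).lower()

def guest_set_effective_mac(adapter, new_mac):
    """The guest can always rewrite its own effective MAC; enforcement happens at the port."""
    adapter.effective_mac = new_mac.lower()

def _mac_change_ok(adapter, policy):
    # A guest-changed MAC is honoured only when the policy allows it.
    return adapter.effective_mac == adapter.initial_mac or policy.allow_mac_change

def port_passes_outbound(adapter, src_mac, policy):
    """Outbound: silently drop if the MAC change is not allowed, or if the source
    MAC is not the effective MAC (a forged transmit) and forging is not allowed."""
    if not _mac_change_ok(adapter, policy):
        return False
    return src_mac.lower() == adapter.effective_mac or policy.allow_forged_source

def port_delivers_inbound(adapter, dst_mac, policy):
    """Inbound: deliver frames for the effective MAC (if its change was allowed);
    frames for other destinations only when promiscuous mode is allowed."""
    if not _mac_change_ok(adapter, policy):
        return False
    return dst_mac.lower() == adapter.effective_mac or policy.allow_promiscuous

def demo():
    """Constructed scenario: a guest tries to take over a neighbour's MAC under the default policy."""
    policy = Policy()
    vm = VirtualAdapter(initial_mac="00:50:56:aa:bb:01")   # constructed sample MACs
    neighbour = "00:50:56:aa:bb:02"
    results = {"normal_out": port_passes_outbound(vm, vm.initial_mac, policy),
               "forged_out": port_passes_outbound(vm, neighbour, policy)}
    guest_set_effective_mac(vm, neighbour)   # guest rewrites its effective MAC
    results["changed_in"] = port_delivers_inbound(vm, neighbour, policy)
    results["changed_out"] = port_passes_outbound(vm, neighbour, policy)
    return results
```

With all three policy flags set to True the same scenario passes every check, which is the exposure the default settings close.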