VMware Cloud Community
TonyJK
Enthusiast

VM Port Group Security Policy?

A VMware Health Check was conducted by a consultant. He writes:

VM Port Group Security Policies are at the default value and not changed as per BP, AND

Storage Multipathing Policy is as per BP.

We just wonder what BP means and how to change the Port Group Security Policy. We would like to get some background knowledge before discussing with him.

Your advice is sought.


Accepted Solutions
gary1012
Expert

Best practices. They're probably referring to the promiscuous mode, MAC address changes, and forged transmit settings on the vSS or vDS. A lot of consultants pull findings from the VMware vSphere Security Hardening Guide. Google that and it should be the first hit. The guide will explain each of those settings.

Community Supported, Community Rewarded - Please consider marking questions answered and awarding points to the correct post. It helps us all.

6 Replies
Josh26
Virtuoso

TonyJK wrote:

A VMware Health Check was conducted by a consultant. He writes:

VM Port Group Security Policies are at the default value and not changed as per BP, AND

Storage Multipathing Policy is as per BP.

We just wonder what BP means and how to change the Port Group Security Policy. We would like to get some background knowledge before discussing with him.

Your advice is sought.

The default port group settings are:

Reject promiscuous mode

Accept MAC address changes

Accept forged transmits

You can, of course, easily change these to "Reject" with little impact in most circumstances.

Likewise, the realistic impact of leaving these settings at the default is practically nil, unless you have some sort of device on your network performing security based on MAC addresses.

As far as the Storage multipathing policy, he appears to state it's "correct" and shouldn't be changed.

It sounds like a pretty pedantic piece of advice from someone who couldn't come up with much else, to be honest.

TonyJK
Enthusiast

Dear Josh,

I have checked the settings. For the vSwitch, we have all checkboxes selected (Reject / Accept / Accept).

For the Port Group, none of the checkboxes are selected. Does it mean that they already pick up the default value, or should I select those checkboxes manually?

Thanks again

gary1012
Expert

Those values are inherited from the vSwitch level. I believe the BP is to set those to Reject across the board. Josh is right, making those changes is usually harmless. I think some things like MS clustering will be impacted by the MAC setting, but most VMs won't notice the changes. If they do, create a new port group and set the appropriate setting at that level vs. inheriting the vSwitch settings.

Community Supported, Community Rewarded - Please consider marking questions answered and awarding points to the correct post. It helps us all.
Josh26
Virtuoso

TonyJK wrote:

Dear Josh,

I have checked the settings. For the vSwitch, we have all checkboxes selected (Reject / Accept / Accept).

For the Port Group, none of the checkboxes are selected. Does it mean that they already pick up the default value, or should I select those checkboxes manually?

Thanks again

Where a checkbox is not selected, it will inherit from the vSwitch. There is no value at all in overriding these and setting them again on the port group, unless you want certain port groups to have different settings from others.

It's theoretically more locked down if you set all the options to the value "Rejected". Discussing what you "should" do is really invalid; there's nothing wrong with your environment.

rickardnobel
Champion

Gary Choka wrote:

I think some things like MS clustering will be impacted by the MAC setting

I think it is mostly the Microsoft Network Load Balancing feature that does some unusual stuff with MAC addresses and needs both settings set to Accept.

I agree with the others that you could safely leave those at the default. In theory, a malicious VM administrator could take advantage of that and launch layer-two network attacks, like ARP spoofing and similar, but that might or might not be a risk in your environment.

My VMware blog: www.rickardnobel.se
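The audit the replies above describe (vSwitch settings vs. port group overrides, with a documented exception for something like Microsoft NLB), as an added PowerCLI example that is not part of the thread. It assumes VMware PowerCLI is installed, that you have already run Connect-VIServer, and that the port group names passed as exceptions are placeholders you replace with your own.

```powershell
# Added example, not from the thread. Assumes PowerCLI and an existing Connect-VIServer session.
# Hardening-guide target: all three settings rejected on the vSwitch, port groups inheriting.
$Target = @{ AllowPromiscuous = $false; MacChanges = $false; ForgedTransmits = $false }

function Get-VssSecurityFindings {
    # Returns one finding per deviation; port groups in $ExceptionPortGroups are reported as documented.
    param([string[]]$ExceptionPortGroups = @())   # e.g. @('NLB-PG') - placeholder names
    $findings = @()
    foreach ($vss in Get-VirtualSwitch -Standard) {
        $pol = Get-SecurityPolicy -VirtualSwitch $vss
        foreach ($k in $Target.Keys) {
            if ($pol.$k -ne $Target[$k]) {
                $findings += [pscustomobject]@{ Host = $vss.VMHost.Name; Object = $vss.Name
                    Level = 'vSwitch'; Setting = $k; Note = 'Accept at vSwitch; set to Reject per hardening guide' }
            }
        }
        foreach ($pg in Get-VirtualPortGroup -VirtualSwitch $vss) {
            $pp = Get-SecurityPolicy -VirtualPortGroup $pg
            foreach ($k in $Target.Keys) {
                # An unchecked box in the UI means "inherited"; only an explicit Accept is an override.
                if (-not $pp."$($k)Inherited" -and $pp.$k) {
                    $note = if ($ExceptionPortGroups -contains $pg.Name) { 'Accept override: documented exception' }
                            else { 'Accept override on port group; remove override or document it' }
                    $findings += [pscustomobject]@{ Host = $vss.VMHost.Name; Object = $pg.Name
                        Level = 'PortGroup'; Setting = $k; Note = $note }
                }
            }
        }
    }
    return $findings
}

function Set-VssRejectAll {
    # Remediates the vSwitch level only; port groups keep inheriting unless you override them on purpose.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($vss in Get-VirtualSwitch -Standard) {
        if ($PSCmdlet.ShouldProcess($vss.Name, 'Reject promiscuous mode, MAC changes and forged transmits')) {
            Get-SecurityPolicy -VirtualSwitch $vss | Set-SecurityPolicy @Target | Out-Null
        }
    }
}

Get-VssSecurityFindings -ExceptionPortGroups @('NLB-PG') | Format-Table -AutoSize
Set-VssRejectAll -WhatIf   # drop -WhatIf once the findings have been reviewed
```

Run the audit first on its own; the remediation only touches standard vSwitches, so a port group that must keep Accept (the NLB case above) is left exactly as you set it.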