VMware Cloud Community
JoJoGabor
Expert

Switch Security

What are the security advantages and disadvantages of virtual switches vs physical switches? I haven't heard much discussion of this, and what I have heard is conflicting views. Some people think it is easier to VLAN hop within a virtual switch. Others tell me a virtual switch is more secure as it's impossible to spoof MAC addresses, as it's all controlled in software.

Does anyone have any other insights?

4 Replies
vmroyale
Immortal

Hello.

Note: This discussion was moved from the VMware ESXi 5 community to the Security and Compliance community.

Good Luck!

Brian Atkinson | vExpert | VMTN Moderator | Author of "VCP5-DCV VMware Certified Professional-Data Center Virtualization on vSphere 5.5 Study Guide: VCP-550" | @vmroyale | http://vmroyale.com
michael_40catbi
Enthusiast

JoJoGabor wrote:

What are the security advantages and disadvantages of virtual switches vs physical switches? I haven't heard much discussion of this, and what I have heard is conflicting views. Some people think it is easier to VLAN hop within a virtual switch. Others tell me a virtual switch is more secure as it's impossible to spoof MAC addresses, as it's all controlled in software.

Does anyone have any other insights?

IMHO, the VMware software switch is by default as secure if not more secure than a physical switch.

MAC address anti-spoofing and other security considerations can be implemented in physical switches but I would say it is much harder to get right and almost impossible to sustain.

Essentially, the software bit is exactly right. The security of the virtual switch can be automatically assured, especially in combination with a virtualized security appliance.

VMware's native capabilities like fine grained administrator roles and host baselines, can be further supplemented by vShield and third-party security tools.

--Michael

Texiwill
Leadership

Hello,

vSwitches are authoritative about what is connected to them, therefore they do not need to do any learning. All current layer-2 VLAN hopping attacks that I know about are based on attacking the content addressable memory (CAM) tables used by physical switches to learn about what is connected to them. Authoritative switches like vSwitches are not subject to any existing layer-2 attacks.

However, they are subject to layer-3 through layer-7 attacks just like any other switches. The best way to protect against these is to limit which VMs can be in promiscuous mode (which by default is limited, for any vSwitch, so that NO VMs can be in promiscuous mode) at any time, as most of these attacks are MiTM attacks and require a promiscuous-mode VM.

If someone says a vSwitch is subject to layer-2 VLAN attacks, please ask them to explain it so you can repost it here or they can post it here. Such an attack would be interesting to understand if it is at all possible.

Best regards,

Edward L. Haletky

Communities Moderator, VMware vExpert,

Author: VMware vSphere and Virtual Infrastructure Security,VMware ESX and ESXi in the Enterprise 2nd Edition

Podcast: The Virtualization Security Podcast Resources: The Virtualization Bookshelf

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
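The check a practitioner would want after the post above is a way to confirm that the vSwitch security policy actually rejects promiscuous mode, and that no port group quietly overrides it. The following is an added example (not code from the thread or from VMware): it parses text modelled on the output of `esxcli network vswitch standard policy security get -v <vswitch>` and `esxcli network vswitch standard portgroup policy security get -p <portgroup>`, computes the effective policy per port group (a port group inherits the vSwitch value unless its Override flag is set) and reports every knob that deviates from a reject-all baseline. The sample output embedded below is constructed, not captured from a real host; on a real host you would feed it the command output instead. The two sibling knobs, MAC Address Change and Forged Transmits, are included because they are the vSwitch's MAC anti-spoofing controls mentioned earlier in the thread.

```python
"""Audit vSwitch / port group security policy from esxcli-style output.

Added example, not part of the thread. The sample text is constructed and
modelled on esxcli output; the key names are assumed to match it.
"""
from __future__ import annotations

# Constructed sample output of:
#   esxcli network vswitch standard policy security get -v vSwitch0
VSWITCH_OUTPUT = {
    "vSwitch0": """\
   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true
""",
}

# Constructed sample output of:
#   esxcli network vswitch standard portgroup policy security get -p <pg>
PORTGROUP_OUTPUT = {
    ("vSwitch0", "VM Network"): """\
   Allow Promiscuous: true
   Allow MAC Address Change: false
   Allow Forged Transmits: false
   Override Vswitch Allow Promiscuous: true
   Override Vswitch Allow MAC Address Change: false
   Override Vswitch Allow Forged Transmits: false
""",
    ("vSwitch0", "Management Network"): """\
   Allow Promiscuous: false
   Allow MAC Address Change: false
   Allow Forged Transmits: false
   Override Vswitch Allow Promiscuous: false
   Override Vswitch Allow MAC Address Change: false
   Override Vswitch Allow Forged Transmits: false
""",
}

KNOBS = ("Allow Promiscuous", "Allow MAC Address Change", "Allow Forged Transmits")
# Hardened baseline: reject all three unless a VM has a documented need.
BASELINE = {knob: False for knob in KNOBS}


def parse_policy(text: str) -> dict[str, bool]:
    """Turn 'Key: true|false' lines into a dict of booleans."""
    policy: dict[str, bool] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        policy[key.strip()] = value.strip().lower() == "true"
    return policy


def effective_policy(vswitch: dict[str, bool], portgroup: dict[str, bool]) -> dict[str, bool]:
    """Port group value applies only when its Override flag is set; otherwise inherit."""
    effective: dict[str, bool] = {}
    for knob in KNOBS:
        if portgroup.get(f"Override Vswitch {knob}", False):
            effective[knob] = portgroup.get(knob, False)
        else:
            effective[knob] = vswitch.get(knob, False)
    return effective


def audit() -> list[str]:
    """Return a sorted list of findings; an empty list means the host meets BASELINE."""
    findings: list[str] = []
    vswitches = {name: parse_policy(text) for name, text in VSWITCH_OUTPUT.items()}
    for name, policy in vswitches.items():
        for knob in KNOBS:
            if policy.get(knob, False) != BASELINE[knob]:
                findings.append(f"{name}: {knob} is enabled at the vSwitch level")
    for (vs, pg), text in PORTGROUP_OUTPUT.items():
        effective = effective_policy(vswitches[vs], parse_policy(text))
        for knob in KNOBS:
            if effective[knob] != BASELINE[knob]:
                findings.append(f"{vs}/{pg}: effective {knob} is enabled")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Note that the "VM Network" port group in the sample flips Allow Promiscuous back on through its override while inheriting the two permissive vSwitch settings, which is exactly the kind of drift a vSwitch-level check alone would miss.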
rickardnobel
Champion

Edward Haletky wrote:

All current layer-2 VLAN hopping attacks that I know about are based on attacking the content addressable memory (CAM) tables used by physical switches to learn about what is connected to it. Authoritative switches like vSwitches, are not subject to any existing layer-2 attacks.

Is that really a VLAN hopping attack? I have the impression that VLAN hopping is done by inserting double 802.1Q tags into a frame, where the first one is legitimate and expected, but the second one is for the VLAN you like to "hop" into.

From what I remember, the virtual switches in VMware are said to be protected from this kind of attack too.

My VMware blog: www.rickardnobel.se
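To make the double-tagging description above concrete, here is an added example (not part of the thread) that builds stacked 802.1Q tags as raw bytes and runs them through a simplified model of two learning switches joined by a trunk. The model is an assumption for illustration, not an emulation of any vendor's switch or of the VMware vSwitch: an access port accepts a frame tagged with its own VLAN and strips that tag; a trunk sends its native VLAN untagged unless told to tag it; the far switch classifies by the outer tag it sees. The hop happens only when the attacker's VLAN is the trunk's native VLAN and the trunk leaves the native VLAN untagged, which is why the usual mitigations are to tag the native VLAN on trunks or move it to an unused VLAN; both cases are exercised below.

```python
"""Model of 802.1Q double tagging across two switches and a trunk.

Added example, not from the thread. Frames are constructed bytes; the switch
behaviour is a deliberately simplified model (assumption for illustration).
"""
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst: str, src: str, vids: list[int], payload: bytes) -> bytes:
    """Ethernet II frame with zero or more stacked 802.1Q tags (PCP/DEI = 0)."""
    frame = mac(dst) + mac(src)
    for vid in vids:  # outermost tag first
        frame += struct.pack("!HH", ETHERTYPE_VLAN, vid & 0x0FFF)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_tags(frame: bytes) -> list[int]:
    """VIDs in the tag stack, outermost first (empty list if untagged)."""
    vids, offset = [], 12
    while struct.unpack_from("!H", frame, offset)[0] == ETHERTYPE_VLAN:
        vids.append(struct.unpack_from("!H", frame, offset + 2)[0] & 0x0FFF)
        offset += 4
    return vids


def pop_tag(frame: bytes) -> bytes:
    """Remove the outermost 802.1Q tag."""
    return frame[:12] + frame[16:]


def push_tag(frame: bytes, vid: int) -> bytes:
    """Add a new outermost 802.1Q tag."""
    return frame[:12] + struct.pack("!HH", ETHERTYPE_VLAN, vid) + frame[12:]


def access_port_ingress(frame: bytes, port_vlan: int):
    """Access port on switch 1: untagged frames, or frames whose outer tag is
    the port's own VLAN, are accepted into port_vlan (outer tag removed);
    anything else is dropped. Returns (vlan, frame) or None."""
    vids = parse_tags(frame)
    if not vids:
        return port_vlan, frame
    if vids[0] != port_vlan:
        return None
    return port_vlan, pop_tag(frame)


def trunk_egress(vlan: int, frame: bytes, native_vlan: int, tag_native: bool) -> bytes:
    """Trunk egress on switch 1: the native VLAN leaves untagged unless the
    trunk is configured to tag it; every other VLAN is tagged."""
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(frame: bytes, native_vlan: int) -> int:
    """Trunk ingress on switch 2: classify by the outer tag, else native."""
    vids = parse_tags(frame)
    return vids[0] if vids else native_vlan


def deliver(frame: bytes, access_vlan: int, native_vlan: int, tag_native: bool = False):
    """VLAN that switch 2 files the frame under, or None if switch 1 dropped it."""
    accepted = access_port_ingress(frame, access_vlan)
    if accepted is None:
        return None
    vlan, stripped = accepted
    on_wire = trunk_egress(vlan, stripped, native_vlan, tag_native)
    return trunk_ingress(on_wire, native_vlan)


# Constructed attacker frame: outer tag 1 (attacker's VLAN), inner tag 20 (target).
ATTACK = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", [1, 20], b"hop")

if __name__ == "__main__":
    print("native VLAN 1, untagged native :", deliver(ATTACK, 1, 1))          # 20: hopped
    print("native VLAN 1, native tagged   :", deliver(ATTACK, 1, 1, True))    # 1: contained
    print("native VLAN moved to 999       :", deliver(ATTACK, 1, 999))        # 1: contained
```

The first run shows the hop: switch 1 strips the legitimate outer tag, sends the frame untagged on the native VLAN, and switch 2 reads the surviving inner tag as VLAN 20. With the native VLAN tagged, or moved off the attacker's VLAN, switch 2 sees the outer tag 1 that switch 1 re-applied and the frame stays where it belongs.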