VMware Cloud Community
gerf0727
Enthusiast

Are Virtual Network Interfaces vSwitches?

Hello all,

I am reading the following document http://www.vmware.com/files/pdf/dmz_virtualization_vmware_infra_wp.pdf

And on page 7 where it says "Set Layer 2 Security Options on Virtual Switches
Protect against attacks such as data snooping, sniffing, and MAC spoofing by disabling the promiscuous mode, MAC address changes, and forged transmissions capabilities on the virtual network interfaces."

How do I interpret "the virtual network interfaces"? Are those the vSwitches or the VM Port Groups?

Thanks for your help,

a_p_
Leadership

Welcome to the Community,

The VMs are connected to port groups. However, you can either configure these values at the vSwitch level and let the port groups inherit them, or you can configure them on individual port groups.

André

gerf0727
Enthusiast

Hmm, in my environment at the vSwitch level I have: Promiscuous: Reject, MAC Address Changes: Accept and Forged Transmits: Accept.

Are those the default values?

If I want to implement Layer 2 Security, don't they need to be disabled?

Thanks for your help,

mcowger
Immortal

Those are not the defaults. MAC Address Changes: Reject and Forged Transmits: Reject would be the defaults.

But before you go changing them - they don't automatically indicate a security problem - you should find out why they were changed first.

--Matt VCDX #52 blog.cowger.us
gerf0727
Enthusiast

Hmm, thank you very much.

a_p_
Leadership

Maybe "Edit the Security Policy for a Distributed Port Group" helps you decide what's needed to meet your requirements.

André
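
Added example, not part of the thread and not VMware code: a small Python model of the vSwitch-to-port-group inheritance described above, run over a constructed inventory whose vSwitch uses the three values quoted in the thread. The field names follow the vSphere API security policy properties; the inventory layout, port group names and function names are assumptions.

```python
# Added example: constructed inventory, not data from the thread's environment.
# Field names mirror the vSphere API security policy properties; True = Accept.
SETTINGS = ("allowPromiscuous", "macChanges", "forgedTransmits")


def effective_policy(vswitch_policy, portgroup_policy):
    """A value set on the port group overrides the vSwitch; an unset (missing
    or None) value is inherited from the vSwitch."""
    effective = {}
    for name in SETTINGS:
        override = portgroup_policy.get(name)
        effective[name] = vswitch_policy[name] if override is None else override
    return effective


def audit(inventory):
    """Return (vswitch, portgroup, setting, source) for every setting whose
    effective value is Accept, so each one can be traced to where it is set."""
    findings = []
    for vswitch in inventory:
        for pg in vswitch["portgroups"]:
            effective = effective_policy(vswitch["security"], pg["security"])
            for name in SETTINGS:
                if effective[name]:
                    inherited = pg["security"].get(name) is None
                    source = "inherited" if inherited else "override"
                    findings.append((vswitch["name"], pg["name"], name, source))
    return findings


# Constructed sample. vSwitch0 carries the values quoted in the thread:
# Promiscuous Reject, MAC Address Changes Accept, Forged Transmits Accept.
INVENTORY = [{
    "name": "vSwitch0",
    "security": {"allowPromiscuous": False, "macChanges": True,
                 "forgedTransmits": True},
    "portgroups": [
        {"name": "VM Network", "security": {}},  # inherits everything
        {"name": "DMZ", "security": {"macChanges": False,
                                     "forgedTransmits": False}},
        {"name": "Monitoring", "security": {"allowPromiscuous": True}},
    ],
}]

if __name__ == "__main__":
    for vswitch, portgroup, setting, source in audit(INVENTORY):
        print(f"{vswitch}/{portgroup}: {setting} = Accept ({source})")
```

The source field separates a setting inherited from the vSwitch from one set on the port group itself, which is the place to start when finding out why a value was changed.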