?
Solved

Understand Network Security Policies of VMware (Mac Address Change and Forged Transmits)

Posted on 2014-12-29
10
Medium Priority
?
320 Views
Last Modified: 2015-03-03
Both the security Policies (Mac Address change and Forged Transmits) are concerned with allowing or denying differences between the initial MAC Address in the configuration file (.vmx file) and the effective MAC address in the guest operating system. I would like to understand why these security policies MAC address change and Forged transmits is set to Accept in VMware standard switches where as these policies are set to Reject on distributed switch?
Can anyone help me to understand why these settings are set different in Standard and  Distributed switch?
Thanks
0
Comment
Question by:jmohan0302
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 4
10 Comments
 
LVL 62

Assisted Solution

by:gheist
gheist earned 2000 total points
ID: 40522776
Because somebody disabled it, check logs if they reach that far back. MAC change is generally not necessary as you can change one in VMs settings. Forged transmits are if you run software network switch, but not othrewise.
It is best to reject all of them but allow per-port override "just in case"
Given that finding port number takes 10 minutes or so you can also enable global switch down the road.
0
 

Author Comment

by:jmohan0302
ID: 40523110
Thanks Gheist. Irrespective of the virtual switches either standard or distributed, the underlying concept of MAC address change and Forged transmits remains same. However, why the default settings of those settings are set to be different (Accept in case of Standard switches and Reject in case of Distributed switches) and I just like to understand this? Thanks
0
 
LVL 62

Expert Comment

by:gheist
ID: 40523342
Somebody was thinking about security and configured distributed switches properly. Their default is same as you see in local switches.
0
The Ideal Solution for Multi-Display Applications

Check out ATEN’s VS1912 12-Port DP Video Wall Media Player at InfoComm 2017. Kerri describes how easy it is to design creative video walls in asymmetric layouts and schedule detailed playlists ahead of time with its advanced scheduling feature.

 

Author Comment

by:jmohan0302
ID: 40525117
Thanks. I couldn't understand what do you mean? Could you please explain? Thanks again
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 2000 total points
ID: 40525179
Default is to enable 2 settings. Your distributed switches were manually configured to be more secure.
0
 

Author Comment

by:jmohan0302
ID: 40525212
Fine. I would like to understand why these settings are set to accept in standard virtual switches and set to reject in distributed switches when it comes to default settings
0
 
LVL 62

Expert Comment

by:gheist
ID: 40525217
i crated distributed switch yesterday and it cam up with 2 settings enabled. so your distributed switch is non-default.
0
 

Author Comment

by:jmohan0302
ID: 40527190
ok... Let me check
0
 

Accepted Solution

by:
jmohan0302 earned 0 total points
ID: 40625920
Thanks Gheist.  Hope your version of vSphere is 5.0 or earlier.

I found that in order to prevent an untrusted virtual machine from changing its MAC address or sending Packets on behalf of other virtual machines  the default settings for the security policy have changed for distributed virtual switch port groups in distributed virtual switches created by using versions later than vSphere 5.0.


 So the default security policy for a distributed port group from vSphere5.1 and later is REJECT, REJECT and REJECT.

Below link provides better understanding of the same:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2030982

Thanks
0
 

Author Closing Comment

by:jmohan0302
ID: 40641569
Resolved
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Will try to explain how to use the VMware feature TAGs in the VMs and create Veeam Backup Jobs using TAGs. Since this article is too long, I will create second article for the Veeam tasks.
This article outlines why you need to choose a backup solution that protects your entire environment – including your VMware ESXi and Microsoft Hyper-V virtualization hosts – not just your virtual machines.
Teach the user how to install and configure the vCenter Orchestrator virtual appliance Open vSphere Web Client: Deploy vCenter Orchestrator virtual appliance OVA file: Verify vCenter Orchestrator virtual appliance boots successfully: Connect to the …
This video shows you how to use a vSphere client to connect to your ESX host as the root user. Demonstrates the basic connection of bypassing certification set up. Demonstrates how to access the traditional view to begin managing your virtual mac…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question