Understand Network Security Policies of VMware (MAC Address Change and Forged Transmits)

Both security policies (MAC address change and forged transmits) are concerned with allowing or denying differences between the initial MAC address in the configuration file (.vmx file) and the effective MAC address in the guest operating system. I would like to understand why these security policies, MAC address change and forged transmits, are set to Accept on VMware standard switches, whereas these policies are set to Reject on a distributed switch?
Can anyone help me understand why these settings are set differently on standard and distributed switches?
Thanks
jmohan0302Asked:
gheistCommented:
Because somebody disabled it; check the logs if they reach that far back. MAC change is generally not necessary, as you can change one in the VM's settings. Forged transmits are needed if you run a software network switch, but not otherwise.
It is best to reject all of them but allow a per-port override "just in case".
Given that finding the port number takes 10 minutes or so, you can also enable it on the global switch down the road.
jmohan0302Author Commented:
Thanks Gheist. Irrespective of the virtual switch, either standard or distributed, the underlying concept of MAC address change and forged transmits remains the same. However, why are the defaults for those settings different (Accept in the case of standard switches and Reject in the case of distributed switches)? I would just like to understand this. Thanks
gheistCommented:
Somebody was thinking about security and configured the distributed switches properly. Their default is the same as you see in local switches.
jmohan0302Author Commented:
Thanks. I couldn't understand what you mean. Could you please explain? Thanks again
gheistCommented:
Default is to enable 2 settings. Your distributed switches were manually configured to be more secure.
jmohan0302Author Commented:
Fine. I would like to understand why these settings are set to Accept on standard virtual switches and set to Reject on distributed switches when it comes to the default settings.
gheistCommented:
I created a distributed switch yesterday and it came up with the 2 settings enabled. So your distributed switch is non-default.
jmohan0302Author Commented:
OK... Let me check
jmohan0302Author Commented:
Thanks Gheist. I hope your version of vSphere is 5.0 or earlier.

I found that, in order to prevent an untrusted virtual machine from changing its MAC address or sending packets on behalf of other virtual machines, the default settings for the security policy have changed for distributed virtual switch port groups in distributed virtual switches created using versions later than vSphere 5.0.

So the default security policy for a distributed port group from vSphere 5.1 and later is REJECT, REJECT and REJECT.

Below link provides better understanding of the same:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2030982

Thanks
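The thread's conclusion is that the standard vSwitch defaults stay at Accept while newer distributed port groups default to Reject, so a mixed environment needs auditing. The following PowerCLI script is an added example, not code from the thread or from VMware; it lists every standard vSwitch, standard port group and distributed port group that still accepts MAC address changes or forged transmits, and shows the remediation commented out. It assumes VMware PowerCLI is installed and an existing Connect-VIServer session (the vCenter name is a placeholder).

```powershell
# Added example (not from the thread): audit vSwitch security policies for the two
# settings discussed above. Assumes PowerCLI is installed and a vCenter session exists.
# Connect-VIServer -Server vcenter.example.internal   # placeholder name, connect first

$findings = @()

# Standard vSwitches: the policy lives on the switch, so check it first.
foreach ($vss in Get-VirtualSwitch -Standard) {
    $p = Get-SecurityPolicy -VirtualSwitch $vss
    if ($p.MacChanges -or $p.ForgedTransmits) {
        $findings += [pscustomobject]@{
            Type = 'vSwitch'; Name = $vss.Name; Host = $vss.VMHost.Name
            MacChanges = $p.MacChanges; ForgedTransmits = $p.ForgedTransmits
        }
    }
}

# Standard port groups can override the switch policy (the per-port "just in case"
# exception mentioned above), so report each override that re-enables a setting.
foreach ($pg in Get-VirtualPortGroup -Standard) {
    $p = Get-SecurityPolicy -VirtualPortGroup $pg
    if ((-not $p.MacChangesInherited -and $p.MacChanges) -or
        (-not $p.ForgedTransmitsInherited -and $p.ForgedTransmits)) {
        $findings += [pscustomobject]@{
            Type = 'vSS PortGroup'; Name = $pg.Name; Host = $pg.VirtualSwitch.VMHost.Name
            MacChanges = $p.MacChanges; ForgedTransmits = $p.ForgedTransmits
        }
    }
}

# Distributed port groups: Reject by default on vSphere 5.1+, so any Accept here is
# either an upgraded/legacy dvPortgroup or a deliberate change worth documenting.
foreach ($dpg in Get-VDSwitch | Get-VDPortgroup) {
    $p = Get-VDSecurityPolicy -VDPortgroup $dpg
    if ($p.MacChanges -or $p.ForgedTransmits) {
        $findings += [pscustomobject]@{
            Type = 'vDS PortGroup'; Name = $dpg.Name; Host = $dpg.VDSwitch.Name
            MacChanges = $p.MacChanges; ForgedTransmits = $p.ForgedTransmits
        }
    }
}

$findings | Format-Table -AutoSize

# Remediation (uncomment after reviewing the findings): set both to Reject. Workloads
# that legitimately need forged transmits (e.g. a software switch inside a VM) should
# keep a documented per-port-group exception rather than a switch-wide Accept.
# Get-VirtualSwitch -Standard | Get-SecurityPolicy | Set-SecurityPolicy -MacChanges $false -ForgedTransmits $false
# Get-VDSwitch | Get-VDPortgroup | Get-VDSecurityPolicy | Set-VDSecurityPolicy -MacChanges $false -ForgedTransmits $false
```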
jmohan0302Author Commented:
Resolved