Configure the VMware vSwitch Security Policy

Source: Internet
Author: User

vSwitches play an important role in protecting virtual infrastructure. This article explains how to apply the VMware vSwitch security configuration to reduce the chance of your virtual infrastructure being compromised.

To protect the virtual network environment, first assess where the greatest exposure lies. Virtual machines that provide services to external users are usually the most exposed, so they need the most protection. From the guest operating system's perspective, a virtual network card is indistinguishable from a physical one. This means that an attacker who controls a VM's virtual network card can mount the same attacks as from a physical network card, for example a Denial of Service attack against the network.

VMware vSwitch provides security policies that reject malicious behaviour and a traffic shaping policy that limits the bandwidth allowed on each port. The following describes how to implement these configurations.

1. Open the vSphere Client. Select the host, go to the Configuration tab and choose Networking from the Hardware list. The current VMware vSwitch configuration is displayed.

2. Click Properties on the vSwitch you want to configure. The pop-up window lists the vSwitch itself and its existing port groups, together with the policies currently applied to each.

3. Select the vSwitch or the port group whose security settings you want to change and click Edit. Then click the Security tab. The three available security settings and their current values for the selected object are displayed. A port group inherits the vSwitch policy unless you override it at the port group level, so check both.

Figure 1. All configured ports are displayed in the VMware vSwitch attribute.

Configure the VMware vSwitch Security Policy

The first vSwitch security policy is Promiscuous Mode. When it is set to Accept, a virtual network card attached to the port group receives all frames passing through that port group (or through the whole vSwitch, if set at switch level), not only the frames addressed to it. The default is Reject. You can set it to Accept when an administrator needs to perform network security analysis, for example with a virtual intrusion detection sensor or a packet capture VM, because it lets that VM observe all activity on the network. However, it should be enabled only on a dedicated port group for such analysis: any VM on a promiscuous port group can sniff the traffic of every other VM on it, and the extra copying of frames affects network performance.

The second security policy, MAC Address Changes, specifies whether the guest operating system is allowed to change the effective MAC address of its virtual NIC to something other than the address in the VM's configuration. It is set to Accept by default on a standard vSwitch, which lets the guest change its MAC address when a workload requires it. Examples of features that need this are some iSCSI storage area network configurations and Microsoft Network Load Balancing (NLB) in unicast mode. If you do not use such features, set the policy to Reject: a VM that changes its MAC address then stops receiving inbound frames on that NIC, so an attacker inside a VM cannot take over another machine's MAC address to intercept its traffic.

The third security policy is Forged Transmits. With this policy set to Reject, the ESXi host compares the source MAC address of every frame a virtual machine transmits with the effective MAC address of the VM's NIC. If the two differ, the host drops the frame instead of forwarding it, so the VM cannot send traffic that appears to come from another address.

Forged Transmits is set to Accept by default, partly because spoofing a MAC address is sometimes required to work around software licensing. For example, software on a physical machine that is licensed to a specific MAC address stops working after migration to a virtual machine, whose MAC address differs. In that case the virtual machine's MAC address can be changed to the licensed one, which requires both MAC Address Changes and Forged Transmits to be set to Accept on its port group.

However, permitting forged transmits poses a security risk. If an administrator uses MAC-based controls to restrict which systems may access the network, an attacker in a VM can change its unauthorized MAC address to an authorized one and pass those controls.

Figure 2. Adjusting the security policy of a Virtual Machine
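The vSphere Client steps above set these three policies one switch or port group at a time. The following PowerCLI script is an added example, not code from the original article, that audits the effective Promiscuous Mode, MAC Address Changes and Forged Transmits values on every standard vSwitch and port group of a host and then forces them to Reject, keeping an explicit exception list for port groups that genuinely need MAC spoofing (such as an NLB unicast cluster). It assumes the PowerCLI module is installed and that Connect-VIServer has already been run; the host name `esxi01.example.test` and the port group name `NLB-Cluster-PG` are placeholders.

```powershell
# Added example, not code from the original article: audit and harden the three
# vSwitch security policies on one ESXi host with VMware PowerCLI. Assumes the
# PowerCLI module is installed and Connect-VIServer has already been run against
# vCenter or the host. Host and port group names below are placeholders.

function Get-VSwitchSecurityReport {
    # Returns one row per standard vSwitch and per port group with the effective
    # values of Promiscuous Mode, MAC Address Changes and Forged Transmits.
    param([Parameter(Mandatory)] $VMHost)

    foreach ($vs in Get-VirtualSwitch -VMHost $VMHost -Standard) {
        $p = Get-SecurityPolicy -VirtualSwitch $vs
        [pscustomobject]@{
            Object           = $vs.Name
            Level            = 'vSwitch'
            AllowPromiscuous = $p.AllowPromiscuous
            MacChanges       = $p.MacChanges
            ForgedTransmits  = $p.ForgedTransmits
        }
        foreach ($pg in Get-VirtualPortGroup -VirtualSwitch $vs) {
            $pp = Get-SecurityPolicy -VirtualPortGroup $pg
            [pscustomobject]@{
                Object           = "$($vs.Name)/$($pg.Name)"
                Level            = 'PortGroup'
                AllowPromiscuous = $pp.AllowPromiscuous
                MacChanges       = $pp.MacChanges
                ForgedTransmits  = $pp.ForgedTransmits
            }
        }
    }
}

function Set-VSwitchHardening {
    # Sets all three policies to Reject at the vSwitch level and makes every port
    # group inherit that, except port groups listed in -MacSpoofingAllowed (for
    # workloads such as Microsoft NLB in unicast mode), which get an explicit
    # Accept for MAC Address Changes and Forged Transmits only.
    param(
        [Parameter(Mandatory)] $VMHost,
        [string[]] $MacSpoofingAllowed = @()
    )

    foreach ($vs in Get-VirtualSwitch -VMHost $VMHost -Standard) {
        Get-SecurityPolicy -VirtualSwitch $vs |
            Set-SecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false |
            Out-Null

        foreach ($pg in Get-VirtualPortGroup -VirtualSwitch $vs) {
            $pol = Get-SecurityPolicy -VirtualPortGroup $pg
            if ($MacSpoofingAllowed -contains $pg.Name) {
                # Documented exception: override the switch default on this port group only.
                $pol | Set-SecurityPolicy -MacChangesInherited $false -MacChanges $true `
                                          -ForgedTransmitsInherited $false -ForgedTransmits $true |
                    Out-Null
            }
            else {
                # Everything else inherits the switch policy (now Reject/Reject/Reject).
                $pol | Set-SecurityPolicy -AllowPromiscuousInherited $true `
                                          -MacChangesInherited $true `
                                          -ForgedTransmitsInherited $true |
                    Out-Null
            }
        }
    }
}

# Usage (placeholder names):
$esx = Get-VMHost -Name 'esxi01.example.test'
Get-VSwitchSecurityReport -VMHost $esx |
    Where-Object { $_.AllowPromiscuous -or $_.MacChanges -or $_.ForgedTransmits } |
    Format-Table -AutoSize                      # anything listed here deviates from Reject
Set-VSwitchHardening -VMHost $esx -MacSpoofingAllowed @('NLB-Cluster-PG')
```

Run the report first and review every row it prints before hardening: a port group that shows Accept for MAC Address Changes or Forged Transmits either belongs on the exception list or is a misconfiguration that the second function will correct. Re-run the report afterwards; only the exception port group should still appear.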

Traffic Shaping is another VMware vSwitch policy that supports security. When it is enabled, you can limit the bandwidth available to each virtual network card connected to the vSwitch or port group. The limit does not change the overall capacity of the network; it is applied per port. Three values are configured: average bandwidth (the sustained rate allowed, in Kbit/s), peak bandwidth (the maximum rate a burst may reach, in Kbit/s) and burst size (the amount of data, in KB, that may exceed the average rate during a burst). Setting these limits prevents a single VM from consuming all the bandwidth of the switch and the network, which is a useful defence against a compromised VM that launches a Denial of Service flood. Note that on a standard vSwitch the policy shapes only traffic leaving the VM (outbound into the vSwitch); it does not protect a VM from inbound floods. Shaping in both directions requires a vSphere Distributed Switch.

Figure 3. Set the maximum available bandwidth for each interface to prevent DoS attacks
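PowerCLI has no dedicated cmdlet for traffic shaping on a standard vSwitch, so the following added example (not code from the original article) applies the policy described above through the vSphere API: it loads the host's network system with Get-View, updates the port group's shaping policy with the three values (average, peak, burst) and reads the effective policy back for verification. It assumes an existing Connect-VIServer session; the host name `esxi01.example.test` and the port group name `DMZ-Web` are placeholders.

```powershell
# Added example, not code from the original article: enable per-port outbound
# traffic shaping on a standard vSwitch port group through the vSphere API.
# Assumes an existing Connect-VIServer session; host and port group names are
# placeholders.

function Set-PortGroupTrafficShaping {
    param(
        [Parameter(Mandatory)] $VMHost,
        [Parameter(Mandatory)] [string] $PortGroupName,
        [long] $AverageKbps = 100000,   # sustained rate allowed per port (100 Mbit/s)
        [long] $PeakKbps    = 200000,   # ceiling a burst may reach (200 Mbit/s)
        [long] $BurstKB     = 102400    # data allowed above Average at Peak rate (100 MB)
    )

    $netSys = Get-View -Id $VMHost.ExtensionData.ConfigManager.NetworkSystem
    $pg = $netSys.NetworkInfo.Portgroup | Where-Object { $_.Spec.Name -eq $PortGroupName }
    if (-not $pg) { throw "Port group '$PortGroupName' not found on $($VMHost.Name)" }

    # Reuse the existing spec so VLAN, vSwitch binding and the security policy
    # configured earlier are left untouched; only the shaping policy changes.
    $spec = $pg.Spec
    if (-not $spec.Policy) { $spec.Policy = New-Object VMware.Vim.HostNetworkPolicy }

    $shaping = New-Object VMware.Vim.HostNetworkTrafficShapingPolicy
    $shaping.Enabled          = $true
    $shaping.AverageBandwidth = $AverageKbps * 1000   # API takes bits per second
    $shaping.PeakBandwidth    = $PeakKbps * 1000
    $shaping.BurstSize        = $BurstKB * 1024       # API takes bytes
    $spec.Policy.ShapingPolicy = $shaping

    $netSys.UpdatePortGroup($PortGroupName, $spec)
}

function Get-PortGroupTrafficShaping {
    # Read back the effective (computed) shaping policy to verify the change.
    param([Parameter(Mandatory)] $VMHost, [Parameter(Mandatory)] [string] $PortGroupName)

    $netSys = Get-View -Id $VMHost.ExtensionData.ConfigManager.NetworkSystem
    $pg = $netSys.NetworkInfo.Portgroup | Where-Object { $_.Spec.Name -eq $PortGroupName }
    $s = $pg.ComputedPolicy.ShapingPolicy
    [pscustomobject]@{
        PortGroup   = $PortGroupName
        Enabled     = $s.Enabled
        AverageKbps = [long]($s.AverageBandwidth / 1000)
        PeakKbps    = [long]($s.PeakBandwidth / 1000)
        BurstKB     = [long]($s.BurstSize / 1024)
    }
}

# Usage (placeholder names): cap every VM on the DMZ port group at 100 Mbit/s sustained.
$esx = Get-VMHost -Name 'esxi01.example.test'
Set-PortGroupTrafficShaping -VMHost $esx -PortGroupName 'DMZ-Web'
Get-PortGroupTrafficShaping -VMHost $esx -PortGroupName 'DMZ-Web'
```

The API expresses average and peak bandwidth in bits per second and burst size in bytes, while the vSphere Client shows Kbit/s and KB, so the conversions in the function keep the script's parameters in the same units as the GUI. Because the policy is attached to the port group, it caps each VM port on that group individually: one flooding VM is limited to the average rate, and the other VMs on the group keep their own allowance.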

As you can see, some default security settings of VMware vSwitches favour compatibility over security. With a few simple changes, you can raise the security level of your virtual machines and reduce the risk of attacks from the network.
