V. Hardening Steps to Secure Virtualisation Environment - Virtual Network Layer

by JUCC ISTF
/* The following article is extracted from the "Information Security Newsletter" published by the JUCC IS Task Force. */ 
 
The virtual networking layer consists of the virtual network devices through which virtual machines and the Service Console interface with the rest of the network. A VM server such as ESX Server relies on the virtual networking layer to support communications between virtual machines and the users. The virtual networking layer includes virtual network adapters and virtual switches.
 
1.  Network breach by user error or omission - All virtual networks should be labelled appropriately to prevent confusion or security compromises. This labelling prevents operator errors such as a virtual machine being attached to a network it is not authorised for, or to a network that could allow the leakage of sensitive information. In addition, sensitive networks should be physically segregated from each other by using clusters of physical hosts.
 
2.  MAC Address spoofing (MAC address changes) - The "MAC address changes" option should be set to "Reject" in order to protect against MAC impersonation. ESX Server will then refuse requests to change the effective MAC address to anything other than the initial MAC address, and the port that the virtual adapter used to send the request is disabled. As a result, the virtual adapter does not receive any more frames until it changes the effective MAC address to match the initial MAC address.
 
3.  MAC Address spoofing (Forged transmissions) - The "Forged transmissions" option affects traffic transmitted from a virtual machine. It should be set to "Reject" so that ESX Server compares the source MAC address being transmitted by the operating system with the effective MAC address of its adapter to see if they match. If the addresses do not match, ESX Server drops the packet. ESX Server intercepts any packets with impersonated addresses before they are delivered, and the guest operating system might assume that the packets have been dropped.
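
The two "Reject" settings in items 2 and 3 act at different points, which the following added example (not part of the original newsletter and not VMware code) models as a small state machine. The class and method names are hypothetical, the MAC addresses are constructed samples, and the logic follows only the behaviour described above.

```python
from dataclasses import dataclass

@dataclass
class VirtualPort:
    """Toy model of one virtual switch port (illustrative names, not a VMware API)."""
    initial_mac: str                    # MAC assigned when the adapter was created
    effective_mac: str = ""             # MAC the guest currently asks the adapter to use
    mac_changes: str = "Reject"         # "MAC address changes" setting
    forged_transmits: str = "Reject"    # "Forged transmissions" setting
    enabled: bool = True

    def __post_init__(self):
        self.initial_mac = self.initial_mac.lower()
        self.effective_mac = (self.effective_mac or self.initial_mac).lower()

    def set_effective_mac(self, mac: str) -> bool:
        """Guest requests a new effective MAC; returns True if the port stays enabled."""
        self.effective_mac = mac.lower()
        if self.mac_changes == "Reject":
            # Port stays disabled until the effective MAC matches the initial MAC again.
            self.enabled = self.effective_mac == self.initial_mac
        return self.enabled

    def transmit(self, src_mac: str) -> str:
        """Outbound frame from the guest: 'forwarded' or 'dropped'."""
        if not self.enabled:
            return "dropped"
        if self.forged_transmits == "Reject" and src_mac.lower() != self.effective_mac:
            return "dropped"            # source MAC differs from the effective MAC
        return "forwarded"

    def receive(self) -> str:
        """Inbound frame to the guest: a disabled port delivers nothing."""
        return "delivered" if self.enabled else "dropped"


if __name__ == "__main__":
    OWN, OTHER = "00:50:56:aa:bb:01", "00:50:56:aa:bb:99"   # constructed sample MACs
    port = VirtualPort(OWN)
    print("own source MAC     :", port.transmit(OWN))
    print("forged source MAC  :", port.transmit(OTHER))
    print("change to other MAC:", port.set_effective_mac(OTHER), port.receive())
    print("revert to initial  :", port.set_effective_mac(OWN), port.receive())
```

With both settings on "Reject", a forged source address costs only the single frame, while a changed effective MAC takes the whole port offline until it is reverted.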
 
  
Reference: