Virtual switches, such as those created by VMware platforms, provide a number of useful network security features.
Create and apply policies
One of the network security features that virtualization administrators may not be aware of is that policies can be applied to virtual switch ports. While physical switch ports have no insight into the configuration of the physical NIC ports connected to them, a virtual switch can see the configuration of the virtual network ports connected to it. This allows administrators to create and apply policies that help maintain a secure posture.
For example, a virtual switch can prevent a guest virtual machine from changing its media access control (MAC) address, a common sign of malicious activity.
Promiscuous mode for virtual machines is disabled by default. When enabled, promiscuous mode allows a virtual machine to see all unicast network traffic traversing the virtual switch, not just the traffic addressed to it. Because this is not desirable from a security perspective, promiscuous mode is left disabled so that a virtual machine only sees the data it is supposed to see. The security policy for promiscuous mode is set at the virtual switch or port group level.
Lock down MAC addresses
Another of the valuable network security features associated with virtual switches is that MAC addresses are locked down. A MAC address represents the permanent physical identifier of each network device – it’s a bit like a physical home address.
VMs are assigned MAC addresses as part of their network configuration, but a MAC address can be changed from inside the guest quite easily. This is undesirable from a security perspective and may be a sign of malicious activity. Locking the MAC address at the virtual switch prevents a guest from changing it.
Block spoofed traffic from VMs
Finally, virtual switches can block spoofed traffic from VMs. Normally, a network device such as a switch does not compare the source MAC address in outbound frames with the MAC address of the sending device to make sure they match. This could allow malicious traffic to be sent using tactics such as MAC spoofing. When the virtual switch compares the two addresses, it is able to block spoofed or forged traffic.
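Because all three settings can be set at the switch and overridden per port group, the effective policy for a given port group is the override if one is set and the switch value otherwise. The following added example (not code from the article) resolves and audits that effective policy over constructed sample data; the field names follow the vSphere API security policy object (allowPromiscuous, macChanges, forgedTransmits), where an unset field on a port group means "inherit from the virtual switch". With a live host the same values would be read through pyVmomi from `spec.policy.security` on each vSwitch and port group (an assumption about where the data is sourced, not something the article states).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Field names mirror the vSphere API's HostNetworkSecurityPolicy.
# True = Accept, False = Reject, None (port group only) = inherit from switch.
FIELDS = ("allowPromiscuous", "macChanges", "forgedTransmits")


@dataclass
class SecurityPolicy:
    allowPromiscuous: Optional[bool] = None
    macChanges: Optional[bool] = None
    forgedTransmits: Optional[bool] = None


def effective_policy(switch: SecurityPolicy, portgroup: SecurityPolicy) -> Dict[str, bool]:
    """What actually applies to a port group: its own override if set, else the switch value."""
    return {
        f: getattr(portgroup, f) if getattr(portgroup, f) is not None else getattr(switch, f)
        for f in FIELDS
    }


def audit(switch_name: str, switch: SecurityPolicy,
          portgroups: Dict[str, SecurityPolicy]) -> List[str]:
    """One finding per port group setting whose effective value is Accept (True)."""
    findings = []
    for pg_name, pg in portgroups.items():
        eff = effective_policy(switch, pg)
        for f in FIELDS:
            if eff[f]:
                # Report whether the weak value came from the port group or the switch.
                source = "override" if getattr(pg, f) is not None else f"inherited from {switch_name}"
                findings.append(f"{switch_name}/{pg_name}: {f}=Accept ({source})")
    return findings


# Constructed sample data: the vSwitch was left with promiscuous mode accepted,
# one port group inherits everything, another re-enables MAC changes.
SAMPLE_SWITCH = SecurityPolicy(allowPromiscuous=True, macChanges=False, forgedTransmits=False)
SAMPLE_PORTGROUPS = {
    "VM Network": SecurityPolicy(),  # inherits Accept/Reject/Reject
    "Legacy Cluster": SecurityPolicy(allowPromiscuous=False, macChanges=True),
}

if __name__ == "__main__":
    for line in audit("vSwitch0", SAMPLE_SWITCH, SAMPLE_PORTGROUPS):
        print(line)
```

The output flags "VM Network" for inheriting promiscuous mode from the switch and "Legacy Cluster" for its own MAC-change override, which is the distinction an administrator needs to know where to apply the fix.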