Network Security Features Available in a Virtual Switch

Virtual switches, such as those created by VMware platforms, provide a number of useful network security features.

Create and apply policies

One of the network security features that virtualization administrators may not be aware of is that policies can be applied to virtual switch ports. Whereas a physical switch port has no visibility into the configuration of the network interface card connected to it, a virtual switch can inspect the configuration of the virtual network ports attached to it. This allows administrators to create and apply policies that help maintain a secure posture.

For example, a virtual switch can prevent a guest virtual machine from changing its media access control (MAC) address, a common sign of malicious activity.

Promiscuous mode for virtual machines is disabled by default. When enabled, promiscuous mode allows a VM to see all unicast network traffic traversing the virtual switch, not just the frames addressed to it. Since this is not desirable behavior from a security perspective, promiscuous mode is left disabled, so that a virtual machine only sees the data it is supposed to see. The security policy for promiscuous mode is set at the virtual switch or port group level.

Lock down MAC addresses

Another of the valuable network security features associated with virtual switches is that MAC addresses can be locked down. A MAC address is the permanent physical identifier of each network device; it is a bit like a physical home address.

VMs are assigned MAC addresses as part of their network configuration, but a MAC address can be changed from inside the guest quite easily. This is undesirable from a security perspective and may be a sign of malicious activity. Locking the MAC address means such a change is rejected by the virtual switch rather than taking effect on the network.

Block spoofed traffic from VMs

Finally, virtual switches block spoofed traffic from VMs. Normally, a network device such as a physical switch does not compare the source MAC address of the frames it forwards with the MAC address assigned to the sending device. This could allow malicious traffic to be sent using tactics such as MAC spoofing. Because the virtual switch knows which MAC address each VM port was given, it can compare the two and drop frames whose source MAC has been spoofed or forged.
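The three policies above (promiscuous mode, MAC address changes, and blocking of spoofed or forged transmits) interact through two addresses the switch tracks for each VM port: the MAC assigned in the VM's configuration and the MAC the guest currently presents. The following is an added example, a simplified Python model written for this article rather than VMware's code; the class names, the disable-and-re-enable behaviour on a rejected MAC change, and the broadcast-only exception under non-promiscuous mode are assumptions of the model.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class SecurityPolicy:
    """One flag per virtual switch / port group setting: True = Accept, False = Reject.
    The defaults mirror the secure posture described in the article."""
    promiscuous: bool = False
    mac_changes: bool = False
    forged_transmits: bool = False


@dataclass
class VmPort:
    initial_mac: str      # MAC assigned to the VM in its configuration
    effective_mac: str    # MAC the guest OS currently presents on its NIC
    policy: SecurityPolicy = field(default_factory=SecurityPolicy)
    enabled: bool = True  # False once a rejected MAC change has shut the port

    def __post_init__(self):
        self.initial_mac = self.initial_mac.lower()
        self.effective_mac = self.effective_mac.lower()

    def guest_changes_mac(self, new_mac: str) -> bool:
        """Guest reconfigures its NIC. With MAC changes set to Reject, the port is
        disabled while the effective MAC differs from the initial MAC."""
        self.effective_mac = new_mac.lower()
        self.enabled = self.effective_mac == self.initial_mac or self.policy.mac_changes
        return self.enabled

    def transmit(self, src_mac: str) -> bool:
        """Outbound check: with forged transmits set to Reject, a frame whose source
        MAC is not the port's effective MAC is dropped."""
        if not self.enabled:
            return False
        return src_mac.lower() == self.effective_mac or self.policy.forged_transmits

    def receive(self, dst_mac: str) -> bool:
        """Inbound delivery: with promiscuous mode set to Reject, the port only sees
        frames addressed to its own effective MAC (broadcast is always delivered)."""
        if not self.enabled:
            return False
        return dst_mac.lower() in (self.effective_mac, BROADCAST) or self.policy.promiscuous
```

Constructing a `VmPort` with the default policy and calling `transmit` with a source MAC other than the port's own shows the forged frame being dropped, while `guest_changes_mac` with a new address shows the port going offline until the guest reverts.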
