vSphere · September 30, 2023

ESXi Hardening: vSwitch Network Policy

Last week I was working with a customer on some security hardening pointers. They were concerned about the vSwitch network policy.

Shared the following recommendation with them. Hope this is useful.

In VMware vSphere, vSwitches have two network policy settings, “MAC address changes” and “Forged transmits”, that control how the vSwitch treats the MAC addresses used by virtual machine (VM) network traffic. Let’s look at the implications of changing these settings from “Accept” to “Reject”:

  1. MAC Address Changes:
    • When set to “Accept” (default), the vSwitch allows a VM to change the MAC address of its virtual NIC and continues to pass its traffic.
    • Changing this setting to “Reject” prevents a VM from using a changed MAC address on the network.
    • Impact: In most cases, restricting MAC address changes is unnecessary unless there are specific security or compliance requirements. Setting it to “Reject”, however, helps prevent MAC address spoofing and unauthorized network traffic.
  2. Forged Transmits:
    • When set to “Accept” (default), the vSwitch allows VMs to send frames whose source MAC address does not match their configured MAC address.
    • Changing this setting to “Reject” prevents VMs from sending traffic with forged or mismatched source MAC addresses.
    • Impact: By rejecting forged transmits, you enhance network security and prevent potential MAC address impersonation attacks. However, certain scenarios, such as virtual machine migrations, network load balancing, or advanced network configurations, may require this setting to remain at “Accept”.

It’s important to evaluate the implications of changing these settings on your specific environment and workloads. Here are some considerations:

  • Compatibility: Some applications or services rely on the ability to change MAC addresses or to use forged transmits. Changing these settings could break their functionality or communication.
  • Network Load Balancing: If you are using network load balancing mechanisms that depend on MAC address changes or forged transmits, setting either policy to “Reject” may disrupt load balancing.
  • Virtual Machine Migration: When VMs are migrated between hosts, MAC addresses might need to change temporarily to ensure network connectivity. Setting “MAC address changes” to “Reject” may interfere with such migrations.

Before changing these settings, it’s recommended to consult with your network and security teams to ensure that the modifications align with your security policies and won’t cause unintended consequences or disruptions to your network infrastructure.
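An audit-first way to apply the recommendation above, as an added PowerCLI example that is not part of the original post: it reports every standard vSwitch and port group where either policy is still “Accept”, and only changes them to “Reject” when `-Remediate` is passed. It assumes VMware PowerCLI and an existing `Connect-VIServer` session; `$ExcludePortGroup` is an assumed parameter for port groups that legitimately need “Accept” (for example, a network load balancing port group).

```powershell
# Added example, not from the original post. Audits standard vSwitches and
# port groups for "MAC address changes" / "Forged transmits" set to Accept and,
# only with -Remediate, sets them to Reject. Assumes VMware PowerCLI and an
# existing Connect-VIServer session. $ExcludePortGroup is an assumed parameter
# listing port groups that legitimately require Accept (e.g. NLB).
param(
    [string[]]$ExcludePortGroup = @(),
    [switch]$Remediate
)

$findings = foreach ($esx in Get-VMHost) {
    foreach ($vss in Get-VirtualSwitch -VMHost $esx -Standard) {
        $swPol = Get-SecurityPolicy -VirtualSwitch $vss
        if ($swPol.MacChanges -or $swPol.ForgedTransmits) {
            [pscustomobject]@{
                Host = $esx.Name; Object = $vss.Name; Type = 'vSwitch'
                MacChanges = $swPol.MacChanges; ForgedTransmits = $swPol.ForgedTransmits
            }
            if ($Remediate) {
                # Harden at the switch level; port groups that inherit pick this up
                Set-SecurityPolicy -VirtualSwitchPolicy $swPol -MacChanges $false -ForgedTransmits $false | Out-Null
            }
        }
        foreach ($pg in Get-VirtualPortGroup -VirtualSwitch $vss) {
            if ($ExcludePortGroup -contains $pg.Name) { continue }
            $pgPol = Get-SecurityPolicy -VirtualPortGroup $pg
            # Effective value: a port group either inherits the switch policy or overrides it
            $mac    = if ($pgPol.MacChangesInherited)      { $swPol.MacChanges }      else { $pgPol.MacChanges }
            $forged = if ($pgPol.ForgedTransmitsInherited) { $swPol.ForgedTransmits } else { $pgPol.ForgedTransmits }
            if ($mac -or $forged) {
                [pscustomobject]@{
                    Host = $esx.Name; Object = $pg.Name; Type = 'PortGroup'
                    MacChanges = $mac; ForgedTransmits = $forged
                }
                if ($Remediate -and -not ($pgPol.MacChangesInherited -and $pgPol.ForgedTransmitsInherited)) {
                    # Explicit Accept override on the port group: set it to Reject as well
                    Set-SecurityPolicy -VirtualPortGroupPolicy $pgPol -MacChanges $false -ForgedTransmits $false | Out-Null
                }
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Host 'No standard vSwitch or port group accepts MAC changes or forged transmits.' }
```

Run it without `-Remediate` first and review the table with the network and security teams, then rerun with `-Remediate` and the agreed exclusion list.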