1. Open the vSphere Client, go to the "Configuration" tab of the host and select Networking in the Hardware list to display the current configuration of the VMware vSwitch.
2. Click Properties on the vSwitch to be configured. A new pop-up window lists the existing ports and port groups of the vSwitch together with the properties currently applied to them.
3. Select the vSwitch itself or the port group for which you want to configure security settings, click Edit and open the Security tab. The three security settings of the selected object are displayed here with their current values. Note that a policy set on a port group overrides the policy of the vSwitch, so after hardening the vSwitch, check every port group to make sure none of them still overrides a setting with Accept.
Figure 1. The VMware vSwitch properties window lists all configured ports and port groups.
Configuring the VMware vSwitch security policy
The first vSwitch security policy to decide on is Promiscuous Mode. When it is set to Accept, a virtual NIC connected to the vSwitch (or port group) receives every frame that passes through it, not only the frames addressed to its own MAC address. By default it is set to Reject. An administrator who wants to run network security analysis, for example an IDS sensor or a packet capture VM, can set it to Accept on a dedicated port group so that the sensor VM sees all traffic crossing the virtual switch. Use it only for that purpose, only for the duration of the analysis and only on that port group: every VM connected to a promiscuous port group can sniff the traffic of all the others, and delivering a copy of every frame to the sensor also costs network performance.
The second security policy, MAC Address Changes, controls whether the guest operating system is allowed to change the MAC address of its virtual network card away from the initial MAC address defined in the virtual machine's configuration. On a standard vSwitch this is set to Accept by default, so the guest can change its MAC address when needed, for example for some iSCSI software initiators or for Microsoft Network Load Balancing in unicast mode. When it is set to Reject, a port whose effective MAC address differs from the initial one is disabled and stops receiving frames. If you do not use these functions in your environment, set the policy to Reject so that a guest, or an attacker who has compromised it, cannot take over the MAC address of another host and receive its traffic.
The third way to strengthen the security of the VMware vSwitch is the Forged Transmits policy. With Forged Transmits set to Reject, the ESXi host compares the source MAC address of every frame the virtual machine (VM) sends with the effective MAC address of its virtual network card. If they differ, the host discards the frame. Frames sent with the virtual NIC's own MAC address are still delivered, so the virtual machine is not cut off from the network, it just cannot send under a different identity.
By default this policy is set to Accept, that is, forged transmits are allowed, because some workloads need them. For example, if software on a physical machine is licensed to a specific MAC address, it will not work on a virtual machine whose virtual NIC has a different MAC address; allowing forged transmits lets the virtual machine send with the licensed MAC address and keeps the software working.
Allowing forged transmits brings security risks, however. If network access is restricted to authorized MAC addresses, an intruder who controls a virtual machine can change its unauthorized MAC address to an authorized one and bypass that control, and can impersonate other hosts on the same switch. Set Forged Transmits to Reject unless a specific workload is known to require it.
Traffic shaping is another vSwitch feature that can improve security. When it is enabled, you can limit the bandwidth available to each virtual network card connected to the vSwitch. It does not cap the switch or the physical uplinks as a whole; it sets a limit per port. The limit is defined by three values, the average bandwidth (Kbit/s), the peak bandwidth (Kbit/s) and the burst size (KB), and on a standard vSwitch it applies only to traffic leaving the virtual machine. Setting it prevents a single node, whether a misbehaving or a compromised VM, from consuming all the bandwidth of the switch and the upstream network, which limits the damage of a DoS attack launched from inside the environment. It does nothing against a DoS attack arriving from outside.
Figure 2. Capping the bandwidth available to each interface limits what a single virtual machine can do in a DoS attack.
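The steps above are clicked through in the vSphere Client; the same audit and hardening of the three security policies and of traffic shaping can be scripted from the ESXi shell with esxcli. The following script is an added example, not code from the original article or from VMware. It assumes a standard vSwitch named vSwitch0 with port groups "VM Network" and "Monitoring" (names chosen for the example), that the generated esxcli commands are run on the ESXi host, and the sample policy listing embedded in it is constructed to look like the output of `esxcli network vswitch standard policy security get` on a host still running the defaults discussed above. The functions only print the esxcli commands, so the script runs anywhere and the output can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example (not from the original article): audit and harden the security
# policy of a VMware standard vSwitch with esxcli. The functions only build and
# print the esxcli commands; pipe the output to sh on the ESXi host to apply
# them. The vSwitch and port-group names are assumptions for the example.

# audit_security_policy reads the output of
#   esxcli network vswitch standard policy security get -v <vSwitch>
# on stdin, prints one "WEAK:" line per policy still set to Accept (true),
# and returns 1 if anything is weak, 0 if all three policies are Reject.
audit_security_policy() {
    weak=0
    while IFS= read -r line; do
        key=$(printf '%s' "$line" | sed 's/^ *//; s/ *:.*$//')
        val=$(printf '%s' "$line" | sed 's/^.*: *//')
        case "$key" in
            "Allow Promiscuous"|"Allow MAC Address Change"|"Allow Forged Transmits")
                if [ "$val" = "true" ]; then
                    echo "WEAK: $key = Accept"
                    weak=1
                fi ;;
        esac
    done
    return "$weak"
}

# hardening_commands prints the esxcli commands that set Promiscuous Mode,
# MAC Address Changes and Forged Transmits to Reject on the vSwitch and on
# every listed port group. Port-group policies override the vSwitch policy,
# so both levels are set explicitly.
hardening_commands() {
    vswitch=$1; shift
    printf 'esxcli network vswitch standard policy security set --vswitch-name="%s" --allow-promiscuous=false --allow-mac-change=false --allow-forged-transmits=false\n' "$vswitch"
    for pg in "$@"; do
        printf 'esxcli network vswitch standard portgroup policy security set --portgroup-name="%s" --allow-promiscuous=false --allow-mac-change=false --allow-forged-transmits=false\n' "$pg"
    done
}

# monitoring_commands prints the one deliberate exception, a dedicated
# capture/IDS port group: promiscuous mode on, the other two still rejected.
monitoring_commands() {
    printf 'esxcli network vswitch standard portgroup policy security set --portgroup-name="%s" --allow-promiscuous=true --allow-mac-change=false --allow-forged-transmits=false\n' "$1"
}

# shaping_commands prints the command that caps outbound traffic per port:
# average and peak bandwidth in Kbit/s, burst size in KB. The values used
# below are illustrative; size them for your own workloads.
shaping_commands() {
    printf 'esxcli network vswitch standard policy shaping set --vswitch-name="%s" --enabled=true --avg-bandwidth=%s --peak-bandwidth=%s --burst-size=%s\n' "$1" "$2" "$3" "$4"
}

# Constructed sample: what the security "get" prints on a host running the
# defaults described above (promiscuous rejected, the other two accepted).
SAMPLE_POLICY='   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true'

# Stand-alone demonstration: audit the sample and, if it is weak, print the
# commands that would fix it.
if ! printf '%s\n' "$SAMPLE_POLICY" | audit_security_policy; then
    hardening_commands vSwitch0 "VM Network"
    monitoring_commands Monitoring
    shaping_commands vSwitch0 100000 200000 102400
fi
```

On the host, the audit is run as `esxcli network vswitch standard policy security get -v vSwitch0 | sh -c '. ./vswitch-audit.sh; audit_security_policy'` style, and the port-group variant (`esxcli network vswitch standard portgroup policy security get -p "VM Network"`) should be audited the same way, since a port group that overrides the vSwitch with Accept silently undoes the hardening.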
As you can see, several default security settings of the VMware vSwitch are chosen for compatibility rather than security. With a few simple changes (Promiscuous Mode, MAC Address Changes and Forged Transmits set to Reject, and traffic shaping enabled where appropriate), the security of the virtual machines on the switch improves and the risk from a compromised or malicious virtual machine, as well as from external network attacks, is reduced.