
The ability to alter the effective MAC address cannot be removed from the guest operating system. Whether the system is allowed to function with that altered MAC address, however, can be controlled through the security policy of a vSwitch. The remaining two settings of a virtual switch security policy are MAC Address Changes and Forged Transmits. Both of these settings are concerned with allowing or denying a difference between the initial MAC address in the virtual machine's configuration (VMX) file and the effective MAC address in the guest operating system. As noted earlier, the default virtual switch security policy is to accept the difference and process traffic as needed.

The difference between the MAC Address Changes and Forged Transmits security settings involves the direction of the traffic. MAC Address Changes is concerned with the integrity of incoming traffic, while Forged Transmits oversees the integrity of outgoing traffic. If the MAC Address Changes option is set to Reject, traffic will not be passed through the vSwitch to the virtual machine (incoming) if the initial and the effective MAC addresses do not match. If the Forged Transmits option is set to Reject, traffic will not be passed from the virtual machine to the vSwitch (outgoing) if the initial and the effective MAC addresses do not match. Figure 3.40 highlights the security restrictions implemented when MAC Address Changes and Forged Transmits are set to Reject.

Figure 3.40 The MAC Address Changes and Forged Transmits security options deal with incoming and outgoing traffic respectively. 

For the highest level of security, VMware recommends setting MAC Address Changes, Forged Transmits, and Promiscuous Mode on each vSwitch to Reject. When warranted or necessary, use port groups to loosen the security for a subset of virtual machines to connect to the port group. 

Real World Scenario

Virtual Switch Policies for Microsoft Network Load Balancing

As with anything, there are, of course, exceptions. For virtual machines that will be configured as part of a Microsoft network load balancing (NLB) cluster set in Unicast mode, the virtual machine port group must allow MAC Address Changes and Forged Transmits. Systems that are part of an NLB cluster will share a common IP address and virtual MAC address, as shown here:

The shared virtual MAC address is generated by using an algorithm that includes a static component based on the NLB cluster's configuration of Unicast or Multicast mode plus a hexadecimal representation of the four octets that make up the IP address. This shared MAC address will certainly differ from the MAC address defined in the VMX file of the virtual machine. If the virtual machine port group does not allow for differences between the MAC addresses in the VMX and guest operating system, NLB will not function as expected. VMware recommends running NLB clusters in Multicast mode due to these issues with NLB clusters in Unicast mode. 
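To make the two directional checks and the NLB case concrete, the following Python model is an added example for this discussion; it is not code from the book or from VMware and does not talk to an ESX host. It models a vSwitch policy, a port group that overrides only some settings (None means inherit, as the VI Client's port-group Security tab does), and the inbound and outbound decisions described above. The NLB cluster MAC function uses the 02-bf (Unicast) and 03-bf (Multicast) prefixes from Microsoft's NLB documentation, which the book page does not state; the assumption that a Multicast-mode adapter keeps its own MAC and only listens to an additional multicast address also comes from that documentation. The VMX MAC and IP address are constructed sample values.

```python
"""Model of the three vSwitch security settings (Promiscuous Mode, MAC Address
Changes, Forged Transmits) and how they decide whether a frame passes.
Added example: not VMware code, and it never contacts a host."""
from dataclasses import dataclass
from typing import Optional

ACCEPT = "Accept"
REJECT = "Reject"


def norm(mac: str) -> str:
    """Normalise 'AA-BB-..' or 'aa:bb:..' to lowercase colon form; reject junk."""
    mac = mac.strip().lower().replace("-", ":")
    parts = mac.split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"bad MAC address: {mac!r}")
    int(mac.replace(":", ""), 16)  # raises ValueError on non-hex digits
    return mac


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the I/G bit (low bit of octet 0) set."""
    return int(norm(mac).split(":")[0], 16) & 1 == 1


@dataclass(frozen=True)
class SecurityPolicy:
    """vSwitch-level policy; VMware's recommended baseline is all Reject."""
    promiscuous_mode: str = REJECT
    mac_address_changes: str = REJECT
    forged_transmits: str = REJECT


@dataclass(frozen=True)
class PortGroupPolicy:
    """A port group overrides only the settings given; None means 'inherit'."""
    promiscuous_mode: Optional[str] = None
    mac_address_changes: Optional[str] = None
    forged_transmits: Optional[str] = None


def effective_policy(vswitch: SecurityPolicy,
                     portgroup: Optional[PortGroupPolicy] = None) -> SecurityPolicy:
    """Resolve what actually applies to a VM connected to the port group."""
    if portgroup is None:
        return vswitch
    return SecurityPolicy(
        promiscuous_mode=portgroup.promiscuous_mode or vswitch.promiscuous_mode,
        mac_address_changes=portgroup.mac_address_changes or vswitch.mac_address_changes,
        forged_transmits=portgroup.forged_transmits or vswitch.forged_transmits,
    )


def outbound_allowed(policy: SecurityPolicy, initial_mac: str, source_mac: str) -> bool:
    """Forged Transmits: a frame leaving the VM whose source MAC is not the
    initial (VMX) MAC is dropped when the setting is Reject."""
    if norm(source_mac) == norm(initial_mac):
        return True
    return policy.forged_transmits == ACCEPT


def inbound_delivered(policy: SecurityPolicy, initial_mac: str,
                      effective_mac: str, dst_mac: str) -> bool:
    """MAC Address Changes: if the guest's effective MAC differs from the initial
    MAC and the setting is Reject, nothing is delivered to that port.
    Promiscuous Mode: with Reject the port only receives frames addressed to
    its own effective MAC or to a broadcast/multicast address."""
    if norm(effective_mac) != norm(initial_mac) and policy.mac_address_changes == REJECT:
        return False
    if policy.promiscuous_mode == ACCEPT:
        return True
    return norm(dst_mac) == norm(effective_mac) or is_group_address(dst_mac)


def nlb_cluster_mac(cluster_ip: str, mode: str) -> str:
    """Microsoft NLB cluster MAC: a mode-dependent 16-bit prefix followed by the
    four IPv4 octets in hex.  Prefixes (02-bf Unicast, 03-bf Multicast) are
    from Microsoft's NLB documentation, not from the book page."""
    prefix = {"unicast": "02:bf", "multicast": "03:bf"}[mode.lower()]
    octets = [int(o) for o in cluster_ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {cluster_ip!r}")
    return prefix + ":" + ":".join(f"{o:02x}" for o in octets)


def main() -> None:
    vmx_mac = "00:50:56:a1:2b:3c"            # constructed VMX MAC (VMware OUI)
    uni = nlb_cluster_mac("192.168.10.50", "unicast")
    strict = SecurityPolicy()
    nlb_pg = effective_policy(strict, PortGroupPolicy(
        mac_address_changes=ACCEPT, forged_transmits=ACCEPT))
    for name, pol in (("vSwitch (all Reject)", strict), ("NLB port group", nlb_pg)):
        print(f"{name}: unicast NLB out={outbound_allowed(pol, vmx_mac, uni)} "
              f"in={inbound_delivered(pol, vmx_mac, uni, uni)}")


if __name__ == "__main__":
    main()
```

Running it shows the unicast NLB node being cut off in both directions on an all-Reject vSwitch, and working once only its port group accepts MAC Address Changes and Forged Transmits while Promiscuous Mode stays Reject. The same override mechanism is how a single port group for an IDS virtual machine can be given Promiscuous Mode Accept without loosening the rest of the vSwitch.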

Perform the following steps to edit the security profile of a vSwitch: 

1. Use the VI Client to establish a connection to a VirtualCenter server or an ESX Server host.

2. Click the hostname in the inventory panel on the left, select the Configuration tab from the details pane on the right, and then select Networking from the Hardware menu list.

3. Click the Properties link for the virtual switch.

4. Click the name of the virtual switch under the Configuration list and then click the Edit button.

5. Click the Security tab and make the necessary adjustments.

6. Click OK and then click Close. 

Follow these steps to edit the security profile of a port group:

1. Use the VI Client to establish a connection to a VirtualCenter server or an ESX Server host.

2. Click the hostname in the inventory panel on the left, select the Configuration tab from the details pane on the right, and then select Networking from the Hardware menu list.

3. Click the Properties link for the virtual switch.

4. Click the name of the port group under the Configuration list and then click the Edit button.

5. Click the Security tab and make the necessary adjustments.

6. Click OK and then click Close.

Managing the security of a virtual network architecture is much the same as managing the security of any other portion of your information systems. Security policy should dictate that settings be configured as securely as possible, erring on the side of caution. Security should be reduced only with proper authorization, documentation, and change management. In addition, any reduction in security should be scoped as narrowly as possible, ideally to only the systems that require the adjustment.

The Bottom Line

Identify the components of virtual networking. Virtual networking is made up of a combination of relationships that exist between the logical networking components created in the VMkernel of ESX Server and the physical network devices. The virtual machines are configured on vSwitches bound to physical network adapters that are connected to physical switches.

Create virtual switches and virtual switch port groups. Virtual switches, ports, and port groups are the cornerstone of the virtual networking architecture. These virtual components provide the tools for connecting to the physical network components to allow communication between the virtual and physical environments.

Master It Virtual machines need to communicate with physical servers on the production network.

Master It Service console communication must occur on a dedicated management network.

Master It A dedicated network has been implemented to support VMotion.

Master It A dedicated storage network has been implemented to support communication to iSCSI and NFS storage devices.

Create and manage NIC teams. NIC teams offer the opportunity for redundancy and load balancing of network traffic. NIC teams offer three load-balancing policies: port-based, source MAC-based, and IP hash-based load balancing. 

Master It Virtual machines with one virtual network adapter must be capable of using multiple physical network adapters when connecting to multiple network destinations.

Master It A vSwitch configured with a NIC team needs to experience failback when a physical network adapter is repaired after failover.

Master It Bandwidth available on multiple physical network adapters must be accessible to a single virtual network adapter on a virtual machine.

Master It Discovery time after a failover event on a NIC team needs to be minimized to prevent unnecessary delays.

Create and manage virtual LANs (VLANs). The use of VLANs in a virtual networking architecture offers security, scalability, and communication efficiency.

Master It A vSwitch needs to be configured with two VLANs named VLAN101 and VLAN102.

Master It A vSwitch is configured with VLANs identical to those configured on the physical switch to which it is connected; however, traffic between the two switches is not functioning.

Configure virtual switch security policies. Virtual switch security comes in a tight little package of three settings that govern how traffic is identified and processed through a virtual switch. Promiscuous Mode, MAC Address Changes, and Forged Transmits together provide a securable vSwitch architecture, ensuring that only the right systems are sending and receiving traffic as expected.

Master It A virtual machine with an installed intrusion detection system (IDS) needs to "sniff" the traffic passing through a vSwitch but the vSwitch is not configured to allow virtual machines to identify all traffic on the switch. You need to allow the functionality of the IDS while minimizing the security impact on the network.