Dario Lo Presti - Fotolia
Network security features available in a virtual switch
Virtual switch security is achieved through a number of features. Virtualization admins can create and enforce policies, lock down MAC addresses and block forged traffic from VMs.
Virtual switches, such as those created by VMware platforms, provide a number of useful network security features.
Create and enforce policies
One of the network security features virtualization admins might not know about is that it's possible to employ policies with virtual switch ports. Where physical switch ports have no insight into the configuration of the physical network interface card ports attached to them, virtual switches can detect the configuration of virtual network ports connected to them. This makes it possible for administrators to create and enforce policies that help maintain a secure posture.
For example, a virtual switch can prevent a guest VM from changing its media access control (MAC) address -- a common sign of malicious activity.
Promiscuous mode for VMs is disabled by default. When enabled, promiscuous mode enables VMs to see all unicast network traffic traversing a virtual switch. Since this isn't desirable behavior from a security standpoint, promiscuous mode is disabled, so a VM only sees the data it is intended to see. The security policy for promiscuous mode is set at the virtual switch or the port group level.
Lock down MAC addresses
Another one of the valuable network security features associated with virtual switches is that MAC addresses are locked down. A MAC address represents the permanent physical identifier for every network device -- it's a bit like a physical home address.
VM networking explained
The difference between physical, virtual and virtual distributed switches; the difference between physical, virtual, uplink and group ports; how NIC teaming works in a VM network environment; and the best practices for configuring a VM network.
VMs are assigned MAC addresses as part of their network configuration, but MAC addresses can be changed fairly easily in VMs. Unfortunately, this is undesirable from a security perspective and can be a sign of malicious activity. Locking down the MAC address prevents this vulnerability.
Block forged traffic from VMs
Finally, virtual switches block forged traffic from VMs. Normally, a network device -- such as a virtual switch -- doesn't compare MAC addresses in IP packets with the MAC address of the sending device to make sure they match. This could enable malicious traffic to be sent using tactics such as MAC spoofing. When the virtual switch compares MAC addresses, it's able to block forged -- or spoofed -- traffic.
Dig Deeper on Containers and virtualization
Related Q&A from Stephen J. Bigelow
What is data separation and why is it important in the cloud?
Some enterprises avoid the public cloud due to its multi-tenant nature and data security concerns. Learn what data separation is and how it can keep ... Continue Reading
NAS vs. object storage: What's best for unstructured data storage?
There are advantages and disadvantages to using NAS or object storage for unstructured data. Find out what to consider when it comes to scalability, ... Continue Reading
Do hypervisors limit vertical scalability?
Knowing hardware maximums and VM limits ensures you don't overload the system. Learn hypervisor scalability limits for Hyper-V, vSphere, ESXi and ... Continue Reading