7.1 Ensure the vSwitch Forged Transmits policy is set to reject

Information

Set the vSwitch Forged Transmits policy to reject for each vSwitch. Reject Forged Transmit can be set at the vSwitch and/or the Portgroup level. You can override switch-level settings at the Portgroup level.

Rationale:

If the virtual machine operating system changes the MAC address, the operating system can send frames with an impersonated source MAC address at any time. This allows an operating system to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network. Setting forged transmissions to accept means the virtual switch does not compare the source and effective MAC addresses. To protect against MAC address impersonation, all virtual switches should have forged transmissions set to reject.

Solution

To set the policy to reject forged transmissions, perform the following:

In the vSphere Web Client, navigate to the host.

Go to 'Hosts and Clusters' -> 'vCenter' -> host.

On the Configure tab, click Networking, and select Virtual switches.

Select a standard switch from the list and click the pencil icon to edit settings.

Select Security.

Set Forged transmits to 'Reject'.

Click 'OK'.

Alternately, the following ESXi shell command may be used:

# esxcli network vswitch standard policy security set -v vSwitch2 -f false

See Also

https://workbench.cisecurity.org/benchmarks/8020

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, 800-53|SC-7(5), CSCv7|12.4

Plugin: VMware

Control ID: 9858ff57968f5bd7833b5f8797dc3600523a36f4092e776dc0fb03f54c7c713e