Information
The MAC address changes security policy on a standard virtual switch (and on each of its port groups, which inherit the switch setting unless they explicitly override it) controls whether a guest operating system may change the effective MAC address of its virtual network adapter away from the initial MAC address assigned in the virtual machine's configuration. When the policy is set to Reject and a guest changes its effective MAC address, the virtual switch port stops delivering inbound frames to that adapter until the address matches the initial one again, so a virtual machine cannot impersonate another host's or appliance's network adapter. This prevents MAC impersonation and the unauthorized network access and spoofing attacks that build on it, and helps ensure that only authorized adapters receive traffic.
This control applies to the receive side; the separate Forged transmits policy governs outbound frames whose source MAC does not match the effective address and is covered by its own recommendation.
Solution
To set the policy to Reject, perform the following:
- From the vSphere Web Client, select the host.
- Click Configure, then expand Networking.
- Select Virtual switches, select the vSwitch to modify, then click Edit.
- Click Security.
- Set MAC address changes to Reject in the dropdown.
- Click OK.
Alternatively, perform the following from the ESXi shell, replacing vSwitch2 with the name of the switch to change (-m false corresponds to Reject):
# esxcli network vswitch standard policy security set -v vSwitch2 -m false
Port groups that override the switch-level security policy keep their own setting and must be changed separately (esxcli network vswitch standard portgroup policy security set), so check the effective policy on each port group as well as on the switch.
Impact:
Workloads that legitimately change the effective MAC address of a virtual network adapter, for example Microsoft Network Load Balancing in unicast mode, lose inbound connectivity when this policy is set to Reject. Create a separate port group with MAC address changes set to Accept for only those authorized virtual machines, so that the rest of the switch keeps the secure setting and the exception is documented and auditable.
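The following ESXi shell script is an added example, not part of this benchmark item or of VMware's tooling. It audits the effective MAC address changes policy on every standard vSwitch and every port group, applies the exception model from the Impact note (a hypothetical, space-separated ALLOWED_OVERRIDE_PGS list naming the separate port groups authorized to keep Accept; names without spaces), and prints the esxcli remediation for each failure without changing anything. It assumes that `esxcli network vswitch standard policy security get` and the portgroup variant print a line of the form `Allow MAC Address Change: true|false` reflecting the effective setting, and that `esxcli network vswitch standard list` prints `Name:` and `Portgroups:` lines per switch; the sample outputs at the bottom are constructed for offline checks, not captured from a host.

```shell
#!/bin/sh
# Added example (not from the benchmark text): audit the "MAC address changes"
# policy on all standard vSwitches and port groups from the ESXi shell.
# Assumptions not stated in the original: esxcli policy output contains a line
# "   Allow MAC Address Change: true|false"; ALLOWED_OVERRIDE_PGS is a
# hypothetical, space-separated list of port groups authorized to keep Accept.

ALLOWED_OVERRIDE_PGS="${ALLOWED_OVERRIDE_PGS:-}"

# Read policy text on stdin and print the effective "Allow MAC Address Change"
# value ("true" or "false"). Prints "unknown" when the line is absent so that a
# changed output format fails closed instead of passing the audit.
mac_change_allowed() {
    awk -F': *' '
        /^[ \t]*Allow MAC Address Change:/ {
            v = $2; gsub(/[ \t\r]+$/, "", v); print tolower(v); found = 1; exit
        }
        END { if (!found) print "unknown" }'
}

# Return 0 when an object is compliant: MAC changes are rejected ("false"), or
# the object is one of the explicitly authorized port groups (Impact note).
# Usage: policy_compliant <vswitch-or-portgroup-name> < policy-text
policy_compliant() {
    name=$1
    value=$(mac_change_allowed)
    case " $ALLOWED_OVERRIDE_PGS " in
        *" $name "*) return 0 ;;   # documented exception port group
    esac
    [ "$value" = "false" ]
}

# Names of all standard vSwitches on this host.
vswitch_names() {
    esxcli network vswitch standard list |
        awk -F': *' '/^[ \t]*Name:/ { print $2 }'
}

# Port groups attached to one vSwitch, one per line (names may contain spaces),
# taken from the switch's "Portgroups:" line.
vswitch_portgroups() {
    esxcli network vswitch standard list |
        awk -v sw="$1" -F': *' '
            /^[ \t]*Name:/ { cur = $2 }
            /^[ \t]*Portgroups:/ && cur == sw {
                n = split($2, pg, /, */); for (i = 1; i <= n; i++) print pg[i]
            }'
}

# Walk every vSwitch and its port groups, report PASS/FAIL, and print the
# remediation command for each failure. Returns non-zero if anything failed.
audit_host() {
    failures=0
    tmp=/tmp/pg-audit.$$
    for sw in $(vswitch_names); do
        if esxcli network vswitch standard policy security get -v "$sw" | policy_compliant "$sw"; then
            echo "PASS vswitch   $sw"
        else
            echo "FAIL vswitch   $sw  -> esxcli network vswitch standard policy security set -v '$sw' -m false"
            failures=$((failures + 1))
        fi
        vswitch_portgroups "$sw" > "$tmp"
        while IFS= read -r pg; do
            if esxcli network vswitch standard portgroup policy security get -p "$pg" | policy_compliant "$pg"; then
                echo "PASS portgroup $pg"
            else
                echo "FAIL portgroup $pg  -> esxcli network vswitch standard portgroup policy security set -p '$pg' -m false"
                failures=$((failures + 1))
            fi
        done < "$tmp"
        rm -f "$tmp"
    done
    [ "$failures" -eq 0 ]
}

# Constructed sample outputs (not captured from a real host) for offline checks.
SAMPLE_VSWITCH_REJECT='   Allow Promiscuous: false
   Allow MAC Address Change: false
   Allow Forged Transmits: false'
SAMPLE_PG_OVERRIDE_ACCEPT='   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: false
   Override Vswitch Allow Promiscuous: false
   Override Vswitch Allow MAC Address Change: true
   Override Vswitch Allow Forged Transmits: false'

# Run the live audit only where esxcli exists, i.e. in the ESXi shell.
if command -v esxcli >/dev/null 2>&1; then
    audit_host
    exit $?
fi
```

Run it as `ALLOWED_OVERRIDE_PGS="NLB-Unicast" sh audit-mac-changes.sh` on the host; a non-zero exit means at least one switch or port group still accepts MAC changes, and each FAIL line carries the exact esxcli command to fix it. Checking the port-group level is the important part: a switch set to Reject can be silently undone by a port group that overrides it to Accept.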