vNetwork : reject-forged-transmit - 'vSwitch'

Information

Ensure that the Forged Transmits policy is set to reject.
If the virtual machine operating system changes the MAC address, the operating system can send frames with an impersonated source MAC address at any time. This allows an operating system to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network.

Forged transmissions is set to Accept by default.

This means the virtual switch does not compare the source and effective MAC addresses.

To protect against MAC address impersonation, all virtual switches should have forged transmissions set to Reject. Reject Forged Transmit can be set at the vSwitch and/or the Portgroup level. You can override switch level settings at the Portgroup level.

http://pubs.vmware.com/vsphere-60/topic/com.vmware.vsphere.security.doc/GUID-7DC6486F-5400-44DF-8A62-6273798A2F80.html

http://pubs.vmware.com/vsphere-60/topic/com.vmware.vsphere.networking.doc/GUID-891147DD-3E2E-45A1-9B50-7717C3443DD7.html

Solution

From the vSphere Web Client select the host and click "Manage" -> "Networking" -> "Virtual Switches". For each virtual switch and for each port group within that virtual switch, click edit. Go to "Security" and set the "Forged Transmits" to "Reject".

See Also

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/files/xls/vSphere_6_0_Hardening_Guide_GA_15_Jun_2015.xls

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(12)

Plugin: VMware

Control ID: 5c9e3dcbd18ec74284772025713ba341f5b35adc131430b4c24f98547b36fc8f