Quick tips to improve virtual network security
To help ensure virtual network security and prevent VMs from impersonating other virtual servers, you can take the following precautions:
- Reject promiscuous mode on every virtual switch and port group. The virtual switch then delivers to a vNIC only the frames addressed to that vNIC's own MAC address (plus broadcast and multicast), so a VM cannot see traffic intended for other virtual servers.
- Reject MAC address changes, so that a virtual server cannot alter the MAC address its vNIC operates with. If a guest changes its MAC anyway, the switch stops delivering frames to that port, so the VM cannot receive traffic meant for the address it adopted.
- Reject forged transmits, so that the switch drops any outbound frame whose source MAC address differs from the vNIC's own. This prevents a VM from sending traffic that appears to come from another virtual server on the network.
Promiscuous mode allows a virtual network device, such as a virtual network interface card (vNIC), to receive every frame that reaches it, including frames addressed to other vNICs' MAC addresses. With promiscuous mode disabled, a vNIC normally drops a frame addressed to a different MAC address (it still receives broadcast and multicast frames). Not all hypervisors allow a guest to run in promiscuous mode (Microsoft Hyper-V does not, for example), while others, such as VMware vSphere, do.
For years, enabling promiscuous mode has been an important part of managing and monitoring physical networks and switches. Now promiscuous mode is playing a similar role in virtual networks, forming the basis of monitoring and implementation tools such as Catbird Networks Inc.’s vSecurity and CloudSwitch Enterprise.
Monitoring virtual network traffic with promiscuous mode enabled
Traffic between two VMs on the same virtual switch never reaches a physical wire, so a tap or intrusion detection sensor on the physical network cannot see it; virtualization-specific tools can. A virtual network consists of the virtual servers running on a host, connected logically to each other through a virtual switch so that they can send and receive data. A single virtual switch may serve the entire virtual network, forwarding each frame to the correct VM according to its destination MAC address and the port configuration the hypervisor holds for the switch.
When promiscuous mode is enabled for the monitoring vNIC, a security tool can run a packet sniffer on it to capture the flow and content of the virtual network traffic. The capture lets the tool spot illicit activity, such as an intrusion or malformed packets being delivered to virtual machines. Administrators can use the same capture to analyze virtual network performance, pinpoint bottlenecks and keep data moving efficiently. It also shows whether virtual servers are attacking each other, which matters when a compromised virtual server has gone undetected.
Because an intruder on a compromised VM can use promiscuous mode to sniff traffic for exactly the same reason, the monitoring tool should also report which vNICs are operating in promiscuous mode: on the host side, which virtual switches and port groups accept it, and inside guests, which interfaces have the promiscuous flag set. Any vNIC in promiscuous mode that is not a known monitor deserves investigation.
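A guest-side version of that check, as an added example that is not code from the original article: it reads the two places a Linux VM already records promiscuous state, the PROMISC flag in `ip -o link` output and the kernel's "entered/left promiscuous mode" messages, and reports which interfaces are promiscuous now and which were promiscuous according to the log. The samples embedded below are constructed in those formats, and the interface names in them are assumptions.

```sh
#!/bin/sh
# Added example, not code from the original article. Finds which interfaces
# of a Linux guest are in promiscuous mode from two sources the VM already
# has: the PROMISC flag in `ip -o link` output and the kernel's
# "entered/left promiscuous mode" messages (dmesg or syslog). Both inputs
# below are CONSTRUCTED samples in those formats; the interface names are
# assumptions.

# stdin = `ip -o link` output. Print the name of each interface whose flags
# field (third column, e.g. <BROADCAST,MULTICAST,PROMISC,UP>) contains PROMISC.
promisc_from_ip_link() {
    awk '$3 ~ /[<,]PROMISC[,>]/ { sub(/:$/, "", $2); print $2 }'
}

# stdin = kernel messages in order. Replay the entered/left events and print,
# sorted, the interfaces whose most recent event was "entered". Handles both
# "device eth0 entered promiscuous mode" (older kernels) and
# "eth0: entered promiscuous mode" (newer kernels).
promisc_from_kernel_log() {
    awk '
        function ifname(line,    n, f, i) {
            n = split(line, f, " ")
            for (i = 2; i <= n; i++)
                if (f[i] == "entered" || f[i] == "left") {
                    sub(/:$/, "", f[i-1]); return f[i-1]   # token before the verb
                }
            return ""
        }
        /entered promiscuous mode/ { state[ifname($0)] = 1 }
        /left promiscuous mode/    { state[ifname($0)] = 0 }
        END { for (name in state) if (state[name]) print name }
    ' | sort
}

# Constructed `ip -o link` output: eth0 is currently promiscuous.
IP_LINK_SAMPLE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP'

# Constructed kernel messages: eth1 sniffed briefly and stopped, eth0 and eth2
# are still promiscuous.
KMSG_SAMPLE='[  101.102] device eth1 entered promiscuous mode
[  102.417] device eth1 left promiscuous mode
[  310.900] device eth0 entered promiscuous mode
[  402.005] eth2: entered promiscuous mode'

# Stand-alone run.
echo "promiscuous now (ip link):";  printf '%s\n' "$IP_LINK_SAMPLE" | promisc_from_ip_link
echo "promiscuous per kernel log:"; printf '%s\n' "$KMSG_SAMPLE" | promisc_from_kernel_log
```

On a live guest the same functions take `ip -o link | promisc_from_ip_link` and `dmesg | promisc_from_kernel_log`; an interface the log shows as promiscuous that `ip link` no longer does (eth2 above) is the case worth chasing, since a sniffer that has already left promiscuous mode leaves no trace in the current flags.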
Promiscuous mode in the wild
While it is easy to enable promiscuous mode in certain hypervisors, only knowledgeable IT pros should activate it. In ESXi, promiscuous mode is one of the three settings in the security policy of a virtual switch or port group: log into vCenter Server, select the ESXi host, open the virtual switch (or the specific port group) you want to enable it on, edit its security policy and change Promiscuous Mode from Reject to Accept. Prefer the port group over the whole switch, so that only the ports that need it are affected.
Promiscuous mode is also used in hybrid-cloud environments. The CloudSwitch appliance requires promiscuous mode on ESX virtual switches to route traffic between the data center and workloads running in an offsite cloud. Because CloudSwitch is interested only in traffic for servers in the cloud, you can give the appliance its own port group and accept promiscuous mode on that port group alone, leaving it rejected for the rest of the virtual switch. In this setup no other VM on the switch gains the ability to sniff, and because promiscuous mode is accepted only on that isolated port group, the appliance does not receive traffic from other nodes on the virtual switch.
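The three settings listed at the top of the page and the ESXi port-group setup just described, as an added example that is not code from the original article or from VMware: the first function audits the text that `esxcli network vswitch standard policy security get -v <vswitch>` prints on an ESXi host, and the second prints the `esxcli` commands that reject all three settings switch-wide and re-accept promiscuous mode on a single monitoring port group. The esxcli output embedded below is a constructed sample, and the names vSwitch0 and pg-monitor are assumptions.

```sh
#!/bin/sh
# Added example, not code from the original article or from VMware.
# Audits the three vSwitch security settings using the text that
#   esxcli network vswitch standard policy security get -v <vswitch>
# prints on an ESXi host, then emits the esxcli commands that reject all
# three switch-wide and re-accept promiscuous mode on one monitoring port
# group only. The esxcli output below is a CONSTRUCTED sample; the names
# vSwitch0 and pg-monitor are assumptions.

# Read the "get" output on stdin and report each setting that accepts.
# Returns 0 when all three reject, 1 when any accepts.
audit_vswitch_security() {
    vswitch="$1"
    weak=0
    while IFS= read -r line; do
        case "$line" in
            *"Allow Promiscuous: true"*)
                echo "WEAK $vswitch: promiscuous mode accepted (a guest can sniff other VMs' frames)"
                weak=1 ;;
            *"Allow MAC Address Change: true"*)
                echo "WEAK $vswitch: MAC changes accepted (a guest can adopt another VM's MAC)"
                weak=1 ;;
            *"Allow Forged Transmits: true"*)
                echo "WEAK $vswitch: forged transmits accepted (a guest can spoof a source MAC)"
                weak=1 ;;
        esac
    done
    [ "$weak" -eq 0 ] && echo "OK   $vswitch: promiscuous, MAC change and forged transmits all reject"
    return "$weak"
}

# Print (do not run) the commands that fix a weak switch. Port groups inherit
# the vSwitch policy unless they override it, so the second command confines
# promiscuous mode to the one port group a monitoring appliance sits on.
harden_commands() {
    vswitch="$1"
    monitor_pg="$2"
    echo "esxcli network vswitch standard policy security set -v $vswitch" \
         "--allow-promiscuous=false --allow-mac-change=false --allow-forged-transmits=false"
    echo "esxcli network vswitch standard portgroup policy security set -p $monitor_pg" \
         "--allow-promiscuous=true"
}

# Constructed samples in the format the esxcli "get" command prints.
SAMPLE_WEAK='   Allow Promiscuous: true
   Allow MAC Address Change: true
   Allow Forged Transmits: true'
SAMPLE_OK='   Allow Promiscuous: false
   Allow MAC Address Change: false
   Allow Forged Transmits: false'

# Stand-alone run: audit the weak sample and show how to fix it.
if ! printf '%s\n' "$SAMPLE_WEAK" | audit_vswitch_security vSwitch0; then
    echo "Remediation:"
    harden_commands vSwitch0 pg-monitor
fi
```

On a host, `esxcli network vswitch standard policy security get -v vSwitch0 | audit_vswitch_security vSwitch0` gives the live answer, and `esxcli network vswitch standard portgroup policy security get -p <port group>` should be audited the same way, because a port group can override a hardened switch in the wrong direction.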
Promiscuous mode is also present in public cloud deployments. A user can put an Amazon EC2 instance's interface into promiscuous mode, but, unlike in the virtual and physical environments above, the EC2 network only delivers packets to the vNIC they are addressed to, and only accepts packets from an instance that carry that instance's own source IP and MAC address. So even with promiscuous mode enabled, an EC2 instance cannot receive or sniff traffic intended for a different EC2 instance.
A user can still run promiscuous mode on an EC2 instance together with a security monitor to verify that this isolation holds, which matters most when a mission critical application is hosted there: capture with the interface in promiscuous mode and look for unicast frames addressed to another instance's MAC address. If the monitor sees any, EC2's isolation is not working as described, which is a cause for concern.
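That verification, as an added example that is not code from the original article: with the interface in promiscuous mode, every frame the VM captures should be addressed to its own MAC, to broadcast, or to a multicast group; any other unicast destination is a frame the switch or cloud network should not have delivered. The function classifies `tcpdump -e -n` output by destination MAC, and it applies equally to the vSwitch behaviour described earlier on the page. The capture embedded below is a constructed sample, and every MAC and IP address in it is an assumption.

```sh
#!/bin/sh
# Added example, not code from the original article. Checks the isolation the
# text describes: with its vNIC in promiscuous mode, a VM should still see only
# frames addressed to its own MAC, broadcast, or multicast. Any other unicast
# destination is a frame that should not have been delivered. Input is the
# output of `tcpdump -e -n` (which puts the interface into promiscuous mode
# unless -p is given); the capture below is a CONSTRUCTED sample in that
# format and every MAC and IP address is an assumption.

# $1 = this VM's own MAC, stdin = `tcpdump -e -n` lines.
# Prints each leaked frame prefixed with LEAK; returns 1 if any leaked.
check_isolation() {
    own=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    awk -v own="$own" '
        $3 == ">" {
            dst = tolower($4); sub(/,$/, "", dst)       # "00:50:56:aa:bb:cd," -> mac
            if (dst == own || dst == "ff:ff:ff:ff:ff:ff") next
            if (substr(dst, 2, 1) ~ /[13579bdf]/) next  # group bit of first octet: multicast
            print "LEAK " $0; leaks++
        }
        END { exit (leaks > 0) }
    '
}

OWN_MAC=00:50:56:aa:bb:cc

# Constructed capture: one frame to us, one ARP broadcast, two multicasts, and
# one unicast frame for a different VM (aa:bb:cd) that we should never see.
CAPTURE_SAMPLE='12:00:01.000001 00:50:56:aa:bb:cd > 00:50:56:aa:bb:cc, ethertype IPv4 (0x0800), length 98: 10.0.0.6 > 10.0.0.5: ICMP echo request, id 1, seq 1, length 64
12:00:01.000002 00:50:56:aa:bb:cd > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.7 tell 10.0.0.6, length 28
12:00:01.000003 00:50:56:aa:bb:ce > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 80: 10.0.0.8.5353 > 224.0.0.251.5353: UDP, length 38
12:00:01.000004 00:50:56:aa:bb:cf > 00:50:56:aa:bb:cd, ethertype IPv4 (0x0800), length 74: 10.0.0.9.40000 > 10.0.0.6.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000005 00:50:56:aa:bb:ce > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 110: fe80::1 > ff02::1: ICMP6, router advertisement, length 56'

# Stand-alone run.
if printf '%s\n' "$CAPTURE_SAMPLE" | check_isolation "$OWN_MAC"; then
    echo "isolation holds: only own, broadcast and multicast frames seen"
else
    echo "isolation broken: a unicast frame for another VM was delivered"
fi
```

Against a live interface the call is `tcpdump -e -n -i eth0 -c 1000 | check_isolation "$(cat /sys/class/net/eth0/address)"`; a clean run exits 0, and on a correctly isolated EC2 instance or a vSwitch that rejects promiscuous mode it should never print a LEAK line.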
Ultimately, in the right hands, promiscuous mode can improve virtual network security and efficiency. Used incorrectly, it lets a single compromised guest read every other VM's traffic on the same virtual switch and can severely compromise a data center. Inexperienced IT pros should leave it rejected everywhere, so that intruders cannot sniff sensitive data off the virtual network.
This was first published in May 2012