Details
Ensure that the Forged Transmits policy is set to reject.
*Rationale*
If the virtual machine operating system changes the MAC address, the operating system can
send frames with an impersonated source MAC address at any time. This allows an
operating system to stage malicious attacks on the devices in a network by impersonating a
network adaptor authorized by the receiving network. Forged transmissions should be set
to accept by default. This means the dvPortgroup does not compare the source and
effective MAC addresses. To protect against MAC address impersonation, all virtual
switches should have forged transmissions set to reject.
Solution
1. Configure by using the vSphere Web Client to connect to the vCenter Server and as administrator-
2. Go to Home > Networking.
3. Select each VDS and edit each dvPortgroup connected to active VM’s requiring securing.
4. Edit Settings for each PortGroup under Security.
5. Set the Forged transmits value to ‘Reject’
Impact-This will prevent VMs from changing their effective MAC address. This will affect
applications that require this functionality. An example of an application like this is
Microsoft Clustering, which requires systems to effectively share a MAC address. This will
also affect how a layer 2 bridge will operate. This will also affect applications that require a
specific MAC address for licensing. An exception should be made for the dvPortgroups that
these applications are connected to.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection.This control applies to the following type of system VMware.