allow Promiscuous mode instead of rejecting it. This allows you, the administrator, to carefully
control which systems are allowed to use this powerful and potentially security-threatening
feature.
As shown in Figure 5.77, the virtual switch security policy remains at the default setting
of Reject for the Promiscuous Mode option, while the VM port group for the IDS is set to
Accept. The port group setting overrides the virtual switch setting, allowing the IDS to see all traffic
for that VLAN that passes through the virtual switch, while every other port group on the switch still inherits Reject.
Allowing MAC Address Changes and Forged Transmits
When a VM is created with one or more virtual network adapters, a MAC address is generated
for each virtual adapter. Just as Intel, Broadcom, and others manufacture network adapters that
include unique MAC address strings, VMware acts as a network adapter manufacturer with its
own MAC prefix to ensure uniqueness. Of course, VMware doesn't actually manufacture any-
thing, because the product exists only as a virtual NIC in a VM. You can see the 6-byte, randomly
generated MAC addresses for a VM in the configuration file (.vmx) of the VM as well as in
the Settings area for a VM within the vSphere Web Client, shown in Figure 5.78. A VMware-
assigned MAC address begins with the prefix 00:50:56 or 00:0C:29. In previous versions of ESXi,
the value of the fourth set (XX) would not exceed 3F, to prevent conflicts with other VMware
products, but this appears to have changed in vSphere 5.0. The fifth and sixth sets (YY:ZZ) are
generated randomly based on the universally unique identifier (UUID) of the VM, which is tied to
the location of the VM. For this reason, when a VM's location is changed, a prompt appears before
the VM boots successfully. The prompt asks whether to keep the UUID or generate a new UUID,
which helps prevent MAC address conflicts.
Figure 5.77 Promiscuous mode, though it reduces security, is required when using an intrusion-detection system.
[Diagram: vSwitch0 (Reject Promiscuous Mode) with uplinks vmnic0 through vmnic3. Port groups on the switch: Production LAN (VLAN 100); IDS port group (Allow Promiscuous Mode, VLAN 100), to which the intrusion-detection system for the production LAN is attached; Test/dev LAN.]
Manually Setting the MAC Address
Manually configuring a MAC address in the configuration file of a VM does not work unless the first
three bytes are a VMware-provided prefix and the last three bytes are unique. If a non-VMware
MAC prefix is entered in the configuration file, the VM will not power on.
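The two passages above (the VMware MAC prefixes stored in the .vmx file, and the sidebar on manually set addresses) describe checks an administrator can run offline against a VM's configuration file before trusting the guest on a port group that allows MAC address changes. The following audit script is an added example, not code from the book or from VMware; the .vmx fragment it parses is constructed for illustration, the function names are my own, and it applies only the two prefixes and the 00-3F fourth-byte range the text mentions (real ESXi builds may accept further ranges).

```python
import re

# Constructed sample .vmx fragment (not taken from the page); only the keys
# relevant to virtual NICs are included. ethernet2 carries a non-VMware prefix,
# the case the sidebar says ESXi refuses to power on.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "10"
displayName = "ids-sensor-01"
ethernet0.present = "TRUE"
ethernet0.networkName = "IDS port group"
ethernet0.addressType = "generated"
ethernet0.generatedAddress = "00:0c:29:8a:1f:42"
ethernet1.present = "TRUE"
ethernet1.networkName = "Production LAN"
ethernet1.addressType = "static"
ethernet1.address = "00:50:56:3f:00:01"
ethernet2.present = "TRUE"
ethernet2.networkName = "Test/dev LAN"
ethernet2.addressType = "static"
ethernet2.address = "00:1b:21:aa:bb:cc"
"""

# The two VMware OUIs named in the text. Any other first three bytes are
# treated as foreign to VMware.
VMWARE_OUIS = {"00:50:56", "00:0c:29"}

MAC_RE = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}")


def parse_vmx(text):
    """Parse 'key = "value"' lines of a .vmx file into a dict (comments skipped)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def audit_nics(cfg):
    """Return one finding record per present virtual NIC.

    A static (manually assigned) address is always reported, because the
    guest's identity on the wire no longer follows the VM's UUID; a non-VMware
    OUI is reported and marked 'blocked', matching the sidebar's statement that
    such a VM will not power on.
    """
    results = []
    for key in sorted(cfg):
        m = re.fullmatch(r"(ethernet\d+)\.present", key)
        if not m or cfg[key].upper() != "TRUE":
            continue
        nic = m.group(1)
        addr_type = cfg.get(f"{nic}.addressType", "generated").lower()
        # ESXi stores generated addresses under generatedAddress and manually
        # set ones under address; pick the one that applies to this NIC.
        mac_key = f"{nic}.address" if addr_type == "static" else f"{nic}.generatedAddress"
        mac = cfg.get(mac_key, "").lower()
        findings = []
        blocked = False
        if not MAC_RE.fullmatch(mac):
            findings.append("missing or malformed MAC")
        else:
            oui = mac[:8]
            if oui not in VMWARE_OUIS:
                findings.append(f"non-VMware OUI {oui}")
                blocked = addr_type == "static"
            if addr_type == "static":
                findings.append("manually assigned MAC")
                # The text says older ESXi kept the fourth byte at or below 3F
                # for the 00:50:56 prefix; report values outside that range.
                fourth = int(mac[9:11], 16)
                if oui == "00:50:56" and fourth > 0x3F:
                    findings.append("fourth byte above 3F (outside legacy static range)")
        results.append({
            "nic": nic,
            "network": cfg.get(f"{nic}.networkName", ""),
            "addressType": addr_type,
            "mac": mac,
            "findings": findings,
            "blocked": blocked,
        })
    return results


if __name__ == "__main__":
    for r in audit_nics(parse_vmx(SAMPLE_VMX)):
        status = "WILL NOT POWER ON" if r["blocked"] else "ok"
        print(f'{r["nic"]} ({r["network"]}) {r["mac"]} [{r["addressType"]}] {status}: {r["findings"]}')
```

Run it against a real .vmx by replacing SAMPLE_VMX with the file's contents. The useful signal is the combination of fields: a static address on a port group whose security policy accepts MAC address changes or forged transmits is the configuration worth questioning, since that VM can both pick its own identity in the .vmx and change it again from inside the guest.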