Friday, 30 September 2011

vSwitch Networking Security Testing - Part 1 Promiscuous Mode

In ESXi 5.0 Networking Security, each vSwitch has the following Security Policy Tab.
  • Promiscuous Mode: Accept or Reject
  • MAC Address Changes: Accept or Reject
  • Forged Transmits: Accept or Reject
In part 1 of this test lab, I am exploring the Promiscuous Mode setting and the effect of setting it to Accept or Reject.

A Windows 7 VM is installed in the ESXi 5.0 Server and connected to the same VLAN as the Management Traffic. 

WireShark is installed in the VM to capture the traffic in the vSwitch.  Microsoft Network Capture is used to open the WireShark captured packet.   MS NCap is use because NCap can do a better job in sorting TCP Session as compare to WireShark.


Setting Promiscuous Mode to Reject (Default)

 


Setting Promiscuous Mode to Accept




Captured using WireShark When Promiscuous Mode Set to Reject 



Captured using WireShark When Promiscuous Mode Set to Accept  


Preview Captured Packet using Microsoft NCap When Promiscuous Mode Set to Reject




Preview Captured Packet using Microsoft NCap When Promiscuous Mode Set to Accept




Test Conclusion 

By setting the Promiscuous Mode to Accept in ESXi 5.0 vSwitch Networking Security Policy Tab, it allows any VM (the vNIC will have to be in Promiscuous Mode as well) of that vSwitch to be able to sniff network traffic of the entire vSwitch.  This can post a security risk if it is not carefully implemented.  But again, this is a nice feature that allow us to see and sniff traffic between VMs within the vSwitch for troubleshooting, a thing that we always do with physical switches when those hard to troubleshoot network problems occurred.

We can set the Promiscuous Mode at the Port Group Level other than at the vSwitch Level.  I strongly sugguest to set the vSwitch Promiscuous Mode to Reject and set just one Port Group Promiscuous Mode to Accept.  Place the Sniffer VM into this Port Group.


At vSwitch Level, set Promiscuous Mode to Reject.



At Port Group Level (where the Network Sniffer is Connected), set Promiscuous Mode to Accept.







Preview Captured Packet using Microsoft NCap When Promiscuous Mode Set to Accept

No comments:

Post a Comment