tech notes on vSwitches and layer 2 attacks
I recently completed a pen test from the sole position of possessing remote administrative privileges to a few guest VMs.
I fired up yersinia to learn if launching layer 2 attacks could disrupt normal operations. While doing that I grabbed a copy of this book:
VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment
vSwitches are reportedly immune to layer 2 attacks; the book puts it this way:
"Currently, a vSwitch will protect you from the following types of attacks by not providing the underlying functionality that these attacks require."
- MAC Flooding
- Double Encapsulation attacks (multiple 802.1Q envelopes)
- Multicast Brute Force Attacks
- Spanning Tree Attacks
- Random Frame Attacks
- DTP/VTP
I was able to perform MITM via ARP cache poisoning on other visible guest VMs sharing the same network segment (because the attack targets the guest VM and not the vSwitch), but in this case each segment was allocated to a unique customer and therefore not a valuable test (i.e. poisoning oneself was not in scope).
You can configure VMware to further limit attacks within a broadcast domain:
- Security | Promiscuous Mode: Reject (default: Reject)
- Security | MAC Address Changes: Reject (default: Accept)
- Security | Forged Transmits (allows an outbound frame whose source MAC differs from the one assigned to the virtual adapter): Reject (default: Accept)
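Added example (not from the post or from VMware): a small Python audit that resolves the effective vSwitch security policy for each standard vSwitch and port group and lists every setting still at Accept. It assumes pyVmomi-shaped objects (attribute names taken from vim.host.NetworkPolicy.SecurityPolicy), and the sample network below is constructed, not captured from a real host.

```python
"""Audit vSphere standard vSwitch / port group security policies.

Objects are duck-typed to pyVmomi: host.config.network.vswitch[*] and
host.config.network.portgroup[*], each with .spec.policy.security carrying
allowPromiscuous / macChanges / forgedTransmits (True = Accept). A port
group field left as None inherits the value from its parent vSwitch.
"""
from types import SimpleNamespace

# The three settings the post recommends turning to Reject (False).
SETTINGS = ("allowPromiscuous", "macChanges", "forgedTransmits")

def effective_policy(vswitch_sec, portgroup_sec=None):
    """Explicit port group value wins; None falls back to the vSwitch."""
    resolved = {}
    for name in SETTINGS:
        value = getattr(portgroup_sec, name, None)
        if value is None:
            value = getattr(vswitch_sec, name, None)
        resolved[name] = bool(value)  # unset on the vSwitch == Reject
    return resolved

def audit_host_network(network):
    """Return (object name, setting) pairs whose effective value is Accept."""
    findings = []
    switches = {vs.name: vs for vs in network.vswitch}
    for vs in network.vswitch:
        for name, accept in effective_policy(vs.spec.policy.security).items():
            if accept:
                findings.append((vs.name, name))
    for pg in network.portgroup:
        parent_sec = switches[pg.spec.vswitchName].spec.policy.security
        eff = effective_policy(parent_sec, pg.spec.policy.security)
        findings += [(pg.spec.name, n) for n, accept in eff.items() if accept]
    return findings

def _sec(promisc=None, mac=None, forged=None):
    return SimpleNamespace(allowPromiscuous=promisc, macChanges=mac,
                           forgedTransmits=forged)

# Constructed sample: vSwitch0 at the VMware defaults (Reject/Accept/Accept)
# and one customer port group that overrides only MAC Address Changes.
SAMPLE_NETWORK = SimpleNamespace(
    vswitch=[SimpleNamespace(name="vSwitch0", spec=SimpleNamespace(
        policy=SimpleNamespace(security=_sec(False, True, True))))],
    portgroup=[SimpleNamespace(spec=SimpleNamespace(
        name="Customer-A", vswitchName="vSwitch0",
        policy=SimpleNamespace(security=_sec(None, False, None))))],
)
```

Against a live host, pass `host.config.network` from a pyVmomi session in place of `SAMPLE_NETWORK`; an empty result means every vSwitch and port group rejects all three.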
