Network security issues

Hi,

I have a few questions about network security that I hope someone can help me with:

  • How can I prevent a VM from eavesdropping on all packets in the network, i.e. operating in promiscuous mode?
  • Is there any way to prevent VLAN hopping by VMs?
  • How can I prevent a VM from sending with a false MAC address?

Thanks,

Responses

Hi Paul,

Looks like no one has been able to help you out on these topics yet. I'll see if I can track down someone to help you out.

How can I prevent a VM from sending with a false MAC address?

I can answer this one. RHEV-3.1 does add a rule to prevent IP spoofing and MAC spoofing when VMs are started, and it is removed when VMs are stopped. This is done by default. You can tweak this default behaviour by setting EnableMACAntiSpoofingFilterRules to False in rhevm-config. For 3.0, you need to have a custom hook for this purpose.

How can I prevent a VM from eavesdropping on all packets in the network, i.e. operating in promiscuous mode?

I am just guessing. There is no effect if a user sets the promiscuous flag on guest ethx interfaces unless they can set the promisc flag on the associated vnetx as well, which only the host administrator can do.

VLAN hopping may not be an issue as long as you don't mix tagged and untagged VLANs on the same interface.
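
One way to verify on a host that the MAC anti-spoofing rule described in the answer above is actually attached to each running VM's vNIC. This is an added example, not part of the thread or RHEV's own code. It assumes the rule shows up as a libvirt `<filterref>` in the domain XML and that the RHEV-applied filter is named `vdsm-no-mac-spoofing`; the thread states neither, and the domain XML below is constructed.

```python
import xml.etree.ElementTree as ET

# Filters that pin a vNIC to its configured MAC. The libvirt built-ins are
# real; treating "vdsm-no-mac-spoofing" as the RHEV-applied filter is an assumption.
ANTI_SPOOF_FILTERS = {"no-mac-spoofing", "clean-traffic", "vdsm-no-mac-spoofing"}

# Constructed sample: output shaped like `virsh dumpxml <vm>` on the host.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <devices>
    <interface type='bridge'>
      <mac address='00:1a:4a:00:00:01'/>
      <source bridge='rhevm'/>
      <target dev='vnet0'/>
      <filterref filter='vdsm-no-mac-spoofing'/>
    </interface>
    <interface type='bridge'>
      <mac address='00:1a:4a:00:00:02'/>
      <source bridge='vlan100'/>
      <target dev='vnet1'/>
    </interface>
  </devices>
</domain>
"""

def audit_interfaces(domain_xml):
    """Return one dict per vNIC with its MAC, tap device, filter and verdict."""
    root = ET.fromstring(domain_xml)
    results = []
    for iface in root.findall("./devices/interface"):
        mac = iface.find("mac")
        target = iface.find("target")
        ref = iface.find("filterref")
        name = ref.get("filter") if ref is not None else None
        results.append({
            "mac": mac.get("address") if mac is not None else None,
            "dev": target.get("dev") if target is not None else None,
            "filter": name,
            "protected": name in ANTI_SPOOF_FILTERS,
        })
    return results

def unprotected(domain_xml):
    """Tap devices whose vNIC has no anti-spoofing filter attached."""
    return [r["dev"] for r in audit_interfaces(domain_xml) if not r["protected"]]

if __name__ == "__main__":
    for row in audit_interfaces(SAMPLE_DOMAIN_XML):
        print(row)
```

A vNIC reported as unprotected on a 3.1 host would point to the default having been switched off, or to a VM that was started before the setting changed.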