Virtual Machines Aren’t Perfect Sandboxes

A few months ago, I had a problem with one of my Virtual Machines (VMs), so I fired up Wireshark, and started capturing traffic. At first I thought I was seeing things. There was a bunch of traffic that was not originating on the VM; it was originating on the host OS. That seemed mighty odd. So I did some research.

Apparently, in a Windows VM, you can put the NIC into promiscuous mode and see network traffic on the host. Not only that, you can see network traffic originating on other VMs. Bill Claybrook, a contributor to SearchVMWare, explains the purpose of promiscuous mode:

Promiscuous mode allows a virtual network device — such as a network adapter or virtual network interface card (vNIC) — to intercept and access data in a virtual network packet, including packets intended for other vNICs. If promiscuous mode is disabled, a vNIC will normally drop a packet that’s addressed to a different MAC address. Not all hypervisors allow promiscuous mode (e.g., Microsoft Hyper-V), while others do, such as VMware vSphere.

Claybrook goes on to suggest that you disable promiscuous mode on all your virtual servers. That is easier said than done. On a Windows host, VMware Workstation (VMware's hosted virtualization product) lets a guest put its virtual network adapter into promiscuous mode, and the product exposes no setting to refuse it: the vNIC is handed every frame on the virtual switch, not just the ones addressed to its own MAC.
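The quickest way to find out whether your own guest is in this situation is to do what the Wireshark session above did, but mechanically: look at the destination MAC of every captured frame. Frames addressed to the guest, to the broadcast address, or to a multicast group are normal; unicast frames addressed to some other MAC are exactly what a non-promiscuous vNIC is supposed to drop, so any of them in a capture taken inside the VM means the virtual switch is showing you the host's or other guests' traffic. The script below is an added example written for this post, not the author's tooling or VMware's: it reads a classic pcap file (the format Wireshark can save to), sorts each frame by destination, and lists the senders whose unicast traffic leaked to the guest. The MAC addresses and the five-frame capture are constructed for the example; `leak_report`, `classify` and the other names are this example's own.

```python
"""Does my vNIC see frames that are not addressed to it?

Added example for this post (not the author's tooling). It reads a classic
pcap capture, as Wireshark can save one, and sorts each Ethernet frame by
its destination MAC: addressed to us, broadcast, multicast, or a unicast
frame meant for someone else. A non-promiscuous vNIC drops that last
category, so seeing any of it from inside a guest means the virtual switch
is showing you the host's or other VMs' traffic. The MAC addresses and the
capture below are constructed, not taken from a real network.
"""
import struct

PCAP_MAGICS = {0xA1B2C3D4, 0xA1B23C4D}   # microsecond / nanosecond timestamp variants
LINKTYPE_ETHERNET = 1
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def is_multicast(mac: str) -> bool:
    # I/G bit: the least significant bit of the first octet is set for group addresses.
    return int(mac[:2], 16) & 1 == 1


def make_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> tuple[str, str, int]:
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return mac_str(dst), mac_str(src), ethertype


def build_pcap(frames) -> bytes:
    """Write frames into a little-endian classic pcap image (used for the constructed capture)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = [struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return header + b"".join(records)


def read_pcap(data: bytes):
    """Yield raw Ethernet frames from a classic (not pcapng) pcap image, either byte order."""
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", data[:4])[0] in PCAP_MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    offset = 24
    while offset + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[offset:offset + 16])[2]
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def classify(frame: bytes, own_mac: str) -> str:
    dst, _, _ = parse_frame(frame)
    if dst == own_mac:
        return "own"
    if dst == BROADCAST:
        return "broadcast"
    if is_multicast(dst):
        return "multicast"
    return "foreign-unicast"       # only deliverable when the vNIC is promiscuous


def non_promiscuous_view(frames, own_mac: str) -> list:
    """What the guest would receive if its vNIC honoured the normal MAC filter."""
    return [f for f in frames if classify(f, own_mac) != "foreign-unicast"]


def leak_report(frames, own_mac: str) -> tuple[dict, list]:
    """Count frames per category and list senders whose unicast traffic leaked to us."""
    counts = {"own": 0, "broadcast": 0, "multicast": 0, "foreign-unicast": 0}
    leaked_senders = set()
    for frame in frames:
        kind = classify(frame, own_mac)
        counts[kind] += 1
        if kind == "foreign-unicast":
            leaked_senders.add(parse_frame(frame)[1])
    return counts, sorted(leaked_senders)


# Constructed addresses (VMware guest NICs use the 00:0c:29 prefix; the rest is made up).
GUEST_MAC = "00:0c:29:aa:bb:cc"     # the VM running the capture
OTHER_VM_MAC = "00:0c:29:11:22:33"
HOST_MAC = "00:11:22:33:44:55"
GATEWAY_MAC = "00:aa:bb:cc:dd:ee"

SAMPLE_FRAMES = [
    make_frame(GUEST_MAC, GATEWAY_MAC, 0x0800, b"reply to the guest"),
    make_frame(BROADCAST, HOST_MAC, 0x0806, b"who-has arp"),
    make_frame("01:00:5e:00:00:fb", HOST_MAC, 0x0800, b"mdns"),
    make_frame(GATEWAY_MAC, HOST_MAC, 0x0800, b"host browsing the web"),      # host's traffic
    make_frame(GATEWAY_MAC, OTHER_VM_MAC, 0x0800, b"another vm's session"),   # other VM's traffic
]
CAPTURE = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    frames = list(read_pcap(CAPTURE))
    counts, senders = leak_report(frames, GUEST_MAC)
    print(counts)
    if senders:
        print("promiscuous vNIC: seeing unicast traffic from", ", ".join(senders))
    print("frames a non-promiscuous vNIC would deliver:", len(non_promiscuous_view(frames, GUEST_MAC)))
```

To run it against a real capture, replace `CAPTURE` with the bytes of a pcap saved from Wireshark inside the guest and set `GUEST_MAC` to the guest adapter's address; a non-empty sender list is the leak. Broadcast and multicast are deliberately left out of the report because every NIC on the segment receives them whether promiscuous or not, so they prove nothing either way.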

I’m not the only one having this problem. One user in a support community writes:

“And yes, it seems in Workstation for PC promiscuous mode is permanently switched on. And that there is no way to switch it off! I wonder how this affects security?”

The answer is that it weakens the isolation you were counting on. A guest that can read the host's frames and the frames of every other guest on the same virtual switch is, at the network layer, no better sandboxed than a machine plugged into a shared hub; a virtual machine is not quite the isolated security sandbox that I thought it was. Edward Haletky, another contributor for SearchVMWare, concludes that, because some systems require promiscuous mode and because the mitigation steps aren't foolproof, the best thing to do is implement a rigorous auditing process and strong firewalls:

“Nothing can replace auditing changes to your infrastructure on a regular basis. Several companies have products that do this: Tripwire and Configuresoft. Other companies have tools to prevent traffic to and from the VM in question by placing a virtual jail around the VM: Catbird and Reflex Security… No matter which tool you choose, the use of promiscuous mode enabled port groups implies the need to increase auditing and your own diligent observations.”
