Spoof Guard

  1. One of the security features offered by NSX is Spoof Guard.
  2. The Spoof Guard feature protects against IP spoofing, preventing malicious attacks.
  3. Spoof Guard allows you to trust the IP reported to the NSX Manager by vCenter with the help of VMware Tools.
  4. In case of a spoofed IP or any other violation, Spoof Guard blocks the traffic on that particular vNIC (it prevents the virtual machine's vNIC from accessing the network).
  5. This functions independently of the NSX Distributed Firewall.
  6. Spoof Guard supports both IPv4 and IPv6 addresses.
Use cases:
  • Preventing a rogue VM from assuming the IP address of an existing VM and sending malicious traffic.
  • Preventing any unauthorized IP address change for a VM without proper approval.
  • An enhanced security feature which prevents VMs from bypassing the DFW firewall policies by changing their IP address.
Enabling the Spoof Guard feature is simple and takes only a few clicks.
By default, Spoof Guard feature is disabled.
 
Creating Spoof Guard Policy:
1. By default, the IP detection type is None. It should be changed.
2. Two options are supported:
a. DHCP Snooping
b. ARP Snooping
 
  1. As the next step, you can edit the default policy or create a new policy. In this example we will create a new policy.
  2. Enter the policy name as “Test” and select the option “Enabled”.
  3. Here we will select the option to manually inspect and approve all IP addresses.

  1. As the next step, select the network to which this policy should apply.
  2. The network can be a distributed port group, a legacy port group or a logical switch.
 
  1. Once the network is selected, you will be able to view the detected IPs; they are waiting for the “Approve” action.
  2. Until approved, the VMs are not part of the network and no traffic passes.
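To make the behaviour of a policy in the manual inspect-and-approve mode concrete, here is an added Python model of the decision logic described above (it is not NSX code and makes no NSX API calls): a detected IP that is not yet approved for a vNIC leaves that vNIC blocked until an administrator approves it, and both IPv4 and IPv6 addresses are normalised before comparison. The vNIC names and addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VnicState:
    approved: set = field(default_factory=set)  # IPs an administrator has approved for this vNIC
    detected: set = field(default_factory=set)  # IPs reported via DHCP/ARP snooping or VMware Tools
    blocked: bool = False                       # True while the vNIC is cut off from the network


def norm(ip: str) -> str:
    # Normalise IPv4/IPv6 text so "2001:DB8::1" and "2001:db8:0:0::1" compare equal;
    # raises ValueError for anything that is not a valid address.
    return ipaddress.ip_address(ip).compressed


class SpoofGuard:
    """Model of one Spoof Guard policy in 'manually inspect and approve all IPs' mode."""

    def __init__(self) -> None:
        self.vnics: dict[str, VnicState] = {}

    def _state(self, vnic: str) -> VnicState:
        return self.vnics.setdefault(vnic, VnicState())

    def _refresh(self, s: VnicState) -> bool:
        # The vNIC passes traffic only while every detected IP has been approved.
        s.blocked = not s.detected <= s.approved
        return not s.blocked

    def observe(self, vnic: str, ip: str) -> bool:
        """An IP was detected on a vNIC. Returns True if the vNIC may still pass traffic."""
        s = self._state(vnic)
        s.detected.add(norm(ip))
        return self._refresh(s)

    def approve(self, vnic: str, ip: str) -> bool:
        """Administrator approves an IP for a vNIC. Returns True if the vNIC is now unblocked."""
        s = self._state(vnic)
        s.approved.add(norm(ip))
        return self._refresh(s)

    def pending(self, vnic: str) -> list[str]:
        """IPs detected on the vNIC that still await the 'Approve' action."""
        s = self._state(vnic)
        return sorted(s.detected - s.approved)

    def permits(self, vnic: str, src_ip: str) -> bool:
        """Would a packet with this source IP be forwarded from this vNIC?"""
        s = self._state(vnic)
        return not s.blocked and norm(src_ip) in s.approved
```

A rogue VM that reports an address already approved for another vNIC is blocked on its own vNIC because that address is not approved there, and a VM that changes its address without approval is blocked until the new address is approved.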