A customer suspects someone or something is changing the MAC address of a virtual machine. Which security policy should the customer modify to obtain more information?
I think it's B, as the question is to obtain more info about what is happening, which one can interpret as sniffing the network, and that is one of the uses of setting promiscuous mode.
If it was to stop MAC address changes, then A would be appropriate, since an admin can choose to either enable or disable it.
Good point, also crossed my mind. But it does not state anything about using a sniffer. Stopping its traffic could also bring information, i.e. when a user calls the helpdesk that something stopped working :-)
I am truly not sure what is correct here, I'm leaning towards B.
It's a horribly written question. It all depends on how an admin would "obtain information". Options A and D block (or allow) frames with the modified addresses. It's possible that one may change these settings as a means of obtaining info. Option B could be correct, but only if we have a sniffer running on a VM, which is not a normal assumption. It seems like that is the most likely answer, although it's not a very good question/answer.
https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.security.doc/GUID-92F3AB1F-B4C5-4F25-A010-8820D7250350.html
Although promiscuous mode can be useful for tracking network activity, it is an insecure mode of operation,
The right answer is B. The security policy just contains A, B and D, so C is the first dismissed. As for A and D, the default setting is Accept, and for B it is Reject. If you modify A from the default setting Accept to Reject, that will stop what he suspects, since no MAC-address-changed packages will be received by the VM in question; the same goes for option D.
Correct answer is B: Key phrase is "obtain more information". Set Promiscuous mode to Accept to use an application in a virtual machine that analyzes or sniffs packets, such as a network-based intrusion detection system.
Forged Transmits
____________________________
The Forged transmits option affects traffic that is transmitted from a virtual machine.
When the Forged transmits option is set to Accept, ESXi does not compare source and effective MAC addresses.
To protect against MAC impersonation, you can set the Forged transmits option to Reject. If you do, the host compares the source MAC address being transmitted by the guest operating system with the effective MAC address for its virtual machine adapter to see if they match. If the addresses do not match, the ESXi host drops the packet.
The guest operating system does not detect that its virtual machine adapter cannot send packets by using the impersonated MAC address. *****The ESXi host intercepts any packets with impersonated addresses before they are delivered, and the guest operating system might assume that the packets are dropped.*********************
For me it's "B"
Because we want to get more information, so set Promiscuous mode to Accept to use an application in a virtual machine that analyzes or sniffs packets, such as a network-based intrusion detection system.
Correct answer is B. The question clearly says "Which security policy should the customer modify to obtain more information?"; in order to obtain "more info", you have to use promiscuous.
Read the KB below
https://kb.vmware.com/s/article/1002934?lang=en
It says "This can be useful for intrusion detection monitoring or if a sniffer needs to analyze all traffic on the network segment."
To me it seems A: the MAC Address Policy has "Accept" or "Reject" .... Reject says:
"When the Mac address changes option is set to Reject, ESXi does not honor requests to change the effective MAC address to a different address than the initial MAC address. This setting protects the host against MAC impersonation. The port that the virtual machine adapter used to send the request is disabled and the virtual machine adapter does not receive any more frames until the effective MAC address matches the initial MAC address. The guest operating system does not detect that the MAC address change request was not honored."
https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.security.doc/GUID-942BD3AA-731B-4A05-8196-66F2B4BF1ACB.html#GUID-942BD3AA-731B-4A05-8196-66F2B4BF1ACB
I would go with D
A is blocking traffic from vSwitch to VM (if initial MAC doesn't match actual MAC)
D is dropping traffic from VM at vSwitch (if MAC changed from initial)
So supposing someone changes the MAC address, I assume it wasn't done at vSphere level but rather on the VM itself (by naughty-windows-admin)
I was wrong - it can not be D at all ( https://wahlnetwork.com/2013/04/29/how-the-vmware-forged-transmits-security-policy-works/ )
...The key thing to note about Forged Transmits is that the security policy is only policing the Effective Address of the network adapter, which is the address set by the guest OS. The policy does not compare the virtual machine’s configured MAC address, also called the Initial Address, as that duty is handled by the MAC Address Changes policy....
For the question of gathering more information (instead of suppressing) I would tend to go with B
The question is: "how to gain more information" not to "prevent" the issue. So the answer should be B, use the Promiscuous Mode to 'sniff' more details.
I think it's A. Because the question is about the MAC address change and not talking about whether you need to catch traffic or other options.
https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.security.doc/GUID-942BD3AA-731B-4A05-8196-66F2B4BF1ACB.html#GUID-942BD3AA-731B-4A05-8196-66F2B4BF1ACB
https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.security.doc/GUID-3507432E-AFEA-4B6B-B404-17A020575358.html
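The three options argued over in this thread, as a small model of the behaviour the quoted VMware and wahlnetwork.com passages describe. This is an added example, not code from any commenter or from VMware; the class and function names and the MAC addresses are made up for illustration, and only unicast frames are modelled.

```python
from dataclasses import dataclass

@dataclass
class Policy:                          # the three security options on a vSwitch/port group
    mac_changes: str = "Accept"        # option A in the thread
    promiscuous: str = "Reject"        # option B
    forged_transmits: str = "Accept"   # option D

@dataclass
class VNic:
    initial_mac: str     # address assigned to the adapter in the VM configuration
    effective_mac: str   # address the guest OS has set on the adapter

def inbound(policy, nic, dst_mac):
    """Decision for a unicast frame the vSwitch could hand to this adapter."""
    if policy.mac_changes == "Reject" and nic.effective_mac != nic.initial_mac:
        return "blocked: MAC address changes"   # port disabled until the MACs match
    if dst_mac == nic.effective_mac or policy.promiscuous == "Accept":
        return "delivered"
    return "filtered"                           # not addressed to this adapter

def outbound(policy, nic, src_mac):
    """Decision for a frame the guest sends with source address src_mac."""
    if policy.forged_transmits == "Reject" and src_mac != nic.effective_mac:
        return "dropped: forged transmit"
    return "forwarded"

def scenario():
    # Constructed addresses: a guest that changed its MAC, and a monitoring VM.
    changed = VNic("00:50:56:00:00:0a", "00:50:56:00:00:0b")
    sensor = VNic("00:50:56:00:00:0c", "00:50:56:00:00:0c")
    new = changed.effective_mac
    a, b, d = (Policy(mac_changes="Reject"), Policy(promiscuous="Accept"),
               Policy(forged_transmits="Reject"))
    return {
        "A=Reject, frame to changed VM": inbound(a, changed, new),
        "D=Reject, guest sends from new MAC": outbound(d, changed, new),
        "D=Reject, guest spoofs per frame": outbound(d, changed, "00:50:56:00:00:ff"),
        "B=Reject, sensor sees others' frame": inbound(Policy(), sensor, new),
        "B=Accept, sensor sees others' frame": inbound(b, sensor, new),
    }

if __name__ == "__main__":
    for case, result in scenario().items():
        print(f"{case:38} -> {result}")
```

In this model A and D only block or drop frames, while B is the one setting that lets a monitoring VM receive frames addressed to other adapters.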