"One significant issue with virtual machine security is
with virtual switch isolation," said Burton Group's Wolf. "The current
all-or-nothing approach to making a virtual switch 'promiscuous' in
order to connect it to an IDS/IPS is not favorable to security." …
This is an overall decent article, but parts of it are very misleading.
I got in touch with Andrew Lambeth of VMware's Networking team for clarification. This is what he had to say:
… The vswitch-wide setting that probably confused
him is not the only way to enable promiscuous mode. The right way to
configure a vswitch for IDS/IPS is to create a separate portgroup from
those used for normal VMs and configure only that portgroup for
"Promiscuous Allowed". This prevents any normal VMs connected to the
other portgroups on the vswitch from being allowed to sniff traffic not
intended for them while allowing only the IDS/IPS VM to sniff.
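The portgroup-level configuration Lambeth describes, written out as an added PowerCLI example (not code from the original post or from VMware). The vCenter and host names, the vSwitch name "vSwitch1", the portgroup name "IDS-Monitor" and VLAN 10 are all assumed values.

```powershell
# Added example: allow promiscuous mode only on a dedicated IDS/IPS portgroup,
# leave the vswitch-wide default at Reject, then audit every other portgroup.
Connect-VIServer -Server "vcenter.example.local"        # assumed vCenter hostname

$vmhost  = Get-VMHost -Name "esx01.example.local"         # assumed ESXi host
$vswitch = Get-VirtualSwitch -VMHost $vmhost -Name "vSwitch1"

# 1. The vswitch-wide policy stays at Reject; normal VM portgroups inherit it,
#    so they cannot sniff frames not addressed to them.
$vswitch | Get-SecurityPolicy |
    Set-SecurityPolicy -AllowPromiscuous $false | Out-Null

# 2. A separate portgroup for the sensor. On a standard vSwitch a promiscuous
#    port only sees frames on its own VLAN, so the portgroup must sit on the
#    VLAN of the VMs being monitored (VLAN 10 is an assumed value).
$ids = New-VirtualPortGroup -VirtualSwitch $vswitch -Name "IDS-Monitor" -VLanId 10

# 3. Override the inherited policy on that one portgroup only.
$ids | Get-SecurityPolicy |
    Set-SecurityPolicy -AllowPromiscuous $true -AllowPromiscuousInherited $false | Out-Null

# 4. Audit: any other portgroup on this vswitch that allows promiscuous mode
#    is exactly the all-or-nothing exposure the article worried about.
$findings = Get-VirtualPortGroup -VirtualSwitch $vswitch |
    Where-Object { $_.Name -ne "IDS-Monitor" } |
    ForEach-Object {
        $policy = $_ | Get-SecurityPolicy
        if ($policy.AllowPromiscuous) { $_.Name }
    }

if ($findings) {
    Write-Warning ("Promiscuous mode allowed on non-sensor portgroups: " + ($findings -join ", "))
} else {
    Write-Output "OK: only IDS-Monitor may sniff on $($vswitch.Name)"
}
```

The audit step can be run on its own against an existing host to check that no regular VM portgroup has been left promiscuous.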