7.3 Ensure the vSwitch Promiscuous Mode policy is set to reject

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Ensure the Promiscuous Mode Policy within the vSwitch is set to reject. Promiscuous mode can be set at the vSwitch and/or the Portgroup level. You can override switch-level settings at the Portgroup level.

Rationale:

When promiscuous mode is enabled for a virtual switch, all virtual machines connected to the dvPortgroup have the potential of reading all packets crossing that network. This could enable unauthorized access to the contents of those packets.

Solution

To set the policy to reject, perform the following:

In the vSphere Web Client, navigate to the host.

Go to 'Hosts and Clusters' -> 'vCenter' -> host.

On the Configure tab, click Networking, and select Virtual switches.

Select a standard switch from the list and click the pencil icon to edit settings.

Select Security.

Set Promiscuous Mode to 'Reject'.

Click 'OK'.

Alternately, perform the following via the ESXi shell:

# esxcli network vswitch standard policy security set -v vSwitch2 -p false

Default Value:

reject

References:

https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.networking.doc/GUID-891147DD-3E2E-45A1-9B50-7717C3443DD7.html

Notes:

There might be a legitimate reason to enable promiscuous mode for debugging, monitoring, or troubleshooting reasons. Security devices might require the ability to see all packets on a vSwitch. An exception should be made for the dvPortgroups that these applications are connected to in order to allow for full-time visibility to the traffic on that dvPortgroup.

See Also

https://workbench.cisecurity.org/files/2816

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(12), CSCv7|12.4

Plugin: VMware

Control ID: 218d9dabda76dfc3f6fffcb313fe8c84b3db69b2bdf3d37b26e94c1724d4c00b