SRG-OS-000132-ESXI5 - vSphere management traffic must be on a restricted network.


The vSphere management network provides access to the vSphere management interface on each component. Services running on the management interface provide an opportunity for an attacker to gain privileged access to the systems. Any remote attack most likely would begin with gaining entry to this network.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


The vSphere management port group should be in a dedicated VLAN on a common vSwitch. The vSwitch can be shared with production (virtual machine) traffic, as long as the vSphere management port group's VLAN is not used by production virtual machines. As root (or using a different administrator Active Directory account), from the vSphere Client/vCenter, select the host; select the Configuration tab; then select Hardware/Networking. Select switch Properties for the Management Network NIC, and select the Ports tab. If any virtual machine traffic is found in the port list, create another vSwitch and migrate either the Management Port group or virtual machine traffic to a different vSwitch. Under the Configuration tab, select the Add Networking wizard, select either the Virtual Machine or VMkernel radio button, click Next and follow the directions for selecting the remaining switch type and connection settings based on the local system's hardware.

See Also

Item Details


References: 800-53|SC-2, CAT|II, CCI|CCI-001082, Group-ID|V-39393, Rule-ID|SV-250635r798904_rule, STIG-ID|SRG-OS-000132-ESXI5, STIG-Legacy|SV-51251, STIG-Legacy|V-39393, Vuln-ID|V-250635

Plugin: VMware

Control ID: 1be1525eb9f31b4c744ea9f496357697b05a76dbc6330dc9806aa3558b19061c