ESXI5-VMNET-000006 - All IP-based storage traffic must be isolated to a management-only network using a dedicated, physical network adaptor.

Information

Virtual machines might share virtual switches and VLANs with the IP-based storage configurations. IP-based storage includes iSCSI and NFS. This configuration might expose IP-based storage traffic to unauthorized virtual machine users. IP-based storage frequently is not encrypted. It can be viewed by anyone with access to this network. To restrict unauthorized users from viewing the IP-based storage traffic, the IP-based storage network must be logically separated from the production traffic. Configuring the IP-based storage adaptors on separate VLANs or network segments from the VMkernel management and service console network will limit unauthorized users from viewing the traffic.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Restrict physical network access to management-only entities. To modify VMkernel Networking configuration, from the vSphere Client/vCenter as administrator: Select the host in the inventory pane. On the host Configuration tab, click Networking. In the vSphere Standard Switch view, select Properties and modify the properties to enforce the dedication of at least one physical network adaptor to management-only.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_ESXi5_Server_V2R1_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|III, CCI|CCI-000366, Group-ID|V-39361, Rule-ID|SV-250548r798643_rule, STIG-ID|ESXI5-VMNET-000006, STIG-Legacy|SV-51219, STIG-Legacy|V-39361, Vuln-ID|V-250548

Plugin: VMware

Control ID: 99a5d9e0a8230dc63a8a069d8a4e628ec7643aedc0da08af85a81a8df4752cba