ESXI-67-000050 - The ESXi host must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Virtual machines might share virtual switches and VLANs with the IP-based storage configurations. IP-based storage includes vSAN, iSCSI, and NFS. This configuration might expose IP-based storage traffic to unauthorized virtual machine users. IP-based storage frequently is not encrypted. It can be viewed by anyone with access to this network.

To restrict unauthorized users from viewing the IP-based storage traffic, the IP-based storage network must be logically separated from the production traffic. Configuring the IP-based storage adaptors on separate VLANs or network segments from other VMkernels and virtual machines will limit unauthorized users from viewing the traffic.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Configuration of an IP-Based VMkernel will be unique to each environment. However, as an example, to modify the IP address and VLAN information to the correct network on a standard switch for an iSCSI VMkernel, do the following:

vSAN Example:
From the vSphere Client, select the ESXi host and go to Configure >> Networking >> VMkernel adapters.

Select the dedicated vSAN VMkernel adapter and click Edit settings.

On the Port properties tab, uncheck everything but 'vSAN.'

On the IP Settings tab, enter the appropriate IP address and subnet information and click 'OK'.

Set the appropriate VLAN ID by navigating to Configure >> Networking >> Virtual switches.

Select the appropriate portgroup (iSCSI, NFS, vSAN) and click Edit settings.

On the properties tab, enter the appropriate VLAN ID and click 'OK'.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_STIG.zip

Item Details

References: CAT|II, CCI|CCI-002418, Rule-ID|SV-239305r674844_rule, STIG-ID|ESXI-67-000050, STIG-Legacy|SV-104133, STIG-Legacy|V-94047, Vuln-ID|V-239305

Plugin: VMware

Control ID: e32d9d51479fb5cf47e767e3d312969b06f50c6313a494a4e0acbdbd728f143e