7.1.3 Ensure that the Promiscuous Mode policy is set to reject

Information

Configure the vDS Promiscuous Mode setting to reject.

*Rationale*

When promiscuous mode is enabled for a dvPortgroup, every virtual machine connected to
that dvPortgroup can potentially read all packets traversing that network; the exposure is
limited to the virtual machines connected to that dvPortgroup. Promiscuous mode is
disabled by default on the ESXi host, and this is the recommended setting. However, there
might be a legitimate reason to enable it for debugging, monitoring or troubleshooting.
Security devices might require the ability to see all packets on a vSwitch. An exception
should be made for the dvPortgroups that these applications are connected to, in order to
allow full-time visibility of the traffic on that dvPortgroup.

Solution

1. Use the vSphere Client to connect to the vCenter Server and log in as an
administrator.
2. Go to 'Home > Inventory > Networking'.
3. Select each dvPortgroup connected to active VMs requiring securing.
4. Go to tab 'Summary > Edit Settings > Policies > Security'.
5. Configure 'Promiscuous Mode' = 'Reject'
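
The same check and remediation can be scripted with VMware PowerCLI so that every dvPortgroup is covered rather than clicked through one at a time. The script below is an added example, not part of the CIS benchmark or the Tenable audit; the vCenter name and the exception list for security devices (the dvPortgroups the Rationale says should stay in promiscuous mode) are placeholders. It reports every dvPortgroup whose policy accepts promiscuous mode and, only when `-Remediate` is given, sets the policy to Reject on the non-exempt ones.

```powershell
# Added example (not from the CIS benchmark or the Tenable audit): audit, and
# optionally remediate, the Promiscuous Mode policy on every dvPortgroup.
# Requires VMware PowerCLI (VMware.VimAutomation.Vds). The server name and the
# exception list are placeholders to be replaced with real values.
param(
    [string]$Server = 'vcenter.example.com',           # placeholder vCenter name
    [string[]]$AllowedPortgroups = @('dvpg-ids-span'),  # constructed exception list for security devices
    [switch]$Remediate                                  # without this switch the script only reports
)

Import-Module VMware.VimAutomation.Vds -ErrorAction Stop
Connect-VIServer -Server $Server | Out-Null

# Collect the security policy of every dvPortgroup and decide compliance:
# "Reject" (AllowPromiscuous = $false) is compliant; "Accept" is compliant only
# for portgroups on the documented exception list.
$findings = foreach ($pg in Get-VDPortgroup) {
    $policy   = Get-VDSecurityPolicy -VDPortgroup $pg
    $isExempt = $AllowedPortgroups -contains $pg.Name
    [pscustomobject]@{
        VDSwitch         = $pg.VDSwitch.Name
        Portgroup        = $pg.Name
        AllowPromiscuous = $policy.AllowPromiscuous
        Exception        = $isExempt
        Compliant        = (-not $policy.AllowPromiscuous) -or $isExempt
        Policy           = $policy
    }
}

$findings |
    Select-Object VDSwitch, Portgroup, AllowPromiscuous, Exception, Compliant |
    Format-Table -AutoSize

$nonCompliant = @($findings | Where-Object { -not $_.Compliant })

if ($Remediate) {
    foreach ($f in $nonCompliant) {
        # Set-VDSecurityPolicy supports -WhatIf/-Confirm; remove -Confirm:$false to be
        # prompted for each portgroup before the change is applied.
        Set-VDSecurityPolicy -Policy $f.Policy -AllowPromiscuous $false -Confirm:$false | Out-Null
        Write-Host "Set Promiscuous Mode = Reject on $($f.VDSwitch)/$($f.Portgroup)"
    }
}

Disconnect-VIServer -Server $Server -Confirm:$false

# Non-zero exit when findings remain, so the script can gate a scheduled audit job.
if ($nonCompliant.Count -gt 0 -and -not $Remediate) { exit 1 }
```

Run it without `-Remediate` first to review the table; the `Exception` column shows which portgroups were skipped because they host the monitoring appliances the Impact section describes, so that list should match the documented exceptions and nothing more.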

Impact

Security devices that require the ability to see all packets on a vSwitch will not operate
properly if the Promiscuous Mode parameter is set to Reject.

Default Value

Promiscuous mode is disabled by default. This is the prescribed setting.

See Also

https://workbench.cisecurity.org/files/902

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(12), CSCv6|9.2

Plugin: VMware

Control ID: 90f2483eaca4c5e3a4590d3ccd91cadab2fa2672c75dbb27f721448577ed6bbd