7.3.3 Ensure that the vSwitch Promiscuous Mode policy is set to reject

Information

Ensure that the Promiscuous Mode Policy within the vSwitch is set to reject.

Rationale

When promiscuous mode is enabled for a virtual switch, every virtual machine connected to
the dvPortgroup can potentially read all packets crossing that network.
Promiscuous mode is disabled by default on the ESXi Server, and this is the recommended
setting. However, there might be a legitimate reason to enable it for debugging, monitoring
or troubleshooting purposes. Security devices might require the ability to see all packets on
a vSwitch. An exception should be made for the dvPortgroups that these applications are
connected to, in order to allow full-time visibility of the traffic on that dvPortgroup.

Solution

Using the vSphere Client, connect to the vCenter Server as administrator:

1. Go to 'Home > Inventory > Hosts and clusters'.
2. Select each ESXi host with active virtual switches connected to active VMs requiring
securing.
3. Go to tab 'Configuration > Network > vSwitch name > Properties > Ports > vSwitch >
Default Policies > Security'.
4. Set 'Promiscuous Mode' = 'Reject'.

Additionally, perform the following to implement the recommended configuration state via
the ESXi shell:

# esxcli network vswitch standard policy security set -v vSwitch2 -p false
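As an added example, not part of the CIS benchmark text or the Tenable plugin, the following POSIX shell helper audits every standard vSwitch on an ESXi host from the ESXi shell: it parses the output of `esxcli network vswitch standard policy security get -v <switch>`, reports whether promiscuous mode is rejected, and, when `FIX=1` is set, applies the remediation command quoted above to each non-compliant switch. The "Allow Promiscuous:" line format and the indented "Name:" field in `esxcli network vswitch standard list` are assumptions about esxcli's output; the sample listings used for the off-box dry run are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: audit (and optionally remediate) the promiscuous-mode policy
# of every standard vSwitch from the ESXi shell. Not part of the CIS text.
# Assumption: `esxcli network vswitch standard policy security get -v <sw>`
# prints a line of the form "   Allow Promiscuous: false".

# Read a security policy listing on stdin; print "reject" when promiscuous
# mode is disallowed (the compliant state), "accept" otherwise.
promisc_state() {
    awk -F': *' '/Allow Promiscuous:/ {
        s = ($2 == "false") ? "reject" : "accept"
        print s
        exit
    }'
}

# Read `esxcli network vswitch standard list` output on stdin; print one
# switch name per line. Assumes each switch has an indented "Name:" field.
vswitch_names() {
    awk -F': *' '/^ *Name:/ { print $2 }'
}

# Audit every standard vSwitch on this host. Prints "<switch>: <state>" per
# switch and returns 1 if any switch accepts promiscuous traffic. With FIX=1
# the benchmark's remediation command is applied to each non-compliant switch.
audit_host() {
    rc=0
    for sw in $(esxcli network vswitch standard list | vswitch_names); do
        state=$(esxcli network vswitch standard policy security get -v "$sw" | promisc_state)
        printf '%s: promiscuous=%s\n' "$sw" "$state"
        if [ "$state" != "reject" ]; then
            rc=1
            if [ "${FIX:-0}" = "1" ]; then
                esxcli network vswitch standard policy security set -v "$sw" -p false
            fi
        fi
    done
    return $rc
}

# Constructed sample output (not captured from a real host) so the parsers
# can be exercised off-box without esxcli.
SAMPLE_LIST='vSwitch0
   Name: vSwitch0
   Class: cswitch
vSwitch2
   Name: vSwitch2
   Class: cswitch'
SAMPLE_POLICY_OK='   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true'
SAMPLE_POLICY_BAD='   Allow Promiscuous: true
   Allow MAC Address Change: true
   Allow Forged Transmits: true'

# Dry run against the constructed samples: sh audit_vswitch.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LIST" | vswitch_names        # vSwitch0, vSwitch2
    printf '%s\n' "$SAMPLE_POLICY_OK" | promisc_state   # reject
    printf '%s\n' "$SAMPLE_POLICY_BAD" | promisc_state  # accept
fi
```

On a host, run `audit_host` as root and treat a non-zero exit as a finding; a switch that legitimately feeds a monitoring appliance should be excluded from the loop rather than silently fixed, matching the exception the rationale above describes.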

Impact

Security devices that require the ability to see all packets on a vSwitch will not operate
properly if the Promiscuous Mode parameter is set to Reject.

Default Value

The prescribed state is the default state.

See Also

https://workbench.cisecurity.org/files/902

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(12), CSCv6|9.2

Plugin: VMware

Control ID: 25ddc45a03785e01a685aed734b55d51e6a9326066d973a564c7debf5abde179