7.3 (L1) Ensure the vSwitch Promiscuous Mode policy is set to reject

Information

This recommendation is intended to address configuring a standard switch. Ensure the Promiscuous Mode Policy within the vSwitch is set to reject. Promiscuous mode can be set at the vSwitch and/or the Portgroup level. You can override switch-level settings at the Portgroup level.

When promiscuous mode is enabled for a virtual switch, all virtual machines connected to the dvPortgroup have the potential of reading all packets crossing that network. This could enable unauthorized access to the contents of those packets.

Solution

To set the policy to reject, perform the following:

- From the vSphere Web Client, select the host.
- Click Configure then expand Networking
- Select Virtual switches then click Edit
- Click on Security
- Set Promiscuous mode to Reject in the dropdown.
- Click on OK

Alternately, perform the following via the ESXi shell:

# esxcli network vswitch standard policy security set -v vSwitch2 -p false

Impact:

There might be a legitimate reason to enable promiscuous mode for debugging, monitoring, or troubleshooting reasons. Security devices might require the ability to see all packets on a vSwitch. An exception should be made for the dvPortgroups that these applications are connected to in order to allow for full-time visibility to the traffic on that dvPortgroup.

See Also

https://workbench.cisecurity.org/benchmarks/15334

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, 800-53|SC-7(5), CSCv7|12.4

Plugin: VMware

Control ID: 02e71e5de3a7091cb0eee0d10d7197d065a594da9887387d8bee6e66f047baa3