Information
Enabling promiscuous mode allows all virtual machines in a port group to read all packets transmitted across it, regardless of the intended recipient. Rejecting promiscuous mode requests on standard virtual switches and port groups prevents unauthorized packet inspection: packets reach only their intended recipients, which preserves network isolation and data privacy and minimizes the risk of data interception.
Solution
To set the policy to reject, perform the following:
- From the vSphere Web Client, select the host.
- Click Configure, then expand Networking.
- Select Virtual switches, then click Edit.
- Click Security.
- Set Promiscuous mode to Reject in the dropdown.
- Click OK.
Alternatively, run the following from the ESXi shell (replace vSwitch2 with the name of the switch being remediated):
# esxcli network vswitch standard policy security set -v vSwitch2 -p false
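The following script is an added example, not part of this benchmark page or of VMware's tooling. It audits standard vSwitches for the promiscuous-mode setting by parsing the output of `esxcli network vswitch standard policy security get -v <name>` (assumed here to print a line of the form `Allow Promiscuous: true|false`, as the command does on recent ESXi releases) and prints the remediation command from the Solution section for any switch that still allows promiscuous mode. The switch names and policy output in `sample_policy` are constructed so the logic can be exercised offline; on a host, pass `live_policy` to `audit_switches` instead.

```shell
#!/bin/sh
# Added example: audit ESXi standard vSwitches for "Allow Promiscuous" and
# report the esxcli remediation for any switch that does not reject it.

# Extract the promiscuous-mode state from one switch's policy output.
# Prints "reject", "accept" or "unknown"; always exits 0 so callers under
# `set -e` can capture the word safely.
promisc_state() {
  value=$(printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*Allow Promiscuous:[[:space:]]*//p' | head -n 1)
  case "$value" in
    false) echo reject ;;
    true)  echo accept ;;
    *)     echo unknown ;;
  esac
}

# Boolean form: exit 0 when the policy rejects promiscuous mode, 1 otherwise.
promisc_rejected() {
  [ "$(promisc_state "$1")" = reject ]
}

# The remediation command from the Solution section, for a given switch name.
remediation_cmd() {
  printf 'esxcli network vswitch standard policy security set -v %s -p false\n' "$1"
}

# Audit each named switch. The first argument is a command that prints the
# security policy for a switch name; the remaining arguments are switch names.
# Returns the number of switches that are not confirmed compliant.
audit_switches() {
  getter=$1; shift
  failed=0
  for sw in "$@"; do
    out=$("$getter" "$sw")
    case "$(promisc_state "$out")" in
      reject)
        echo "PASS $sw: promiscuous mode rejected" ;;
      accept)
        echo "FAIL $sw: promiscuous mode allowed -> $(remediation_cmd "$sw")"
        failed=$((failed + 1)) ;;
      *)
        echo "UNKNOWN $sw: no 'Allow Promiscuous' line in policy output"
        failed=$((failed + 1)) ;;
    esac
  done
  return $failed
}

# Constructed sample output (not captured from a real host) in the layout the
# `esxcli ... policy security get` command prints. vSwitch0 is compliant,
# vSwitch2 still allows promiscuous mode.
sample_policy() {
  case "$1" in
    vSwitch0) printf '   Allow Promiscuous: false\n   Allow MAC Address Change: true\n   Allow Forged Transmits: true\n' ;;
    vSwitch2) printf '   Allow Promiscuous: true\n   Allow MAC Address Change: false\n   Allow Forged Transmits: false\n' ;;
    *)        printf '' ;;
  esac
}

# Live getter for use on an ESXi host (switch names come from
# `esxcli network vswitch standard list`).
live_policy() {
  esxcli network vswitch standard policy security get -v "$1"
}

# Usage: offline demonstration against the constructed sample.
# audit_switches sample_policy vSwitch0 vSwitch2
```

Running `audit_switches sample_policy vSwitch0 vSwitch2` reports vSwitch0 as PASS and vSwitch2 as FAIL with the `esxcli ... -p false` command to run; the script's exit status is the number of non-compliant switches, which makes it easy to wire into a scheduled compliance check.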
Impact
Some workloads, such as DHCP servers or security monitoring tools, may require promiscuous mode. In such cases, a separate port group that allows this behavior, with only the authorized virtual machines connected to it, is advisable to balance operational needs with security controls.