ESXI5-VMNET-000021 - vMotion traffic must be isolated.

Information

The security issue with vMotion migrations is that information is transmitted in plain text, and anyone with access to the network over which this information flows can view it. Potential attackers can intercept vMotion traffic to obtain memory contents of a virtual machine. They might also potentially stage a MiTM attack in which the contents are modified during migration.
vMotion traffic must be sequestered from production traffic on an isolated network. This network must be non-routable (no layer-3 router spanning this and other networks), preventing outside access to the network.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To create a vMotion vSwitch from the vSphere Client/vCenter, select the ESXi host, and select the configuration tab. In the hardware panel, select Networking; click the Add Network link; choose VMKernel and click next; select the desired NIC(s). In the port groups dialog box type a name, (example: 'vMotion'). Next, select the 'use this port group for vMotion' and set the IP address and subnet mask and gateway where/as required.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_ESXi5_Server_V2R1_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|III, CCI|CCI-000366, Group-ID|V-39378, Rule-ID|SV-250563r798688_rule, STIG-ID|ESXI5-VMNET-000021, STIG-Legacy|SV-51236, STIG-Legacy|V-39378, Vuln-ID|V-250563

Plugin: VMware

Control ID: ae4cec6a1b5908e78aae8e2f586ded1638c9b9410d3af2ff6c94e3424f1b9874