ESXI5-VMNET-000020 - The system must ensure there are no unused ports on a distributed virtual port group.


The number of ports available on a dvSwitch distributed port group must be adjusted to exactly match the number of virtual machine vNICs that need to be assigned to that dvPortgroup. Limiting the number of ports to just what is needed also limits the accidental or malicious potential to move a virtual machine to an unauthorized network. This is especially relevant if the management network is on a dvPortgroup, because it could help prevent putting a rogue virtual machine on this network.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


As administrator, find all dvSwitches from the vSphere Client/vCenter:
Home >> Inventory >> Networking view.

For dvSwitches with dvPortgroups, edit the settings for that dvPortgroup. Limit (match or approximate) the number of ports in that port group to the number of vNICs residing in that port group.
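As an added example (not part of the STIG text or Tenable's plugin), the same check scripted in PowerCLI: it walks every dvSwitch, compares each dvPortgroup's configured port count with the ports a vNIC actually occupies, and can shrink oversized groups. It assumes PowerCLI is loaded and Connect-VIServer has already been run; the cmdlet and property names (Get-VDSwitch, Get-VDPortgroup, Get-VDPort, Set-VDPortgroup, NumPorts, PortBinding, IsUplink, ConnectedEntity) are PowerCLI's as I know them.

```powershell
# Added audit helper for ESXI5-VMNET-000020; not part of the STIG text or Tenable's plugin.
# Assumes VMware PowerCLI is loaded and Connect-VIServer has already been run.
function Get-DvPortgroupPortSlack {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Shrink each non-compliant port group to its in-use port count (honours -WhatIf).
        [switch]$Remediate
    )
    foreach ($vds in Get-VDSwitch) {
        foreach ($pg in Get-VDPortgroup -VDSwitch $vds) {
            # Uplink port groups carry physical NICs, not VM vNICs, so they are out of scope.
            if ($pg.IsUplink) { continue }
            # Ephemeral binding allocates ports on demand; NumPorts is not a hard ceiling there.
            if ($pg.PortBinding -eq 'Ephemeral') { continue }
            # A port with a ConnectedEntity is one a vNIC actually occupies.
            $used   = @(Get-VDPort -VDPortgroup $pg | Where-Object { $_.ConnectedEntity }).Count
            $unused = $pg.NumPorts - $used
            $result = [pscustomobject]@{
                Switch    = $vds.Name
                Portgroup = $pg.Name
                Binding   = $pg.PortBinding
                NumPorts  = $pg.NumPorts
                UsedPorts = $used
                Unused    = $unused
                Compliant = ($unused -eq 0)
            }
            if ($Remediate -and $unused -gt 0 -and
                $PSCmdlet.ShouldProcess("$($vds.Name)/$($pg.Name)", "Set NumPorts to $used")) {
                # vCenter rejects a count below the in-use ports, so $used is the floor.
                Set-VDPortgroup -VDPortgroup $pg -NumPorts $used -Confirm:$false | Out-Null
                $result.NumPorts  = $used
                $result.Unused    = 0
                $result.Compliant = $true
            }
            $result
        }
    }
}

# Report only; add -Remediate -WhatIf to preview changes, or -Remediate to apply them.
Get-DvPortgroupPortSlack | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```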

Item Details


References: 800-53|CM-6b., CAT|III, CCI|CCI-000366, Group-ID|V-39377, Rule-ID|SV-250562r798685_rule, STIG-ID|ESXI5-VMNET-000020, STIG-Legacy|SV-51235, STIG-Legacy|V-39377, Vuln-ID|V-250562

Plugin: VMware

Control ID: f94deda1b822cc523813084e77e738f4fbcb4853ab3fb0970a1e4df8927b91ad