ESXI-70-000049 - The ESXi host must protect the confidentiality and integrity of transmitted information by protecting ESXi management traffic.

Information

The vSphere management network provides access to the vSphere management interface on each component. Services running on the management interface provide an opportunity for an attacker to gain privileged access to the systems. Any remote attack most likely would begin with gaining entry to this network.

The Management VMkernel port group can be on a standard or distributed virtual switch but must be on a dedicated VLAN. The Management VLAN must not be shared by any other function and must not be accessible to anything other than management-related functions such as vCenter.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From the vSphere Client, go to Hosts and Clusters.

Select the ESXi Host >> Configure >> Networking >> VMkernel adapters.

Select the Management VMkernel and click 'Edit...'. On the 'Port' properties tab, uncheck all services except 'Management'. Click 'OK'.

From the vSphere Client, go to Hosts and Clusters.

Select the ESXi Host >> Configure >> Networking >> Virtual switches.

Find the port group that contains the Management VMkernel and click the '...' button next to the name. Click 'Edit Settings'.

On the 'Properties' tab, change the 'VLAN ID' to one dedicated to Management traffic. Click 'OK'.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_7-0_Y23M07_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-8, CAT|II, CCI|CCI-002418, Rule-ID|SV-256412r919022_rule, STIG-ID|ESXI-70-000049, Vuln-ID|V-256412

Plugin: VMware

Control ID: a2acf3c26e85be2037c74fcb0fac781278590dc2254dfb946602189e9b93360f