VCSA-70-000279 - The vCenter Server must protect the confidentiality and integrity of transmitted information by isolating Internet Protocol (IP)-based storage traffic.

Information

Virtual machines might share virtual switches and virtual local area networks (VLAN) with the IP-based storage configurations.

IP-based storage includes vSAN, Internet Small Computer System Interface (iSCSI), and Network File System (NFS). Such a shared configuration might expose IP-based storage traffic to unauthorized virtual machine users. IP-based storage traffic is frequently not encrypted, so it can be read by anyone with access to that network.

To prevent unauthorized users from viewing the IP-based storage traffic, the IP-based storage network must be logically separated from the production traffic. Configuring the IP-based storage adapters on separate VLANs or network segments from other VMkernel adapters and virtual machines prevents unauthorized users from viewing the traffic.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Configuration of an IP-based VMkernel will be unique to each environment.

To configure VLANs and traffic types, do the following:

Standard switch:

From the vSphere Client, select the ESXi host and go to Configure >> Networking >> VMkernel adapters.

Select the Storage VMkernel (for any IP-based storage). Click 'Edit...' and click the 'Port properties' tab.

Uncheck all enabled services (leave the vSAN service enabled only on the vSAN VMkernel).

Click the 'IPv4' settings or 'IPv6' settings tab.

Enter the appropriate IP address and subnet information.

Click 'OK'.

From the vSphere Client, select the ESXi host and go to Configure >> Networking >> Virtual switches. Select a standard switch.

For each storage port group (iSCSI, NFS, vSAN), select the port group and click '...'. Click 'Edit Settings'. On the 'Properties' tab, enter the appropriate VLAN ID and click 'OK'.

Distributed switch:

From the vSphere Client, go to 'Networking'.

Select a distributed switch >> Configure >> Settings >> Topology.

Select the Storage VMkernel (for any IP-based storage). Click '...' and click 'Edit Settings'.

On the 'Port properties' tab, uncheck all enabled services (leave the vSAN service enabled only on the vSAN VMkernel).

Click the 'IPv4' settings or 'IPv6' settings tab.

Enter the appropriate IP address and subnet information.

Click 'OK'.

From the vSphere Client, go to Networking >> Select and expand a distributed switch.

For each storage port group (iSCSI, NFS, vSAN), select the port group and navigate to Configure >> Settings >> Properties.

Click 'Edit'.

Click the 'VLAN' tab.

Enter the appropriate VLAN type and ID and click 'OK'.
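Because Nessus does not perform this check, the following is an added, read-only PowerCLI audit that mirrors the manual steps above for both the standard-switch and distributed-switch procedures. It is example code and not part of the STIG or of the Tenable audit. It assumes an existing Connect-VIServer session and that storage VMkernel adapters can be recognised by a port group name matching $StoragePattern (an assumed naming convention; adjust it to your environment). It reports storage VMkernels that still carry management, vMotion or FT logging traffic, vSAN traffic on a non-vSAN adapter, untagged storage port groups, and storage VLANs shared with virtual machine or non-storage VMkernel port groups.

```powershell
# Added example (not part of the STIG or the Tenable audit): read-only PowerCLI
# audit for VCSA-70-000279.
# Assumptions: an existing Connect-VIServer session; storage VMkernel adapters
# are identified by a port group name matching $StoragePattern (assumed naming).
param(
    [string]$StoragePattern = 'iSCSI|NFS|vSAN'
)

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$HostName, [string]$Adapter, [string]$PortGroup, [string]$Issue) {
    $script:findings.Add([pscustomobject]@{
        HostName = $HostName; Adapter = $Adapter; PortGroup = $PortGroup; Issue = $Issue
    })
}

foreach ($vmhost in Get-VMHost) {
    $vmks       = @(Get-VMHostNetworkAdapter -VMHost $vmhost -VMKernel)
    $vmkPgNames = @($vmks | ForEach-Object { $_.PortGroupName })

    # Port group name -> VLAN ID, covering both standard and distributed port
    # groups. VLAN 0 on a standard port group means untagged; a distributed
    # port group without a plain VLAN configuration is treated as 0 as well.
    $pgVlan = @{}
    foreach ($pg in @(Get-VirtualPortGroup -VMHost $vmhost -Standard)) {
        $pgVlan[$pg.Name] = [int]$pg.VLanId
    }
    foreach ($pg in @(Get-VDSwitch -VMHost $vmhost | Get-VDPortgroup)) {
        $cfg = $pg.VlanConfiguration
        $pgVlan[$pg.Name] = if ($cfg -and $cfg.VlanType -eq 'Vlan') { [int]$cfg.VlanId } else { 0 }
    }

    $storageVmks = @($vmks | Where-Object { $_.PortGroupName -match $StoragePattern })

    foreach ($vmk in $storageVmks) {
        $pgName = $vmk.PortGroupName
        $isVsan = $pgName -match 'vSAN'

        # Step "uncheck all enabled services (unless vSAN)": a storage VMkernel
        # must not carry management, vMotion or FT logging traffic, and vSAN
        # traffic belongs only on the vSAN VMkernel.
        if ($vmk.ManagementTrafficEnabled)     { Add-Finding $vmhost.Name $vmk.Name $pgName 'Management traffic enabled on storage VMkernel' }
        if ($vmk.VMotionEnabled)               { Add-Finding $vmhost.Name $vmk.Name $pgName 'vMotion enabled on storage VMkernel' }
        if ($vmk.FaultToleranceLoggingEnabled) { Add-Finding $vmhost.Name $vmk.Name $pgName 'FT logging enabled on storage VMkernel' }
        if ($vmk.VsanTrafficEnabled -and -not $isVsan) { Add-Finding $vmhost.Name $vmk.Name $pgName 'vSAN traffic enabled on a non-vSAN storage VMkernel' }

        # Step "enter the appropriate VLAN ID": the storage port group must sit
        # on a VLAN that no VM port group or non-storage VMkernel shares.
        if (-not $pgVlan.ContainsKey($pgName)) {
            Add-Finding $vmhost.Name $vmk.Name $pgName 'Port group VLAN could not be determined'
            continue
        }
        $vlan = $pgVlan[$pgName]
        if ($vlan -eq 0) {
            Add-Finding $vmhost.Name $vmk.Name $pgName 'Storage port group is untagged (VLAN 0); confirm physical segmentation'
        }
        foreach ($name in $pgVlan.Keys) {
            if ($name -eq $pgName -or $pgVlan[$name] -ne $vlan) { continue }
            if ($name -match $StoragePattern) { continue }   # another storage port group: still isolated from production
            $kind = if ($vmkPgNames -contains $name) { 'non-storage VMkernel' } else { 'virtual machine' }
            Add-Finding $vmhost.Name $vmk.Name $pgName "VLAN $vlan shared with $kind port group '$name'"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings: IP-based storage VMkernels are isolated on all hosts.'
} else {
    $findings | Sort-Object HostName, Adapter | Format-Table -AutoSize
}

# Remediation is deliberately not performed by this audit. The same settings the
# GUI steps change can be applied with, for example (VLAN IDs are placeholders):
#   Get-VirtualPortGroup -VMHost $vmhost -Name 'iSCSI' | Set-VirtualPortGroup -VLanId 200
#   Get-VDPortgroup -Name 'NFS' | Set-VDPortgroup -VlanId 201
#   Set-VMHostNetworkAdapter -VirtualNic $vmk -ManagementTrafficEnabled $false -VMotionEnabled $false -FaultToleranceLoggingEnabled $false
```

Two storage port groups that share a VLAN with each other (for example iSCSI and NFS on one storage VLAN) are not reported, since the control requires separation from production traffic rather than from other storage traffic; tighten the last check if your design gives each storage protocol its own VLAN.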

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_7-0_Y24M01_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-256359r885688_rule, STIG-ID|VCSA-70-000279, Vuln-ID|V-256359

Plugin: VMware

Control ID: 20d792d397c015d5e18d55e559a8bb450fc09bb80e3bcb2208d796634dca74f6