ESXI-06-000050 - The system must protect the confidentiality and integrity of transmitted information by protecting IP based management traffic.

Information

Virtual machines might share virtual switches and VLANs with the IP-based storage configurations. IP-based storage includes iSCSI and NFS. This configuration might expose IP-based storage traffic to unauthorized virtual machine users. IP-based storage frequently is not encrypted. It can be viewed by anyone with access to this network. To restrict unauthorized users from viewing the IP-based storage traffic, the IP-based storage network must be logically separated from the production traffic. Configuring the IP-based storage adaptors on separate VLANs or network segments from other VMkernels and Virtual Machines will limit unauthorized users from viewing the traffic.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Configuration of an IP-Based VMkernel will be unique to each environment but for example to modify the IP address and VLAN information to the correct network on a standard switch for an iSCSI VMkernel do the following:

From the vSphere Client select the ESXi host and go to Configuration >> Networking >> On the vSwitch that contains the iSCSI VMkernel select Properties. Select the iSCSI VMkernel and click Edit >> On the General tab uncheck everything and set the appropriate VLAN ID >> Go to the IP Settings tab >> Enter the appropriate IP address and subnet information and click OK.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMware_vSphere_6-0_ESXi_V1R5_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-8, CAT|II, CCI|CCI-002418, Group-ID|V-63269, Rule-ID|SV-77759r1_rule, STIG-ID|ESXI-06-000050, Vuln-ID|V-63269

Plugin: VMware

Control ID: b062d1199a7e85e8fdd04764eab3016eb11c20035257ce6c38beb56975ba7baf