The service console and virtual machines are not on dedicated VLANs or network segments.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-15802 | ESX0130 | SV-16741r1_rule | Medium |
| Description |
|---|
| Virtual machine traffic destined for a physical network should always be placed on a separate physical adapter from service console traffic. It is appropriate to use as many additional physical adapters as are necessary to support virtual machine networks. It may be sufficient to place the service console and virtual machine networks on separate VLANs connected to the same adapter, but connecting them to separate physical networks provides better isolation and more configuration control than is available using VLANs alone. The ESX Server VLAN implementation provides adequate network isolation, but it is possible that traffic could be misdirected due to improper configuration or security vulnerabilities in external networking hardware. It is safer to keep them physically separate. |
| STIG | Date |
|---|---|
| VMware ESX 3 Virtual Center | 2016-05-03 |
Details
| Check Text ( C-16019r1_chk ) |
|---|
| 1. Log into VirtualCenter with the VI Client and select the ESX server from the inventory panel. The hardware configuration page for the server appears. 2. Click the Configuration tab, and click Networking. 3. Examine the virtual switches and their respective VLAN IDs. A separate VLAN ID should be configured for the service console and virtual machine traffic. If the virtual machines and service console are on the same VLAN ID, this is a finding. |
| Fix Text (F-15745r1_fix) |
|---|
| Configure separate VLANs or network segments for the service console and virtual machine traffic. |