
VI Web Access sessions with VirtualCenter are unencrypted.


Overview

Finding ID: V-15873
Version: ESX0740
Rule ID: SV-16814r1_rule
IA Controls: ECCT-1, ECCT-2
Severity: Medium
Description
User sessions with VirtualCenter should be encrypted because data transmitted in plaintext may be viewed as it travels through the network. User sessions may be initiated from the VI client and VI Web Access. To encrypt session data, the sending component, such as a gateway or redirector, applies ciphers to alter the data before transmitting it. The receiving component uses a key to decrypt the data, returning it to its original form. To ensure the protection of the data transmitted to and from external network connections, all VI client and web access sessions with VirtualCenter will be encrypted with a FIPS 140-2 encryption algorithm.
STIG Date
VMware ESX 3 Virtual Center 2016-05-03

Details

Check Text (C-16230r1_chk)
1. Log in to VirtualCenter through the VI Client.
2. Select an ESX Server host from the inventory panel.
3. Select the configuration tab.
4. Select advanced settings in the software section.
5. Verify that “Config.Defaults.security.host.ruissl” is checked. This setting requires SSL to be used when communicating with the host over port 902. If it is not checked, this is a finding.
Fix Text (F-15833r1_fix)
Encrypt all VI Web Access sessions with VirtualCenter.