
The system must enable bidirectional CHAP authentication for iSCSI traffic.


Overview

Finding ID: V-39298
Version: SRG-OS-99999-ESXI5-000141
Rule ID: SV-51114r1_rule
IA Controls: (none listed)
Severity: Low
Description
When enabled, vSphere performs CHAP authentication in both directions: the iSCSI target authenticates the host, and the host authenticates the target. If the target and host are not both authenticated, an attacker on the storage network can impersonate whichever side of the connection is left unauthenticated (a man-in-the-middle attack) in order to steal data. Bidirectional authentication mitigates this risk. CHAP authenticates the endpoints only; it does not encrypt the iSCSI session, so it does not by itself protect data in transit from a passive observer on the same storage network.
STIG: VMware ESXi Server 5.0 Security Technical Implementation Guide
Date: 2017-01-06

Details

Check Text (C-46562r1_chk)
This check applies to the use of iSCSI storage. If iSCSI storage is not used, this check is not applicable.
In the vSphere Client, select the host, and then choose: Configuration >> Storage Adapters >> iSCSI Initiator Properties >> CHAP >> CHAP (Target Authenticates Host). Determine whether "Use CHAP" is selected with a "Name" and a "Secret" configured.
If iSCSI storage is used and "Use CHAP" is not selected and configured with a "Name" and a "Secret", this is a finding.
Note that "CHAP (Target Authenticates Host)" covers only the one-way direction. The requirement stated in this rule is bidirectional, so in the same CHAP dialog also verify that "Mutual CHAP (Host Authenticates Target)" is set to "Use CHAP" with its own "Name" and "Secret"; if it is not, the host is not performing bidirectional authentication.
Fix Text (F-44277r1_fix)
In the vSphere Client, select the host, and then choose: Configuration >> Storage Adapters >> iSCSI Initiator Properties >> CHAP >> CHAP (Target Authenticates Host). Select "Use CHAP", and configure the "Name" and "Secret" options.
For bidirectional authentication, also set "Mutual CHAP (Host Authenticates Target)" to "Use CHAP" and configure its "Name" and "Secret" in the same dialog. Use a mutual CHAP secret that differs from the one-way CHAP secret, and make sure both credentials match what is configured on the iSCSI target; otherwise the host will fail to log in to the target after the change.
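The check and fix above are written for the vSphere Client. The following is an added example, not part of the STIG and not VMware tooling, of performing the same check from the ESXi Shell with esxcli so that both CHAP directions are evaluated. It assumes that "esxcli iscsi adapter auth chap get --adapter=<vmhba> --direction=uni|mutual" prints "Direction:", "Level:" and "Name:" lines (the secret is never printed), that the vSphere Client choice "Use CHAP" corresponds to the esxcli level "required", and that the adapter name vmhba33 and the IQNs in the constructed sample outputs are placeholders; confirm the output format on your own host before relying on it.

```shell
#!/bin/sh
# Added example: esxcli-based equivalent of the CHAP check, covering both
# directions.  Not part of the STIG or of VMware's own tooling.
#
# Assumptions (verify on the host):
#   - "esxcli iscsi adapter auth chap get --adapter=<vmhba> --direction=uni|mutual"
#     prints "Direction:", "Level:" and "Name:" lines; the secret is not shown.
#   - vSphere Client "Use CHAP" == esxcli Level "required" (preferred,
#     discouraged and prohibited are weaker and do not satisfy the rule).
#   - vmhba33 and the IQNs below are placeholders.

# Exit 0 when one direction's "chap get" output shows CHAP required with a
# name configured; any other level, or an empty name, means not enforced.
chap_direction_ok() {
    level=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Level:[[:space:]]*//p')
    name=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Name:[[:space:]]*//p')
    [ "$level" = "required" ] && [ -n "$name" ]
}

# Evaluates both directions.  Prints "compliant" only when the target
# authenticates the host (uni) AND the host authenticates the target (mutual);
# otherwise prints a finding naming the missing direction(s) and returns 1.
chap_bidirectional_check() {
    missing=""
    chap_direction_ok "$1" || missing="$missing uni"
    chap_direction_ok "$2" || missing="$missing mutual"
    if [ -z "$missing" ]; then
        echo "compliant"
        return 0
    fi
    echo "finding: CHAP not required in direction(s):$missing"
    return 1
}

# Live audit of one adapter.  Only runs where esxcli exists (ESXi Shell or an
# SSH session to the host); elsewhere it reports that it could not run.
audit_adapter() {
    adapter="$1"
    command -v esxcli >/dev/null 2>&1 || { echo "$adapter: esxcli not available"; return 2; }
    uni=$(esxcli iscsi adapter auth chap get --adapter="$adapter" --direction=uni)
    mutual=$(esxcli iscsi adapter auth chap get --adapter="$adapter" --direction=mutual)
    result=$(chap_bidirectional_check "$uni" "$mutual"); rc=$?
    echo "$adapter: $result"
    return $rc
}

# Constructed sample outputs, shaped like the assumed esxcli format.
SAMPLE_UNI_REQUIRED="   Direction: uni
   Level: required
   Name: iqn.1998-01.com.vmware:esx01-1a2b3c4d"
SAMPLE_MUTUAL_REQUIRED="   Direction: mutual
   Level: required
   Name: iqn.2000-01.com.example:storage-array-1"
SAMPLE_MUTUAL_OFF="   Direction: mutual
   Level: prohibited
   Name:"

# Stand-alone demo: one-way CHAP alone is a finding under this rule.
chap_bidirectional_check "$SAMPLE_UNI_REQUIRED" "$SAMPLE_MUTUAL_REQUIRED"
chap_bidirectional_check "$SAMPLE_UNI_REQUIRED" "$SAMPLE_MUTUAL_OFF" || true
```

Because esxcli does not display the secret, this confirms only that each direction is set to "required" with a name; whether the secret value is correct is proven by a successful target login, not by inspection. The corresponding fix for the missing direction is the matching "esxcli iscsi adapter auth chap set" command with --direction=mutual and --level=required (check its exact parameters with "esxcli iscsi adapter auth chap set --help" on your host); note that a secret passed on that command line lands in the shell history and is visible in the process list while the command runs.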