
The system must ensure there are no unused ports on a distributed virtual port group.


Overview

Finding ID: V-39377
Version: ESXI5-VMNET-000020
Rule ID: SV-51235r3_rule
IA Controls:
Severity: Low
Description
The number of ports available on a dvSwitch distributed port group must be adjusted to exactly match the number of virtual machine vNICs that need to be assigned to that dvPortgroup. Limiting the number of ports to just what is needed also limits the accidental or malicious potential to move a virtual machine to an unauthorized network. This is especially relevant if the management network is on a dvPortgroup, because it could help prevent putting a rogue virtual machine on this network.
STIG: VMware ESXi Server 5.0 Security Technical Implementation Guide
Date: 2017-01-06

Details

Check Text ( C-46651r5_chk )
If a vNetwork Distributed Switch (vDS) is not configured, this is not applicable.

As administrator, find all dvSwitches from the vSphere Client/vCenter, Home >> Inventory >> Networking view. For any dvSwitches with dvPortgroups, verify the settings for that dvPortgroup. Compare the number of ports in that port group to the number of vNICs connecting to that port group. The number of ports must match, or approximate to the nearest number of menu selectable ports, the number of vNICs residing in that port group.

If the number of ports in the port group does not match (or approximate to the nearest number of menu-selectable ports) the number of VM NICs connecting to that port group, this is a finding.
Fix Text (F-44391r4_fix)
As administrator, find all dvSwitches from the vSphere Client/vCenter:
Home >> Inventory >> Networking view.

For dvSwitches with dvPortgroups, edit the settings for that dvPortgroup. Limit (match or approximate) the number of ports in that port group to the number of vNICs residing in that port group.
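The check and fix above are written for the vSphere Client. The following PowerCLI script is an added example, not part of the STIG, that performs the same comparison across every dvPortgroup and then resizes the ones that are over-provisioned. It assumes an existing Connect-VIServer session to vCenter and the PowerCLI VDS cmdlets (Get-VDSwitch, Get-VDPortgroup, Set-VDPortgroup); the variable and column names are my own.

```powershell
# Added example (not from the STIG): audit dvPortgroup port counts against attached vNICs.
# Assumes Connect-VIServer has already been run and the VDS cmdlets are loaded.

# Count VM vNICs per network name; NetworkName is the name of the port group the vNIC uses.
$nicCounts = @{}
Get-VM | Get-NetworkAdapter | ForEach-Object {
    if ($_.NetworkName) {
        $nicCounts[$_.NetworkName] = 1 + [int]$nicCounts[$_.NetworkName]
    }
}

# One row per dvPortgroup: configured ports vs. vNICs actually residing in it.
$report = foreach ($vds in Get-VDSwitch) {
    foreach ($pg in Get-VDPortgroup -VDSwitch $vds) {
        $vnics = [int]$nicCounts[$pg.Name]
        [pscustomobject]@{
            Switch    = $vds.Name
            Portgroup = $pg.Name
            NumPorts  = $pg.NumPorts
            vNICs     = $vnics
            Unused    = $pg.NumPorts - $vnics
            # Exact comparison; the STIG accepts the nearest menu-selectable value,
            # so a reviewer decides whether a small difference is acceptable.
            Finding   = ($pg.NumPorts -ne $vnics)
        }
    }
}

$report | Sort-Object Finding -Descending | Format-Table -AutoSize

# Remediation: shrink over-provisioned port groups to exactly their vNIC count.
# Rows with zero vNICs (for example uplink port groups) are left for manual review.
# -Confirm prompts before each change so the operator sees every resize.
foreach ($row in $report | Where-Object { $_.Finding -and $_.vNICs -gt 0 }) {
    $pg = Get-VDPortgroup -Name $row.Portgroup -VDSwitch $row.Switch
    Set-VDPortgroup -VDPortgroup $pg -NumPorts $row.vNICs -Confirm:$true
}
```

Run the audit section first and keep the report as evidence for the check; a port group whose vNIC count grows later will need its port count raised again, so re-run the script whenever VMs are added to a dvPortgroup.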