
All IP-based storage traffic must be isolated.


Overview

Finding ID: ESXI5-VMNET-000006
Version: ESXI5-VMNET-000006
Rule ID: ESXI5-VMNET-000006_rule
IA Controls: (none listed)
Severity: Low
Description
Virtual machines might share virtual switches and VLANs with the IP-based storage configuration. IP-based storage includes iSCSI and NFS. Such a configuration exposes IP-based storage traffic to unauthorized virtual machine users: IP-based storage traffic is frequently unencrypted, so anyone with access to that network can read it. To prevent unauthorized users from viewing IP-based storage traffic, the IP-based storage network must be logically separated from production traffic. Placing the IP-based storage adaptors on VLANs or network segments separate from both the virtual machine networks and the VMkernel management and service console network limits who can observe the traffic.
STIG: VMware ESXi v5 Security Technical Implementation Guide
Date: 2013-01-15

Details

Check Text ( C-ESXI5-VMNET-000006_chk )
Ask the SA if the system includes IP-based storage. If it does not, this check does not apply and is not a finding.

Ask the SA if the physical network is accessed by any non-management (i.e., production) entity. If it is, this is a finding.

To view the VMkernel Networking configuration, from the vSphere Client/vCenter as administrator:

1. Select the host in the inventory pane.
2. On the host Configuration tab, click Networking.
3. In the vSphere Standard Switch view, select Properties and verify the following:

A. At least one physical network adaptor is dedicated to management.
B. The storage port group is on a management-only vSwitch.
C. The storage port group vSwitch exclusively contains non-management port groups.

If the conditions of test steps A, B, and C exist, this is not a finding. If any of the conditions of test steps A, B, and C do not exist, this is a finding.
Fix Text (F-ESXI5-VMNET-000006_fix)
Restrict physical network access to management-only entities.

To modify VMkernel Networking configuration, from the vSphere Client/vCenter as administrator:

1. Select the host in the inventory pane.
2. On the host Configuration tab, click Networking.
3. In the vSphere Standard Switch view, select Properties and modify to enforce the following:

A. At least one physical network adaptor is dedicated to management.
B. The storage port group is on a management-only vSwitch.
C. The storage port group vSwitch exclusively contains non-management port groups.
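The check and fix above are written for the vSphere Client. The following PowerCLI function is an added example, not part of the STIG or of VMware's tooling, that applies the same three conditions to one host from the command line so the check can be repeated across an estate. It assumes PowerCLI is loaded and Connect-VIServer has already been run. ESXi 5 standard switches carry no "storage" service flag on a VMkernel adapter, so the storage port groups are identified by a name pattern the SA supplies; the default regex and the host names in the usage comment are assumptions for illustration. A port group is treated as a VMkernel port group when a vmkN adapter is attached to it; any other port group can only carry virtual machine (production) traffic, which is how conditions B and C are evaluated together. The VLAN comparison against the management port group reflects the description's requirement for separate segments.

```powershell
# Added example (not STIG or VMware code): audit ESXI5-VMNET-000006 on one host.
# Assumes PowerCLI is loaded and Connect-VIServer has been run.
# $StoragePortGroupPattern is an assumption: ESXi 5 has no storage service flag on
# a vmknic, so the SA identifies storage port groups by name.
function Test-StorageTrafficIsolation {
    param(
        [Parameter(Mandatory = $true)][string]$VMHostName,
        [string]$StoragePortGroupPattern = '^(iSCSI|NFS|Storage)'
    )

    $vmhost     = Get-VMHost -Name $VMHostName
    $vswitches  = @(Get-VirtualSwitch -VMHost $vmhost -Standard)
    $portGroups = @(Get-VirtualPortGroup -VMHost $vmhost -Standard)
    $vmks       = @(Get-VMHostNetworkAdapter -VMHost $vmhost -VMKernel)

    # A port group that a vmkN adapter attaches to is a VMkernel port group;
    # every other port group can only host virtual machines (production traffic).
    $vmkPgNames = @($vmks | ForEach-Object { $_.PortGroupName })
    $vmPgs      = @($portGroups | Where-Object { $vmkPgNames -notcontains $_.Name })

    # A vSwitch is "management-only" when it has a physical uplink and no VM port group.
    $mgmtOnlySwitchNames = @($vswitches | Where-Object {
        $sw = $_
        (@($sw.Nic).Count -gt 0) -and
        -not ($vmPgs | Where-Object { $_.VirtualSwitchName -eq $sw.Name })
    } | ForEach-Object { $_.Name })

    $findings = @()

    # Condition A: the vmknic with Management Traffic enabled must sit on a
    # management-only vSwitch, which is what gives management a dedicated adapter.
    $mgmtPgNames = @($vmks | Where-Object { $_.ManagementTrafficEnabled } |
                    ForEach-Object { $_.PortGroupName })
    $mgmtPgs = @($portGroups | Where-Object { $mgmtPgNames -contains $_.Name })
    $mgmtOnMgmtOnly = @($mgmtPgs | Where-Object {
        $mgmtOnlySwitchNames -contains $_.VirtualSwitchName })
    if ($mgmtOnMgmtOnly.Count -eq 0) {
        $findings += 'A: no physical adapter is dedicated to management (the management vmknic shares a vSwitch with VM port groups or has no uplink)'
    }

    # Conditions B and C: each storage port group must be on a vSwitch that carries
    # only VMkernel port groups and has its own uplink; flag a shared VLAN as well.
    $storagePgs = @($portGroups | Where-Object { $_.Name -match $StoragePortGroupPattern })
    if ($storagePgs.Count -eq 0) {
        $findings += "No port group matched '$StoragePortGroupPattern'; confirm with the SA whether the host uses IP-based storage (if not, this check is N/A)"
    }
    foreach ($pg in $storagePgs) {
        $sw = $vswitches | Where-Object { $_.Name -eq $pg.VirtualSwitchName }
        $sharedVmPgs = @($vmPgs | Where-Object { $_.VirtualSwitchName -eq $sw.Name })
        if ($sharedVmPgs.Count -gt 0) {
            $names = ($sharedVmPgs | ForEach-Object { $_.Name }) -join ', '
            $findings += "B/C: storage port group '$($pg.Name)' on $($sw.Name) shares the vSwitch with VM port group(s): $names"
        }
        if (@($sw.Nic).Count -eq 0) {
            $findings += "B: storage vSwitch $($sw.Name) has no physical uplink"
        }
        foreach ($mpg in $mgmtPgs) {
            # Same VLAN tag on the same vSwitch means the same segment. Across
            # vSwitches with separate uplinks only the physical switch can tell.
            if ($mpg.VirtualSwitchName -eq $pg.VirtualSwitchName -and $mpg.VLanId -eq $pg.VLanId) {
                $findings += "VLAN: storage port group '$($pg.Name)' and management port group '$($mpg.Name)' share VLAN $($pg.VLanId) on $($sw.Name)"
            }
        }
    }

    if ($findings.Count -eq 0) {
        Write-Output "$($VMHostName): not a finding"
    } else {
        $findings | ForEach-Object { Write-Output "$($VMHostName): FINDING - $_" }
    }
    return $findings
}

# Usage (host and pattern are placeholders):
#   Connect-VIServer vcenter.example.com
#   Test-StorageTrafficIsolation -VMHostName esx01.example.com -StoragePortGroupPattern '^iSCSI'
```

The function returns the list of findings, so an empty result means the host passes the automatable part of the check; the two questions to the SA in the Check Text (whether IP-based storage is in use at all, and whether any non-management entity reaches the physical network) still have to be answered by hand.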