The system must ensure the dvPortgroup Promiscuous Mode policy is set to reject.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
ESXI5-VMNET-000019	ESXI5-VMNET-000019	ESXI5-VMNET-000019_rule		Medium

Description
When promiscuous mode is enabled for a dvPortgroup, all virtual machines connected to the dvPortgroup have the potential of reading all packets across that network, meaning only the virtual machines connected to that dvPortgroup. Promiscuous mode is disabled by default on the ESXI Server, and this is the recommended setting. However, there might be a legitimate reason to enable it for debugging, monitoring or troubleshooting reasons. Security devices might require the ability to see all packets on a vSwitch. An exception should be made for the dvPortgroups that these applications are connected to, in order to allow for full-time visibility to the traffic on that dvPortgroup.

Description

When promiscuous mode is enabled for a dvPortgroup, all virtual machines connected to the dvPortgroup have the potential of reading all packets across that network, meaning only the virtual machines connected to that dvPortgroup. Promiscuous mode is disabled by default on the ESXI Server, and this is the recommended setting. However, there might be a legitimate reason to enable it for debugging, monitoring or troubleshooting reasons. Security devices might require the ability to see all packets on a vSwitch. An exception should be made for the dvPortgroups that these applications are connected to, in order to allow for full-time visibility to the traffic on that dvPortgroup.

STIG	Date
VMware ESXi v5 Security Technical Implementation Guide	2013-01-15

Details

Check Text ( C-ESXI5-VMNET-000019_chk )
From the vSphere Client/vCenter Server as administrator: Go to "Home>> Inventory>> Hosts and clusters". Select each ESXi host with active virtual switches connected to active VMs requiring securing. Go to tab "Home>> Inventory>>Networking". Individually select each dvPortgroup, then go to tab "Summary>>Edit Settings>>Policies>> Security". Verify "Promiscuous Mode" = "Reject". If the "Promiscuous Mode" parameter is not set to "Reject", this is a finding.

Check Text ( C-ESXI5-VMNET-000019_chk )

From the vSphere Client/vCenter Server as administrator:

Go to "Home>> Inventory>> Hosts and clusters".
Select each ESXi host with active virtual switches connected to active VMs requiring securing.
Go to tab "Home>> Inventory>>Networking". Individually select each dvPortgroup, then go to tab "Summary>>Edit Settings>>Policies>> Security".
Verify "Promiscuous Mode" = "Reject".

If the "Promiscuous Mode" parameter is not set to "Reject", this is a finding.

Fix Text (F-ESXI5-VMNET-000019_fix)
From the vSphere Client/vCenter Server as administrator: Go to "Home>> Inventory>> Hosts and clusters". Select each ESXi host with active virtual switches connected to active VMs requiring securing. Go to tab "Home>> Inventory>> Networking". Individually select each dvPortgroup, then go to tab "Summary>> Edit Settings>>Policies>> Security". Set the "Promiscuous Mode" keyword to "Reject".