Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
GEN003603-ESXI5-PF | GEN003603-ESXI5-PF | GEN003603-ESXI5-PF_rule | Medium |
Description |
---|
Responding to broadcast Internet Control Message Protocol (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks. Applicable, but permanent finding - The hypervisor does not support this functionality (No ndd network tuning facility). The vSphere management network provides access to the vSphere management interface on each component. Services running on the management interface provide an opportunity for an attacker to gain privileged access to the systems. Any remote attack most likely would begin with gaining entry to this network. The vSphere management port group should be in a dedicated VLAN on a common vSwitch. The vSwitch can be shared with production (virtual machine) traffic, as long as the vSphere management port group's VLAN is not used by production virtual machines. Check that the network segment is not routed, except possibly to networks where other management-related entities are found. Production virtual machine traffic must not be routed to this network. The firewall is enabled by default and allows Internet Control Message Protocol (ICMP) pings and communication with DHCP and DNS (UDP only) clients. |
STIG | Date |
---|---|
VMware ESXi v5 Security Technical Implementation Guide | 2013-01-15 |
Check Text ( C-GEN003603-ESXI5-PF_chk ) |
---|
ESXi does not support this requirement. This is a permanent finding. |
Fix Text (F-GEN003603-ESXI5-PF_fix) |
---|
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented but this finding cannot be considered fixed. |