The system must use a reverse-path filter for IPv4 network traffic when possible.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
GEN003613-ESXI5-PF	GEN003613-ESXI5-PF	GEN003613-ESXI5-PF_rule		Medium

Description
Reverse-path filtering provides protection against spoofed source addresses by causing the system to discard packets that have source addresses for which the system has no route or if the route does not point towards the interface on which the packet arrived. Reverse-path filtering should be used whenever possible. Depending on the role of the system, reverse-path filtering may cause legitimate traffic to be discarded and, therefore, should be used in a more permissive mode or not at all. Permanent finding - The vSphere management network provides access to the vSphere management interface on each component. Services running on the management interface provide an opportunity for an attacker to gain privileged access to the systems. Any remote attack most likely would begin with gaining entry to this network. The vSphere management port group should be in a dedicated VLAN on a common vSwitch. The vSwitch can be shared with production (virtual machine) traffic, as long as the vSphere management port group's VLAN is not used by production virtual machines. Check that the network segment is not routed, except possibly to networks where other management-related entities are found. Production virtual machine traffic must not be routed to this network.

Description

Reverse-path filtering provides protection against spoofed source addresses by causing the system to discard packets that have source addresses for which the system has no route or if the route does not point towards the interface on which the packet arrived. Reverse-path filtering should be used whenever possible. Depending on the role of the system, reverse-path filtering may cause legitimate traffic to be discarded and, therefore, should be used in a more permissive mode or not at all. Permanent finding - The vSphere management network provides access to the vSphere management interface on each component. Services running on the management interface provide an opportunity for an attacker to gain privileged access to the systems. Any remote attack most likely would begin with gaining entry to this network. The vSphere management port group should be in a dedicated VLAN on a common vSwitch. The vSwitch can be shared with production (virtual machine) traffic, as long as the vSphere management port group's VLAN is not used by production virtual machines. Check that the network segment is not routed, except possibly to networks where other management-related entities are found. Production virtual machine traffic must not be routed to this network.

STIG	Date
VMware ESXi v5 Security Technical Implementation Guide	2013-01-15

Details

Check Text ( C-GEN003613-ESXI5-PF_chk )
ESXi does not support this requirement. This is a permanent finding.

Fix Text (F-GEN003613-ESXI5-PF_fix)
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented but this finding cannot be considered fixed.