
The operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks.


Overview

Finding ID: SRG-OS-000148-ESXI5-PNF
Version: SRG-OS-000148-ESXI5-PNF
Rule ID: SRG-OS-000148-ESXI5-PNF_rule
IA Controls: (none listed)
Severity: Medium
Description
This control enhancement is implemented within the remote device (e.g., a notebook/laptop computer) via configuration settings that are not configurable by the user of the device. An example of a non-remote communications path from a remote device is a virtual private network. When a non-remote connection is established using a virtual private network, the configuration settings prevent split-tunneling. Split-tunneling might otherwise be used by remote users to communicate with the information system as an extension of the system and, at the same time, to communicate with local resources such as a printer or file server. Because the remote device, when connected by a non-remote connection, becomes an extension of the information system, allowing dual communications paths such as split-tunneling in effect allows unauthorized external connections into the system. This is a split-tunneling requirement that can be controlled via the operating system by disabling interfaces.

Applicable, but permanent not-a-finding: host (ESXi Server) isolation on a separate, non-routed management network is required. Access via VPN/split-tunneling would be granted at the OOB/management network boundary, prior to the server itself.
STIG: VMware ESXi v5 Security Technical Implementation Guide
Date: 2013-01-15

Details

Check Text (C-SRG-OS-000148-ESXI5-PNF_chk)
ESXi supports this requirement and cannot be configured to be out of compliance. This is a permanent not-a-finding.
Fix Text (F-SRG-OS-000148-ESXI5-PNF_fix)
This requirement is a permanent not-a-finding. No fix is required.