
The system must enable bidirectional CHAP authentication for iSCSI traffic.


Overview

Finding ID: SRG-OS-99999-ESXI5-000141
Version: SRG-OS-99999-ESXI5-000141
Rule ID: SRG-OS-99999-ESXI5-000141_rule
IA Controls: (none listed)
Severity: Low
Description
When enabled, vSphere performs bidirectional CHAP authentication: the iSCSI target authenticates the host, and the host authenticates the target. If only one side (or neither) is authenticated, a man-in-the-middle (MitM) attacker on the storage network could impersonate the unauthenticated side of the connection to steal data. Bidirectional authentication mitigates this risk. Note that CHAP only authenticates the endpoints when the session is established; it does not encrypt or integrity-protect the iSCSI data stream, so the storage network should still be isolated from untrusted hosts.
STIG: VMware ESXi v5 Security Technical Implementation Guide
Date: 2013-01-15

Details

Check Text (C-SRG-OS-99999-ESXI5-000141_chk)
This check applies to the use of iSCSI storage. If iSCSI storage is not used, this check is not applicable.
In the vSphere Client, select the host, and then choose: Configuration >> Storage Adapters >> iSCSI Initiator Properties >> CHAP. Under "CHAP (Target Authenticates Host)", determine whether "Use CHAP" is selected with a "Name" and a "Secret" configured. Under "Mutual CHAP (Host Authenticates Target)", determine whether "Use CHAP" is also selected with a "Name" and a "Secret" configured; this second setting is what makes the authentication bidirectional. The weaker options ("Do not use CHAP unless required by target", "Use CHAP unless prohibited by target") allow the session to fall back to unauthenticated access and do not satisfy this check.
If iSCSI storage is used and "Use CHAP" is not selected and configured with a "Name" and a "Secret" in both sections, this is a finding.
Fix Text (F-SRG-OS-99999-ESXI5-000141_fix)
In the vSphere Client, select the host, and then choose: Configuration >> Storage Adapters >> iSCSI Initiator Properties >> CHAP. Under "CHAP (Target Authenticates Host)", select "Use CHAP" and configure the "Name" and "Secret" options. Under "Mutual CHAP (Host Authenticates Target)", select "Use CHAP" and configure the "Name" and "Secret" options, using a secret that differs from the one-way CHAP secret (ESXi requires the two secrets to be different). The matching names and secrets must also be configured on the iSCSI target. The new settings apply to new sessions, so rescan the adapter afterwards and confirm that the targets reconnect.
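The check and fix above are described as vSphere Client steps. The following PowerCLI script is an added example, not part of the STIG or of VMware's documentation, that performs the same audit for every iSCSI adapter on a host and optionally applies the fix. It assumes VMware PowerCLI is installed, that Connect-VIServer has already been run, and that the host name, CHAP names and secrets are placeholders supplied by the operator; the mapping of the client's "Use CHAP" option to the PowerCLI ChapType value Required is the author's reading of the two interfaces.

```powershell
# Added example, not part of the STIG: audit (and optionally remediate) bidirectional
# CHAP on every iSCSI adapter of an ESXi host with VMware PowerCLI.
# Assumptions: PowerCLI is installed, Connect-VIServer has already been run against
# vCenter or the host, and the CHAP names/secrets are placeholders you replace.
param(
    [Parameter(Mandatory)] [string] $HostName,
    [Parameter(Mandatory)] [string] $ChapName,          # identity the target checks (host -> target)
    [Parameter(Mandatory)] [string] $ChapSecret,
    [Parameter(Mandatory)] [string] $MutualChapName,    # identity the host checks (target -> host)
    [Parameter(Mandatory)] [string] $MutualChapSecret,
    [switch] $Remediate
)

# ESXi requires different secrets for CHAP and mutual CHAP; reject the mistake up front.
if ($ChapSecret -eq $MutualChapSecret) {
    throw 'The mutual CHAP secret must differ from the one-way CHAP secret.'
}

$vmhost = Get-VMHost -Name $HostName -ErrorAction Stop
$hbas   = @(Get-VMHostHba -VMHost $vmhost -Type iScsi)

# Check text: if iSCSI storage is not used, the rule is not applicable.
if ($hbas.Count -eq 0) {
    Write-Output "${HostName}: no iSCSI adapters found, check not applicable"
    return
}

foreach ($hba in $hbas) {
    $auth = $hba.AuthenticationProperties

    # ChapType 'Required' is the PowerCLI equivalent of the client's "Use CHAP";
    # 'Preferred' and 'Discouraged' allow fallback to an unauthenticated session and
    # therefore do not satisfy the rule. Both directions need a name configured.
    $oneWayOk = ($auth.ChapType -eq 'Required') -and -not [string]::IsNullOrEmpty($auth.ChapName)
    $mutualOk = $auth.MutualChapEnabled -and -not [string]::IsNullOrEmpty($auth.MutualChapName)

    if ($oneWayOk -and $mutualOk) {
        Write-Output "$HostName $($hba.Device): compliant (ChapType=$($auth.ChapType), MutualChapEnabled=$($auth.MutualChapEnabled))"
        continue
    }

    Write-Output "$HostName $($hba.Device): FINDING (ChapType=$($auth.ChapType), MutualChapEnabled=$($auth.MutualChapEnabled))"
    if (-not $Remediate) { continue }

    # Fix text, applied at the adapter level so every target inherits it unless overridden.
    Set-VMHostHba -IScsiHba $hba `
        -ChapType Required -ChapName $ChapName -ChapPassword $ChapSecret `
        -MutualChapEnabled $true -MutualChapName $MutualChapName -MutualChapPassword $MutualChapSecret |
        Out-Null

    # New settings apply to new sessions; rescan so the adapter logs in again with CHAP.
    Get-VMHostStorage -VMHost $vmhost -RescanAllHba | Out-Null
    Write-Output "$HostName $($hba.Device): remediated; verify the target accepts the new credentials"
}
```

Run it without -Remediate first to see which adapters would be findings, and configure the target side before applying the fix, or the rescan will simply fail to log in. Two practical caveats: independent hardware iSCSI adapters support only one-way CHAP, so mutual CHAP cannot be set on them and an exception for those devices should be documented; and secrets passed as plain command-line parameters end up in shell history, so in production take them from a vault or Read-Host -AsSecureString rather than typing them on the command line. For a single host without vCenter, the same settings can be made from the ESXi shell with esxcli iscsi adapter auth chap set, once with direction uni and once with direction mutual.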