Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-258969 | VCSA-80-000304 | SV-258969r961863_rule | Medium |
Description |
---|
Transit encryption must be enabled to prevent unauthorized disclosure information and to protect the confidentiality of organizational information. vSAN data-in-transit encryption has the following characteristics: -vSAN uses AES-256 bit encryption on data in transit. -Forward secrecy is enforced for vSAN data-in-transit encryption. -Traffic between data hosts and witness hosts is encrypted. -File service data traffic between the VDFS proxy and VDFS server is encrypted. -vSAN file services inter-host connections are encrypted. -vSAN uses symmetric keys that are generated dynamically and shared between hosts. Hosts dynamically generate an encryption key when they establish a connection, and they use the key to encrypt all traffic between the hosts. You do not need a key management server to perform data-in-transit encryption. Each host is authenticated when it joins the cluster, ensuring connections only to trusted hosts are allowed. When a host is removed from the cluster, it is authentication certificate is removed. vSAN data-in-transit encryption is a cluster-wide setting. When enabled, all data and metadata traffic is encrypted as it transits across hosts. |
STIG | Date |
---|---|
VMware vSphere 8.0 vCenter Security Technical Implementation Guide | 2024-07-11 |
Check Text ( C-62709r934563_chk ) |
---|
If no clusters are enabled for vSAN, this is not applicable. From the vSphere Client, go to Host and Clusters. Select the vCenter Server >> Select the cluster >> Configure >> vSAN >> Services >> Data Services. Review the "Data-in-transit encryption" status. or From a PowerCLI command prompt while connected to the vCenter server, run the following commands: $vsanclusterconf = Get-VsanView -Id VsanVcClusterConfigSystem-vsan-cluster-config-system $vsanclusterconf.VsanClusterGetConfig((Get-Cluster -Name Repeat these steps for each vSAN enabled cluster in the environment. If "Data-In-Transit encryption" is not enabled, this is a finding. |
Fix Text (F-62618r934564_fix) |
---|
From the vSphere Client, go to Host and Clusters. Select the vCenter Server >> Select the target cluster >> Configure >> vSAN >> Services >> Data Services. Click "Edit". Enable "Data-In-Transit encryption" and choose a rekey interval suitable for the environment then click "Apply". |