STIGQter STIGQter: STIG Summary: VMware vSphere 6.7 ESXi Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 09 Mar 2021:

The ESXi host must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.

DISA Rule

SV-239305r674844_rule

Vulnerability Number

V-239305

Group Title

SRG-OS-000423-VMM-001700

Rule Version

ESXI-67-000050

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configuration of an IP-Based VMkernel will be unique to each environment. However, as an example, to modify the IP address and VLAN information to the correct network on a standard switch for an iSCSI VMkernel, do the following:

vSAN Example:
From the vSphere Client, select the ESXi host and go to Configure >> Networking >> VMkernel adapters.

Select the dedicated vSAN VMkernel adapter and click Edit settings.

On the Port properties tab, uncheck everything but "vSAN".

On the IP Settings tab, enter the appropriate IP address and subnet information and click "OK".

Set the appropriate VLAN ID by navigating to Configure >> Networking >> Virtual switches.

Select the appropriate portgroup (iSCSI, NFS, vSAN) and click Edit settings.

On the properties tab, enter the appropriate VLAN ID and click "OK".

Check Contents

If IP-based storage is not used, this is Not Applicable.

Verify that IP-based storage (iSCSI, NFS, vSAN) VMkernel port groups are in a dedicated VLAN, which can be on a standard or distributed virtual switch that is logically separated from other traffic types. The check for this will be unique per environment.

From the vSphere Client, select the ESXi Host and go to Configure >> Networking >> VMkernel adapters.

Review the VLANs associated with any IP-based storage VMkernels and verify that each is dedicated to that purpose and logically separated from other functions.

If any IP-based storage networks are not isolated from other traffic types, this is a finding.
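The check above is performed by hand in the vSphere Client. As an added example (not part of the STIG or of STIGQter), the same logic is applied below to a constructed VMkernel inventory of the kind that can be exported from the vSphere Client or PowerCLI; adapter names, port group names, VLAN IDs and the list of storage port groups are assumptions. vSAN is identified by its service tag, while iSCSI and NFS adapters carry no service tag, so the operator supplies their port group names.

```python
# Constructed inventory (sample values, not from a real host): each VMkernel
# adapter with its port group, VLAN ID and the services enabled on it.
VMKERNELS = [
    {"name": "vmk0", "portgroup": "Management Network", "vlan": 10, "services": {"Management"}},
    {"name": "vmk1", "portgroup": "vMotion", "vlan": 20, "services": {"vMotion"}},
    {"name": "vmk2", "portgroup": "vSAN", "vlan": 30, "services": {"vSAN", "vMotion"}},
    {"name": "vmk3", "portgroup": "iSCSI-A", "vlan": 20, "services": set()},
    {"name": "vmk4", "portgroup": "NFS", "vlan": 40, "services": set()},
]
# VM-facing port groups on the same switches (constructed).
VM_PORTGROUPS = [{"name": "VM Network", "vlan": 10}]
# Assumed operator-maintained list of port groups that carry IP-based storage.
STORAGE_PORTGROUPS = {"vSAN", "iSCSI-A", "NFS"}


def storage_vmkernels(vmks, storage_pgs):
    """Adapters carrying IP-based storage: tagged for vSAN or on a storage port group."""
    return [v for v in vmks if "vSAN" in v["services"] or v["portgroup"] in storage_pgs]


def check_storage_isolation(vmks, vm_pgs, storage_pgs):
    """Return one finding string per violation; an empty list means compliant."""
    findings = []
    storage = storage_vmkernels(vmks, storage_pgs)
    storage_names = {v["name"] for v in storage}
    for s in storage:
        # Fix step: a storage adapter should carry no other service.
        extra = s["services"] - {"vSAN"}
        if extra:
            findings.append(f"{s['name']} ({s['portgroup']}) also carries {sorted(extra)}")
        # Check step: the storage VLAN must not be shared with other traffic types.
        sharers = [v["name"] for v in vmks
                   if v["name"] not in storage_names and v["vlan"] == s["vlan"]]
        sharers += [p["name"] for p in vm_pgs if p["vlan"] == s["vlan"]]
        if sharers:
            findings.append(f"{s['name']} VLAN {s['vlan']} is shared with {sharers}")
    return findings


if __name__ == "__main__":
    for line in check_storage_isolation(VMKERNELS, VM_PORTGROUPS, STORAGE_PORTGROUPS):
        print("FINDING:", line)
```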

Vulnerability Number

V-239305

Documentable

False

Rule Version

ESXI-67-000050

Severity Override Guidance

If IP-based storage is not used, this is Not Applicable.

Verify that IP-based storage (iSCSI, NFS, vSAN) VMkernel port groups are in a dedicated VLAN, which can be on a standard or distributed virtual switch that is logically separated from other traffic types. The check for this will be unique per environment.

From the vSphere Client, select the ESXi Host and go to Configure >> Networking >> VMkernel adapters.

Review the VLANs associated with any IP-based storage VMkernels and verify that each is dedicated to that purpose and logically separated from other functions.

If any IP-based storage networks are not isolated from other traffic types, this is a finding.

Check Content Reference

M

Target Key

5326

Comments