STIGQter: STIG Summary: VMware vSphere 6.7 vCenter Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 09 Mar 2021: STIGQter: STIG Summary: VMware vSphere 6.7 vCenter Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 09 Mar 2021:SV-243108r719567_rule
V-243108
SRG-APP-000516
VCTR-67-000052
CAT II
10
Configuration of an IP-based VMkernel will be unique to each environment but, for example, to modify the IP address and VLAN information to the correct network on a standard switch for an iSCSI VMkernel, do the following:
From the vSphere Client, select the ESXi host and go to Configure >> Networking >> VMkernel adapters.
Select the Storage VMkernel (for any IP-based storage) and click the "Edit" button.
On the Port properties tab, uncheck everything (unless vSAN).
On the IP Settings tab, enter the appropriate IP address and subnet information and click "OK".
To configure a standard switch, from the vSphere Client, select the ESXi host and go to Configure >> Networking >> Virtual switches.
Select a standard switch.
For each storage port group (iSCSI, NFS, vSAN), select the port group and click the "Edit" button.
On the properties page, enter the appropriate VLAN ID and click "OK".
To configure a distributed switch, from the vSphere Client, go to Networking.
Select and expand a distributed switch.
For each storage port group (iSCSI, NFS, vSAN), select the port group and navigate to Configure >> Settings >> Properties.
Click the "Edit" button.
On the VLAN page, enter the appropriate VLAN type and ID and click "OK".
If IP-based storage is not used, this is not applicable.
IP-based storage (iSCSI, NFS, vSAN) VMkernel port groups must be in a dedicated VLAN that can be on a standard or distributed virtual switch that is logically separated from other traffic types. The check for this will be unique per environment.
To check a standard switch, from the vSphere Client select the ESXi host and go to Configure >> Networking >> Virtual switches.
Select a standard switch. For each storage port group (iSCSI, NFS, vSAN), select the port group and click the "Details" button.
Note the VLAN ID associated with each port group and verify that it is dedicated to that purpose and is logically separated from other traffic types.
To check a distributed switch, from the vSphere Client go to Networking >> select and expand a distributed switch.
For each storage port group (iSCSI, NFS, vSAN), select the port group and navigate to the "Summary" tab.
Note the VLAN ID associated with each port group and verify that it is dedicated to that purpose and is logically separated from other traffic types.
If any IP-based storage networks are not isolated from other traffic types, this is a finding.
V-243108
False
VCTR-67-000052
If IP-based storage is not used, this is not applicable.
IP-based storage (iSCSI, NFS, vSAN) VMkernel port groups must be in a dedicated VLAN that can be on a standard or distributed virtual switch that is logically separated from other traffic types. The check for this will be unique per environment.
To check a standard switch, from the vSphere Client select the ESXi host and go to Configure >> Networking >> Virtual switches.
Select a standard switch. For each storage port group (iSCSI, NFS, vSAN), select the port group and click the "Details" button.
Note the VLAN ID associated with each port group and verify that it is dedicated to that purpose and is logically separated from other traffic types.
To check a distributed switch, from the vSphere Client go to Networking >> select and expand a distributed switch.
For each storage port group (iSCSI, NFS, vSAN), select the port group and navigate to the "Summary" tab.
Note the VLAN ID associated with each port group and verify that it is dedicated to that purpose and is logically separated from other traffic types.
If any IP-based storage networks are not isolated from other traffic types, this is a finding.
M
5399