The ESXi host must protect the confidentiality and integrity of transmitted information by protecting ESXi management traffic.
An XCCDF Rule
Description
<VulnDiscussion>The vSphere management network provides access to the vSphere management interface on each component. Services running on the management interface provide an opportunity for an attacker to gain privileged access to the systems. Any remote attack most likely would begin with gaining entry to this network. The Management VMkernel port group can be on a standard or distributed virtual switch but must be on a dedicated VLAN. The Management VLAN must not be shared by any other function and must not be accessible to anything other than management-related functions such as vCenter.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-256412r919022_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
From the vSphere Client, go to Hosts and Clusters.
Select the ESXi Host >> Configure >> Networking >> VMkernel adapters.
Select the Management VMkernel and click "Edit...". On the "Port" properties tab, uncheck all services except "Management". Click "OK".