The ESXi host must protect the confidentiality and integrity of transmitted information by isolating ESXi management traffic.
An XCCDF Rule
Description
<VulnDiscussion>The vSphere management network provides access to the vSphere management interface on each component. Services running on the management interface provide an opportunity for an attacker to gain privileged access to the systems. Any remote attack most likely would begin with gaining entry to this network. The Management VMkernel port group can be on a standard or distributed virtual switch but must be on a dedicated VLAN. The Management VLAN must not be shared by any other function and must not be accessible to anything other than management-related functions such as vCenter.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-258758r933335_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Configuration of the management VMkernel will be unique to each environment.
For example, to modify the IP address and VLAN information to the correct network on a distributed switch, do the following:
From the vSphere Client, go to Hosts and Clusters.