Skip to content

The vCenter Server must have Mutual Challenge Handshake Authentication Protocol (CHAP) configured for vSAN Internet Small Computer System Interface (iSCSI) targets.

An XCCDF Rule

Description

<VulnDiscussion>When enabled, vSphere performs bidirectional authentication of both the iSCSI target and host. When not authenticating both the iSCSI target and host, the potential exists for a man-in-the-middle attack in which an attacker might impersonate either side of the connection to steal data. Bidirectional authentication mitigates this risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID
SV-256366r885709_rule
Severity
Medium
References
Updated



Remediation - Manual Procedure

From the vSphere Client, go to Host and Clusters. 

Select a vSAN Enabled Cluster >> Configure >> vSAN >> iSCSI Target Service.

For each iSCSI target, select the item and click "Edit".