The ESXi host must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.

An XCCDF Rule

Description

Virtual machines (VMs) might share virtual switches and VLANs with the IP-based storage configurations. IP-based storage includes vSAN, iSCSI, and NFS. This configuration might expose IP-based storage traffic to unauthorized VM users. IP-based storage frequently is not encrypted. It can be viewed by anyone with access to this network. To restrict unauthorized users from viewing the IP-based storage traffic, the IP-based storage network must be logically separated from any other traffic. Configuring the IP-based storage adaptors on separate VLANs or network segments from other VMkernels and VMs will limit unauthorized users from viewing the traffic.

ID: SV-256413r958908_rule
Version: ESXI-70-000050
Severity: Medium
References: CCI-002418
Updated: about 2 months ago

Remediation Templates

Configuration of an IP-based VMkernel will be unique to each environment.

From the vSphere Client, go to Hosts and Clusters.

Select the ESXi Host >> Configure >> Networking >> VMkernel adapters.
Select the VMkernel used for IP-based storage and click "Edit...". On the "Port" properties tab, uncheck all services. Click "OK".

Note: For VMkernels used for vSAN, leave the vSAN service enabled and uncheck all others.

From the vSphere Client, go to Hosts and Clusters >> select the ESXi Host >> Configure >> Networking >> Virtual switches.

Find the port group that is dedicated to IP-based storage and click the "..." button next to the name. Click "Edit Settings".

On the "Properties" tab, change the "VLAN ID" to one dedicated for IP-based storage traffic. Click "OK".

The ESXi host must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.

Description

Remediation Templates

A Manual Procedure