From VMware ESXi Server 5.0 Security Technical Implementation Guide
Part of SRG-OS-99999-ESXI5
Associated with: CCI-000366
If products that use the dvfilter network API are not used, the host should not be configured to send network information to a VM. If the API is enabled, an attacker might attempt to connect a VM to it, thereby potentially providing access to the network of other VMs on the host.
From the vSphere client select the host and click "Configuration >> Advanced Settings >> Net" and verify the value of Net.DVFilterBindIpAddress. For a host without a dvfilter-based network security appliance, the following kernel parameter value must be blank/empty: /Net/DVFilterBindIpAddress. For a host with a dvfilter-based network security appliance is being used, the value of this parameter must be set to match the appliance. If a dvfilter-based network security appliance is not used and the kernel parameter /Net/DVFilterBindIpAddress is populated, this is a finding. If a dvfilter-based network security appliance is used and the kernel parameter /Net/DVFilterBindIpAddress does not match the appliance, this is a finding.
From the vSphere client select the host and click "Configuration >> Advanced Settings >> Net" Set the value of Net.DVFilterBindIpAddress to blank if a dvfilter-based network security appliance is not used or (where used) set the value of Net.DVFilterBindIpAddress to match the dvfilter-based network security appliance.
Lavender hyperlinks in small type off to the right (of CSS
class id
, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle
or
Accept: application/rdf+xml
.
Powered by sagemincer