From VMware ESXi Server 5.0 Security Technical Implementation Guide
Part of ESXI5-VMNET
Associated with: CCI-000366
When promiscuous mode is enabled for a virtual switch, every virtual machine connected to the dvPortgroup can potentially read all packets crossing that network. The exposure is limited to the virtual machines connected to that dvPortgroup. Promiscuous mode is disabled by default on the ESXi Server.
Use the vSphere Client to connect to the vCenter Server and, as administrator: Go to "Home >> Inventory >> Hosts and clusters". Select each ESXi host with active virtual switches connected to active VMs requiring securing. Go to the tab "Configuration >> Network >> vSwitch(?) >> Properties >> Ports >> vSwitch >> Default Policies >> Security". Check that "Promiscuous Mode" is set to "Reject". If "Promiscuous Mode" is not set to "Reject", this is a finding.
From the vSphere Client/vCenter Server as administrator: Go to "Home >> Inventory >> Hosts and clusters". Select each ESXi host with active virtual switches connected to active VMs requiring securing. Go to tab "Configuration >> Network >> vSwitch(?) >> Properties >> Ports >> vSwitch >> Default Policies >> Security". Set "Promiscuous Mode" = "Reject".
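The same check can be scripted from the ESXi shell instead of the vSphere Client. The script below is an added example, not part of the STIG text: it evaluates text in the layout printed by `esxcli network vswitch standard policy security get -v <vSwitch>`, and it fails closed when the setting is missing. The function names, the "Allow Promiscuous" key layout and the sample blocks are assumptions made for this example.

```shell
#!/bin/sh
# Added example: evaluates the "Promiscuous Mode = Reject" check from text in
# the layout printed by
#   esxcli network vswitch standard policy security get -v <vSwitch>
# The "Allow Promiscuous" key layout and the sample text are assumptions.

# promisc_status: reads one policy block on stdin.
# Prints REJECT, ACCEPT, or UNKNOWN (key missing or unexpected value).
promisc_status() {
    awk -F': *' '
        /^[ \t]*Allow Promiscuous:/ {
            v = tolower($2); gsub(/[ \t\r]/, "", v)
            if (v == "false") s = "REJECT"
            else if (v == "true") s = "ACCEPT"
            else s = "UNKNOWN"
            found = 1
        }
        END { print (found ? s : "UNKNOWN") }
    '
}

# audit_switch NAME: reads that switch's policy block on stdin, prints one
# result line, returns 1 on a finding. A missing key fails closed.
audit_switch() {
    status=$(promisc_status)
    if [ "$status" = "REJECT" ]; then
        echo "OK       $1 promiscuous=Reject"
        return 0
    fi
    echo "FINDING  $1 promiscuous=$status"
    return 1
}

# Constructed sample policy blocks (not captured from a real host).
SAMPLE_OK='   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true'
SAMPLE_BAD='   Allow Promiscuous: true
   Allow MAC Address Change: true
   Allow Forged Transmits: true'
SAMPLE_TRUNCATED='   Allow MAC Address Change: true'

# Demo on the constructed samples. On a host, feed live output instead:
#   esxcli network vswitch standard policy security get -v vSwitch0 | audit_switch vSwitch0
printf '%s\n' "$SAMPLE_OK"  | audit_switch vSwitch0
printf '%s\n' "$SAMPLE_BAD" | audit_switch vSwitch1 || true
```

This covers the vSwitch default policy only, which is the setting the check above inspects.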