The system must ensure the dvPortgroup Promiscuous Mode policy is set to reject.

From VMware ESXi Server 5.0 Security Technical Implementation Guide

Part of ESXI5-VMNET

Associated with: CCI-000366

SV-51234r2_rule The system must ensure the dvPortgroup Promiscuous Mode policy is set to reject.

Vulnerability discussion

When promiscuous mode is enabled for a dvPortgroup, all virtual machines connected to the dvPortgroup have the potential of reading all packets across that network, meaning only the virtual machines connected to that dvPortgroup. Promiscuous mode is disabled by default on the ESXi Server, and this is the recommended setting. However, there might be a legitimate reason to enable it for debugging, monitoring or troubleshooting reasons. Security devices might require the ability to see all packets on a vSwitch. An exception should be made for the dvPortgroups that these applications are connected to, in order to allow for full-time visibility to the traffic on that dvPortgroup.

Check content

If a vNetwork Distributed Switch (vDS) is not configured, this is not applicable. If the dvPortgroup contains only security devices that continuously monitor all dvPortgroup traffic switch packets, this check is not a finding. From the vSphere Client/vCenter Server as administrator: Go to Home >> Inventory >> Hosts and clusters. Select each ESXi host with active virtual switches connected to active VMs requiring securing. Go to tab Home >> Inventory >> Networking. Individually select each dvPortgroup, then go to tab Summary >>Edit Settings >>Policies >> Security. Verify "Promiscuous Mode" = "Reject". If the "Promiscuous Mode" parameter is not set to "Reject", this is a finding.

Fix text

From the vSphere Client/vCenter Server as administrator: Go to Home >> Inventory >> Hosts and clusters. Select each ESXi host with active virtual switches connected to active VMs requiring securing. Go to tab Home >> Inventory >> Networking. Individually select each dvPortgroup, then go to tab Summary >> Edit Settings >> Policies >> Security. Set the "Promiscuous Mode" keyword to "Reject".

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer