V-258759

Discussion

Virtual machines (VMs) might share virtual switches and VLANs with the IP-based storage configurations. IP-based storage includes vSAN, iSCSI, and NFS. This configuration might expose IP-based storage traffic to unauthorized VM users. IP-based storage frequently is not encrypted. It can be viewed by anyone with access to this network. To restrict unauthorized users from viewing the IP-based storage traffic, the IP-based storage network must be logically separated from any other traffic. Configuring the IP-based storage adaptors on separate VLANs or network segments from other VMkernels and VMs will limit unauthorized users from viewing the traffic.

Check Content

If IP-based storage is not used, this is not applicable.

From the vSphere Client, go to Hosts and Clusters.

Select the ESXi Host >> Configure >> Networking >> VMkernel adapters.

Review each VMkernel adapter that is used for IP-based storage traffic and view the "Enabled services".

Review the VLAN associated with each VMkernel that is used for IP-based storage traffic. Verify with the system administrator that they are dedicated for that purpose and are logically separated from other functions.

If any services are enabled on an NFS or iSCSI IP-based storage VMkernel adapter, this is a finding.

If any services are enabled on a vSAN VMkernel adapter other than vSAN, this is a finding.

If any IP-based storage networks are not isolated from other traffic types, this is a finding.