Rule ID
SV-258964r961863_rule
Version
V2R3
CCIs
CCI-000366
The vSphere Distributed Virtual Switch can participate in Cisco Discovery Protocol (CDP) or Link Layer Discovery Protocol (LLDP), as a listener, advertiser, or both. The information is sensitive, including IP addresses, system names, software versions, and more. It can be used by an adversary to gain a better understanding of your environment, and to impersonate devices. It is also transmitted unencrypted on the network, and as such the recommendation is to disable it.
If distributed switches are not used, this is not applicable. From the vSphere Client, go to "Networking". Select a distributed switch >> Configure >> Settings >> Properties. Review the "Discovery Protocol" configuration. or From a PowerCLI command prompt while connected to the vCenter server, run the following command: Get-VDSwitch | Select Name,LinkDiscoveryProtocolOperation If any distributed switch does not have "Discovery Protocols" disabled, this is a finding.
From the vSphere Client, go to "Networking". Select a distributed switch >> Configure >> Settings >> Properties. Click "Edit". Select the advanced tab and update the "Type" under "Discovery Protocol" to disabled and click "OK". or From a PowerCLI command prompt while connected to the vCenter server, run the following command: Get-VDSwitch -Name "DSwitch" | Set-VDSwitch -LinkDiscoveryProtocolOperation "Disabled"