Rule ID
SV-258965r961863_rule
Version
V2R3
CCIs
CCI-000366
Discussion
The vSphere Distributed Virtual Switch can enable port mirroring sessions, allowing traffic to be mirrored from one source to a destination. If a port mirroring session is configured without the administrator's knowledge, it could allow an attacker to observe the network traffic of virtual machines.
Check Text
If distributed switches are not used, this is not applicable.
From the vSphere Client, go to "Networking".
Select a distributed switch >> Configure >> Settings >> Port Mirroring.
Review any configured "Port Mirroring" sessions.
or
From a PowerCLI command prompt while connected to the vCenter server, run the following command:
Get-VDSwitch | select Name,@{N="Port Mirroring Sessions";E={$_.ExtensionData.Config.VspanSession.Name}}
If there are any unauthorized port mirroring sessions configured, this is a finding.
Fix Text
From the vSphere Client, go to "Networking".
Select a distributed switch >> Configure >> Settings >> Port Mirroring.
Select the unauthorized "Port Mirroring" session and click "Remove". Click "OK".
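The one-liner in the check lists only session names. The following PowerCLI script is an added audit example, not part of the STIG text or of VMware's tooling, that extends the same check: it walks every distributed switch, reads the same ExtensionData.Config.VspanSession list, and marks each session as Authorized or FINDING against an allowlist. It assumes PowerCLI is installed and Connect-VIServer has already been run against the vCenter; the allowlist entry and the function name are constructed placeholders, and the Enabled and SessionType fields are standard properties of the vSphere VMwareVspanSession object.

```powershell
# Added audit example for the port mirroring STIG check (not the STIG's or VMware's own code).
# Assumes PowerCLI is installed and Connect-VIServer has already been run.
# The allowlist below is a constructed placeholder; populate it from your change records.

$AuthorizedSessions = @(
    'SOC-IDS-Tap'   # constructed example name of an approved session
)

function Get-VDSwitchPortMirrorFindings {
    param(
        [string[]]$Authorized = $AuthorizedSessions
    )

    # The rule is not applicable when no distributed switches exist.
    $switches = Get-VDSwitch
    if (-not $switches) {
        Write-Host 'No distributed switches found; this rule is not applicable.'
        return
    }

    foreach ($vds in $switches) {
        # VspanSession is the API-level list of port mirroring sessions on the switch,
        # the same property the STIG check command reads.
        $sessions = $vds.ExtensionData.Config.VspanSession

        if (-not $sessions) {
            [pscustomobject]@{
                Switch      = $vds.Name
                Session     = '<none>'
                Enabled     = $null
                SessionType = $null
                Status      = 'Compliant'
            }
            continue
        }

        foreach ($s in $sessions) {
            # Any session not on the allowlist is reported as a finding, whether or not
            # it is currently enabled: a disabled but unexplained session still needs review.
            $status = if ($Authorized -contains $s.Name) { 'Authorized' } else { 'FINDING' }
            [pscustomobject]@{
                Switch      = $vds.Name
                Session     = $s.Name
                Enabled     = $s.Enabled
                SessionType = $s.SessionType
                Status      = $status
            }
        }
    }
}

# Usage: run after Connect-VIServer; review every row whose Status is FINDING,
# then remove those sessions as described in the Fix Text above.
Get-VDSwitchPortMirrorFindings | Format-Table -AutoSize
```

Matching on session name alone is deliberate so the script stays in step with the STIG's own check; if your environment records the mirroring destination as part of the authorization, extend the allowlist to compare DestinationPort as well before treating a name match as sufficient.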