Details
http://pubs.vmware.com/vsphere-51/topic/com.vmware.wssdk.apiref.doc/vim.host.NetworkPolicy.SecurityPolicy.html
Solution
1. Verify by using the vSphere Client to connect to the vCenter Server and logging in as
an administrator.
2. Go to ‘Home > Inventory > Networking’.
3. Select each dvPortgroup connected to active VMs requiring securing.
4. Go to tab ‘Summary > Edit Settings > Policies > Security’.
5. Configure ‘Promiscuous Mode’ = ‘Reject’.
Impact: Security devices that require the ability to see all packets on a vSwitch will not operate
properly if the Promiscuous Mode parameter is set to Reject.
Default Value: Promiscuous mode is disabled by default. This is the prescribed setting.
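The same check can be scripted across every dvPortgroup instead of clicking through each one. The following is an added example, not part of the original guidance; it assumes VMware PowerCLI with the distributed switch cmdlets is installed and that `Connect-VIServer` has already been run as an administrator. The `-Remediate` switch is a name chosen for this script.

```powershell
# Added example: audit (and optionally fix) Promiscuous Mode on dvPortgroups.
# Assumes an existing Connect-VIServer session to the vCenter Server.
param(
    [switch]$Remediate   # script-specific switch: also set Promiscuous Mode to Reject
)

Import-Module VMware.VimAutomation.Vds -ErrorAction Stop

# Uplink portgroups carry the physical uplinks rather than VM ports; skip them.
$portgroups = Get-VDPortgroup | Where-Object { -not $_.IsUplink }

$findings = foreach ($pg in $portgroups) {
    $policy = $pg | Get-VDSecurityPolicy
    [pscustomobject]@{
        VDSwitch         = $pg.VDSwitch.Name
        Portgroup        = $pg.Name
        AllowPromiscuous = $policy.AllowPromiscuous
        Compliant        = -not $policy.AllowPromiscuous   # Reject == $false
        Policy           = $policy                          # kept for remediation
    }
}

# Non-compliant portgroups sort first.
$findings |
    Sort-Object Compliant, VDSwitch, Portgroup |
    Select-Object VDSwitch, Portgroup, AllowPromiscuous, Compliant |
    Format-Table -AutoSize

if ($Remediate) {
    foreach ($f in $findings | Where-Object { -not $_.Compliant }) {
        # -Confirm prompts per portgroup, so a portgroup that feeds a
        # packet-inspecting security device can be left as a documented exception.
        $f.Policy | Set-VDSecurityPolicy -AllowPromiscuous $false -Confirm
    }
}
```

Run it without `-Remediate` first to get the compliance report, and review any portgroup reported as non-compliant against the Impact note before changing it.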
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: VMware.