Details
When enabled, vSphere performs bidirectional authentication of both the iSCSI target and host. There is a potential for a MiTM attack, when not authenticating both the iSCSI target and host, in which an attacker might impersonate either side of the connection to steal data. Bidirectional authentication mitigates this risk.
Solution
From the vSphere Client, select the ESXi host and go to Configure >> Storage >> Storage Adapters.
Select the iSCSI adapter >> Properties >> Authentication and click the ‘Edit’ button.
Set Authentication method to ‘Use bidirectional CHAP’ and enter a unique secret for each traffic flow direction.
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-VMHostHba | Where {$_.Type -eq ‘iscsi’} | Set-VMHostHba -ChapType Required -ChapName ‘chapname’ -ChapPassword ‘password’ -MutualChapEnabled $true -MutualChapName ‘mutualchapname’ -MutualChapPassword ‘mutualpassword’
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system VMware.
References
- 800-53|CM-6b.
- CAT|III
- CCI|CCI-000366
- Rule-ID|SV-239308r674853_rule
- STIG-ID|ESXI-67-000054
- STIG-Legacy|SV-104141
- STIG-Legacy|V-94055
- Vuln-ID|V-239308