Do not use promiscuous mode on network interfaces

Promiscuous mode on a vSwitch is the equivalent of setting up a SPAN or mirror port on a physical switch: any VM on that switch can see every frame passing through it, not just the traffic addressed to it. Leaving it enabled therefore has security as well as performance implications. Unless it is specifically required (for example by a network monitoring appliance), it is recommended that this feature be turned off.

To disable this feature you need to perform the following steps:

1. Log in to VirtualCenter or your ESX host using the VI Client
2. Select the Configuration tab for your ESX host
3. Select Networking from the Hardware pane
4. Select Properties for the vSwitch you wish to change
5. Select Edit from the Ports tab
6. Select the Security tab
7. Change the setting for Promiscuous Mode to Reject.
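The same change can be scripted so it is applied consistently across every vSwitch on a host rather than clicked through one at a time. The following PowerCLI script is an added example and is not from the original post; it assumes the VMware PowerCLI module is installed, and the server and host names are placeholders for your own environment. It also checks port groups, because a port group can override the vSwitch setting and silently re-enable promiscuous mode.

```powershell
# Added example (not from the original post): PowerCLI equivalent of the
# VI Client steps above. Server and host names are placeholders.
param(
    [string]$Server   = 'vcenter.example.invalid',   # placeholder
    [string]$HostName = 'esx01.example.invalid'      # placeholder
)

Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server $Server | Out-Null

$vmhost = Get-VMHost -Name $HostName

foreach ($vswitch in Get-VirtualSwitch -VMHost $vmhost -Standard) {
    # vSwitch-level policy: this is the setting changed in step 7 above
    $policy = Get-SecurityPolicy -VirtualSwitch $vswitch
    if ($policy.AllowPromiscuous) {
        Write-Warning "$($vswitch.Name): promiscuous mode is Accept; setting to Reject"
        Set-SecurityPolicy -VirtualSwitchPolicy $policy -AllowPromiscuous $false | Out-Null
    }

    # Port groups can override the vSwitch policy, so check each one too.
    # A $null value means the port group inherits from the vSwitch.
    foreach ($pg in Get-VirtualPortGroup -VirtualSwitch $vswitch) {
        $pgPolicy = Get-SecurityPolicy -VirtualPortGroup $pg
        if ($pgPolicy.AllowPromiscuous -eq $true) {
            Write-Warning "$($vswitch.Name)/$($pg.Name): port group overrides to Accept; setting to Reject"
            Set-SecurityPolicy -VirtualPortGroupPolicy $pgPolicy -AllowPromiscuous $false | Out-Null
        }
    }
}

Disconnect-VIServer -Server $Server -Confirm:$false
```

Run it once per host, or wrap the host lookup in a loop over `Get-VMHost` to cover a whole VirtualCenter inventory. If a monitoring VM genuinely needs promiscuous mode, set it to Accept on a dedicated port group for that VM only, and leave the vSwitch itself at Reject.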



1. Segregation of duties: ensure that you assign the appropriate security roles and permissions for access to your VC, ESX hosts and VM guests.
2. Audit, secure and lock down the VC database.
3. Disable direct root logins for each of your ESX servers.
4. Ensure that the ESX firewall is enabled and configured correctly; disable ports that are not required.
5. Ensure you have adequate logging enabled, and enable remote logging to a syslog server.
6. Assess the security of each VM based on its function and network location (e.g. email, DMZ), and apply the security measures appropriate for the zone it is in.
7. Make sure that the ESX host and all VM guests are patched to the latest levels.
8. Apply the same basic security controls to your VMs as you would in the physical world, e.g. anti-virus.
9. Segment network access within your vSwitches and apply all security measures, such as disabling promiscuous mode.
10. Regularly audit and assess the security configuration of your virtual environment.
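Item 10 is easier to keep up with when the checks for items 4, 5 and 9 are collected into one read-only report. The PowerCLI script below is an added example, not part of the original list; it assumes the VMware PowerCLI module is installed, and the server name and output path are placeholders. It changes nothing on the hosts; it only records which firewall exceptions are open, whether remote syslog is configured, and the three vSwitch security flags, so deviations can be reviewed before anything is remediated.

```powershell
# Added example (not from the original post): read-only audit of ESX hosts
# for firewall exceptions, remote syslog and vSwitch security policy.
param([string]$Server = 'vcenter.example.invalid')   # placeholder

Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server $Server | Out-Null

$report = foreach ($vmhost in Get-VMHost) {
    # Item 5: remote syslog targets; an empty value means logs stay on the host only
    $syslog = (Get-VMHostSysLogServer -VMHost $vmhost |
               ForEach-Object { "$($_.Host):$($_.Port)" }) -join ','

    # Item 4: firewall exceptions currently enabled on this host
    $openRules = (Get-VMHostFirewallException -VMHost $vmhost -Enabled $true |
                  Select-Object -ExpandProperty Name) -join ','

    # Item 9: security policy of every standard vSwitch, all three flags
    foreach ($vswitch in Get-VirtualSwitch -VMHost $vmhost -Standard) {
        $sec = Get-SecurityPolicy -VirtualSwitch $vswitch
        [pscustomobject]@{
            Host             = $vmhost.Name
            vSwitch          = $vswitch.Name
            AllowPromiscuous = $sec.AllowPromiscuous
            MacChanges       = $sec.MacChanges
            ForgedTransmits  = $sec.ForgedTransmits
            RemoteSyslog     = $syslog
            OpenFirewall     = $openRules
        }
    }
}

# Show everything, then save only the rows that need attention
$report | Format-Table -AutoSize
$report | Where-Object { $_.AllowPromiscuous -or -not $_.RemoteSyslog } |
    Export-Csv -Path '.\vsphere-security-findings.csv' -NoTypeInformation   # placeholder path

Disconnect-VIServer -Server $Server -Confirm:$false
```

Schedule it from a management workstation and diff the CSV against the previous run; a vSwitch that flips to Accept or a host whose syslog target disappears shows up as a new row rather than being buried in a full inventory dump.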
