2.2 Configure the ESXi host firewall to restrict access to services running on the host

Information

The ESXi firewall is enabled by default and allows ping (ICMP) and communication with
DHCP/DNS clients. Confirm that access to services is only allowed from authorized
IPs/networks to protect the host from outside attacks.

Rationale

Unrestricted access to services running on an ESXi host can expose a host to outside attacks
and unauthorized access. Reduce the risk by configuring the ESXi firewall to only allow
access from authorized networks.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Perform the following from the vSphere web client:
1. Select the host.
2. Go to 'Manage' -> 'Settings' -> 'System' -> 'Security Profile'.
3. In the 'Firewall' section select 'Edit...'.
4. For each enabled service (e.g. ssh, vSphere Web Access, http client), provide a range
of allowed IP addresses.
5. Click 'Ok'.

Impact: Only systems in the IP whitelist/ACL will be able to connect to services on the ESXi server.

Default Value: The prescribed state is not the default state.
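The same check and remediation can be scripted with esxcli, which is useful because the Nessus plugin does not perform this check itself. The script below is an added example, not part of the CIS benchmark or the Tenable audit text. It parses the output of `esxcli network firewall ruleset list` and `esxcli network firewall ruleset allowedip list` to find rulesets that are enabled and still accept connections from any source IP, then emits the esxcli commands that would restrict such a ruleset. The sample command outputs and the allowed networks (10.0.0.0/24, 192.168.10.5) are constructed for this example; on a real host the outputs come from the two esxcli commands and the networks must be replaced with the authorized management ranges.

```shell
#!/bin/sh
# Added example: audit ESXi firewall rulesets for "allow all" access and emit
# the esxcli commands that restrict them. Not part of the CIS benchmark or the
# Tenable audit. The two sample outputs below are CONSTRUCTED for this example;
# on an ESXi host they would be produced by:
#   esxcli network firewall ruleset list
#   esxcli network firewall ruleset allowedip list

# Constructed sample: which rulesets are enabled on the host.
RULESET_LIST='Name                    Enabled
----------------------  -------
sshServer                  true
sshClient                 false
httpClient                 true
webAccess                  true'

# Constructed sample: allowed source IPs per ruleset ("All" = unrestricted).
ALLOWEDIP_LIST='Ruleset                 Allowed IP Addresses
----------------------  --------------------
sshServer               All
sshClient               All
httpClient              All
webAccess               10.0.0.0/24, 192.168.10.5'

# Print, one per line, every ruleset that is enabled AND allows any source IP.
# $1 = "ruleset list" output, $2 = "ruleset allowedip list" output.
# Disabled rulesets (e.g. sshClient) are ignored: the firewall blocks them anyway.
find_unrestricted_rulesets() {
    printf '%s\n@@SEP@@\n%s\n' "$1" "$2" | awk '
        /^@@SEP@@$/ { section = 2; header = 0; next }   # switch to allowedip output
        { header++ }                                    # count lines within a section
        header <= 2 { next }                            # skip column header + underline
        section != 2 && $2 == "true" { enabled[$1] = 1 }
        section == 2 && enabled[$1] && $2 == "All" { print $1 }
    '
}

# Emit (not execute) the esxcli commands that restrict one ruleset to a list of
# allowed IPs/CIDRs. $1 = ruleset id, remaining args = allowed sources.
# The allowed sources are added BEFORE allowed-all is switched off, so the
# ruleset never passes through a state that blocks every client, including the
# vCenter server and the administrator's own workstation.
restrict_ruleset_commands() {
    rs=$1; shift
    for src in "$@"; do
        printf 'esxcli network firewall ruleset allowedip add --ruleset-id=%s --ip-address=%s\n' "$rs" "$src"
    done
    printf 'esxcli network firewall ruleset set --ruleset-id=%s --allowed-all=false\n' "$rs"
}

# Stand-alone run: report each offender and print its remediation using the
# constructed placeholder networks (replace with the authorized ranges).
for rs in $(find_unrestricted_rulesets "$RULESET_LIST" "$ALLOWEDIP_LIST"); do
    echo "UNRESTRICTED: $rs"
    restrict_ruleset_commands "$rs" "10.0.0.0/24" "192.168.10.5"
done
```

Run on an ESXi host, the two constructed strings would be replaced by command substitutions of the real esxcli commands; the audit part is read-only, and the emitted `allowedip add` / `set --allowed-all=false` lines are only applied after confirming the list contains every system that must reach the service (vCenter, backup and monitoring hosts, the administrator's network), since a missing entry locks that system out of the ruleset's service.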

See Also

https://workbench.cisecurity.org/files/145

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6

Plugin: VMware

Control ID: 1d1d74bd9bf5886fc098c1bf860a17b481c87978ccd08a2f93349b0a589b9859