2.2 Ensure the ESXi host firewall is configured to restrict access to services running on the host

Information

The ESXi Firewall is enabled by default and allows ping (ICMP) and communication with
DHCP/DNS clients. Access to services should only be allowed by authorized IP addresses/networks.

*Rationale*


Unrestricted access to services running on an ESXi host can expose a host to outside attacks
and unauthorized access. Reduce the risk by configuring the ESXi firewall to only allow
access from authorized networks.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To properly restrict access to services running on an ESXi host, perform the following from the vSphere web client:
1. Select the host.
2. Go to 'Configure' -> 'System' -> 'Security Profile'.
3. In the 'Firewall' section, select 'Edit...'.
4. For each enabled service, (e.g., ssh, vSphere Web Access, http client) provide the
range of allowed IP addresses.
5. Click 'OK'.

See Also

https://workbench.cisecurity.org/files/2168

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(12), CSCv7|9.4

Plugin: Unix

Control ID: e30f3e40e28f4d1162d1a37a0998c236b35abc8b83850ac17839492fea4aa38f