Information
The ESXi firewall is enabled by default. It permits ping (ICMP) and the host's own DHCP and DNS client traffic, but every enabled service ruleset accepts connections from any source IP address until an allow-list is configured for it. Access to each enabled service should be restricted to authorized IP addresses and networks.
Rationale:
Unrestricted access to services running on an ESXi host exposes the host to attacks and unauthorized access from any system that can reach it on the network. Reduce that exposure by configuring the ESXi firewall to accept connections only from authorized IP addresses and networks.
Impact:
Once an allow-list is set on a service, connections from IP addresses and ranges that are not explicitly listed are denied. Before removing the allow-all setting, make sure the list includes administrator workstations, vCenter Server and any monitoring or backup systems that must reach that service; otherwise the change locks them out, possibly including the session you are making the change from.
Solution
To properly restrict access to services running on an ESXi host, perform the following from the vSphere web client:
Select a host
Click Configure, expand System, and select Firewall.
Click Edit to view the services that are enabled (indicated by a check mark).
For each enabled service (for example SSH Server, vSphere Web Access, HTTP Client), clear Allow connections from any IP address and enter the list of allowed IP addresses or CIDR networks.
Click OK.
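The same audit and remediation can be scripted with PowerCLI, which is how this is normally applied across many hosts. The following is an added example, not part of the benchmark text or VMware's own tooling. It assumes PowerCLI is installed, a session is already open with Connect-VIServer, and that the host name, the ruleset keys in $RulesetsToRestrict and the networks in $AllowedNetworks are placeholders you replace with your own values. Allowed addresses are added before the allow-all flag is cleared, so the service never passes through a state in which nothing is permitted.

```powershell
# Added example (not from the original page): audit ESXi firewall rulesets that
# still accept connections from any IP, then restrict selected rulesets to an
# explicit allow-list. All values below are assumed placeholders.

$HostName           = 'esxi01.example.local'                 # assumed host name
$AllowedNetworks    = @('10.10.0.0/24', '192.168.100.5')     # assumed mgmt network + jump host
$RulesetsToRestrict = @('sshServer', 'webAccess', 'httpClient')  # esxcli ruleset keys

$vmhost = Get-VMHost -Name $HostName

# ---- Audit: enabled rulesets whose AllowedHosts.AllIp is still true ----
# ExtensionData is the vSphere API HostFirewallRuleset object; AllowedHosts
# carries the AllIp flag plus the IpAddress / IpNetwork allow-lists.
$open = Get-VMHostFirewallException -VMHost $vmhost |
    Where-Object { $_.Enabled -and $_.ExtensionData.AllowedHosts.AllIp } |
    Select-Object Name, @{ n = 'Key'; e = { $_.ExtensionData.Key } }

if ($open) {
    Write-Host "Enabled rulesets open to all IP addresses on ${HostName}:"
    $open | Format-Table -AutoSize
}
else {
    Write-Host "No enabled ruleset on $HostName accepts connections from any IP."
}

# ---- Remediate via esxcli (V2 interface exposes network.firewall.ruleset) ----
$esxcli = Get-EsxCli -VMHost $vmhost -V2

foreach ($ruleset in $RulesetsToRestrict) {
    # 1. Add the allow-list first; it has no effect while allowedall is true,
    #    so adding it before flipping the flag avoids a lock-out window.
    foreach ($net in $AllowedNetworks) {
        try {
            $esxcli.network.firewall.ruleset.allowedip.add.Invoke(
                @{ rulesetid = $ruleset; ipaddress = $net }) | Out-Null
        }
        catch {
            # esxcli refuses duplicates; report anything else
            Write-Warning "allowedip add $net on ${ruleset}: $($_.Exception.Message)"
        }
    }

    # 2. Equivalent of clearing "Allow connections from any IP address" in the client.
    $esxcli.network.firewall.ruleset.set.Invoke(
        @{ rulesetid = $ruleset; allowedall = $false }) | Out-Null
}

# ---- Verify: re-read the rulesets and show the effective allow-list ----
Get-VMHostFirewallException -VMHost $vmhost |
    Where-Object { $RulesetsToRestrict -contains $_.ExtensionData.Key } |
    ForEach-Object {
        $ah   = $_.ExtensionData.AllowedHosts
        $nets = @()
        if ($ah.IpAddress) { $nets += $ah.IpAddress }
        foreach ($n in $ah.IpNetwork) { $nets += "$($n.Network)/$($n.PrefixLength)" }
        [pscustomobject]@{
            Ruleset = $_.ExtensionData.Key
            Enabled = $_.Enabled
            AllIp   = $ah.AllIp
            Allowed = ($nets -join ', ')
        }
    } | Format-Table -AutoSize
```

Run the audit section alone first to see which rulesets are actually enabled on each host; restricting a ruleset that is disabled is harmless but pointless, and httpClient is an outbound ruleset, so its allow-list governs which destinations the host may connect to rather than who may connect in. Directly on the host the same changes are `esxcli network firewall ruleset allowedip add --ruleset-id sshServer --ip-address 10.10.0.0/24` followed by `esxcli network firewall ruleset set --ruleset-id sshServer --allowed-all false`, with `esxcli network firewall ruleset allowedip list` to verify.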