5.1 (L1) Host firewall must only allow traffic from authorized networks

Information

The host's firewall is designed to block all incoming and outgoing network traffic by default, unless exceptions are explicitly made, thus minimizing the attack surface and barring unauthorized access. The firewall settings, while simplistic, are akin to router ACLs, and might require reflexive rules to be configured for certain network scenarios. Through the VMware Host Client, restrictions can be placed on a per-IP basis to only allow traffic from authorized networks, aligning with the security control's recommended value of permitting connections solely from authorized infrastructure and administration workstations.

Implementing a policy where only traffic from authorized networks is allowed significantly enhances the host's security posture. It not only minimizes the attack surface but also helps in maintaining a clean network traffic flow, which is crucial for organizational security and operational efficiency.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To properly restrict access to services running on an ESXi host, perform the following from the vSphere web client:

- Select a host
- Click Configure, then expand System, then select Firewall
- Click Edit to view services which are enabled (indicated by a check).
- For each enabled service (e.g., ssh, vSphere Web Access, http client), provide a list of allowed IP addresses.
- Click OK
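The same restriction applied from PowerCLI rather than the web client, as an added example that is not part of the benchmark or of Tenable's audit content. It assumes a PowerCLI session already connected with Connect-VIServer; the host name, the authorized networks and the firewall exception names are placeholders, and the AllowedIPAddresses property name used in the verification step is assumed from the esxcli allowedip list output.

```powershell
# Added example (not benchmark or Tenable code): restrict every enabled ESXi
# firewall ruleset to authorized networks, then report any enabled ruleset
# that still accepts connections from all addresses.
# Assumptions: PowerCLI is installed and Connect-VIServer has been run;
# host name and network ranges below are placeholders.

$hostName = 'esxi01.example.internal'                       # placeholder host
$authorizedNetworks = @('10.10.0.0/24', '10.20.5.0/24')      # placeholder: infrastructure and admin-workstation networks

$vmHost = Get-VMHost -Name $hostName
$esxcli = Get-EsxCli -VMHost $vmHost -V2

# Enabled firewall exceptions; ExtensionData.Key is the esxcli ruleset id (e.g. sshServer)
$enabled = Get-VMHostFirewallException -VMHost $vmHost | Where-Object { $_.Enabled }
$enabledIds = @($enabled | ForEach-Object { $_.ExtensionData.Key })

foreach ($rulesetId in $enabledIds) {
    # Add the authorized ranges FIRST. Switching allowed-all off while the list is
    # empty blocks the ruleset for everyone, including the session doing the change.
    foreach ($net in $authorizedNetworks) {
        try {
            # Equivalent to: esxcli network firewall ruleset allowedip add --ruleset-id <id> --ip-address <cidr>
            $esxcli.network.firewall.ruleset.allowedip.add.Invoke(@{ rulesetid = $rulesetId; ipaddress = $net }) | Out-Null
        }
        catch {
            # esxcli rejects a range that is already present; that is not a failure here
            Write-Verbose "Ruleset $rulesetId already allows $net ($($_.Exception.Message))"
        }
    }

    # Now restrict the ruleset to the listed addresses only
    # Equivalent to: esxcli network firewall ruleset set --ruleset-id <id> --allowed-all false
    $esxcli.network.firewall.ruleset.set.Invoke(@{ rulesetid = $rulesetId; allowedall = $false }) | Out-Null
}

# Verification, the check an auditor (or Nessus) performs: any enabled ruleset whose
# allowed-IP list is still "All" does not meet the control.
# Assumption: the list objects expose Ruleset and AllowedIPAddresses properties.
$nonCompliant = $esxcli.network.firewall.ruleset.allowedip.list.Invoke() |
    Where-Object { $enabledIds -contains $_.Ruleset -and ($_.AllowedIPAddresses -contains 'All') }

if ($nonCompliant) {
    Write-Warning "Enabled rulesets still open to all networks on ${hostName}:"
    $nonCompliant | Format-Table Ruleset, AllowedIPAddresses -AutoSize
}
else {
    Write-Output "All enabled firewall rulesets on $hostName are restricted to authorized networks."
}
```

The order inside the loop matters operationally: the allowed-IP entries are added before allowed-all is turned off, so an administrator connected over SSH or the Host Client from an authorized network is never cut off mid-change. The final query is the same check the benchmark asks for and can be run on its own as a read-only audit before any change is made.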

Impact:

While this security control is instrumental in preventing unauthorized access, the host firewall's simplicity may necessitate additional configuration, such as reflexive rules, depending on the network setup. This could require more administrative effort for correct configuration and management to ensure that necessary communications are not inadvertently blocked.

See Also

https://workbench.cisecurity.org/benchmarks/15784

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, 800-53|SC-7(5), CSCv7|9.4

Plugin: VMware

Control ID: f1f3cc952be4115dfb7c7118be8d9c9b4eccbddd535b3191cecc92dee1941eab