Details
The ESXi firewall is enabled by default and allows ping (ICMP) and communication with DHCP/DNS clients. Access to services should only be allowed by authorized IP addresses/networks.
Rationale:
Unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to only allow access from authorized IP addresses and networks.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
To properly restrict access to services running on an ESXi host, perform the following from the vSphere web client:
Select the host.
Go to ‘Configure’ -> ‘System’ -> ‘Security Profile’.
In the ‘Firewall’ section, select ‘Edit…’.
For each enabled service, (e.g., ssh, vSphere Web Access, http client) provide the range of allowed IP addresses.
Click ‘OK’.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Security Assessment and Authorization.This control applies to the following type of system Unix.