
Ensure the ESXi host firewall is configured to restrict access to services running on the host

Details

The ESXi firewall is enabled by default and allows ping (ICMP) and communication with DHCP/DNS clients. Access to services should only be allowed by authorized IP addresses/networks.

Rationale:

Unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to only allow access from authorized IP addresses and networks.

Impact:

Connections from IP addresses and ranges that are not explicitly set will be denied. Take care to ensure appropriate IPs/IP address ranges are allowed.

Solution

To properly restrict access to services running on an ESXi host, perform the following from the vSphere web client:

Select a host.

Click Configure then expand System then select Firewall.

Click Edit to view services which are enabled (indicated by a check).

For each enabled service (e.g., ssh, vSphere Web Access, http client), provide a list of allowed IP addresses.

Click OK.
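To audit the result from the host's command line instead of the web client, the following added example (not part of the CIS benchmark text) parses the output of `esxcli network firewall ruleset list` and `esxcli network firewall ruleset allowedip list` and reports every enabled ruleset that still accepts connections from all addresses. The sample outputs are constructed, and the two-column layout they use is an assumption about how the host prints these tables.

```python
# Constructed sample (not captured from a real host), shaped like the
# output of `esxcli network firewall ruleset list`.
RULESET_LIST = """\
Name          Enabled
------------  -------
sshServer        true
webAccess        true
nfsClient       false
httpClient       true
"""

# Constructed sample shaped like the output of
# `esxcli network firewall ruleset allowedip list`.
# Addresses are from the documentation ranges.
ALLOWEDIP_LIST = """\
Ruleset       Allowed IP Addresses
------------  --------------------
sshServer     192.0.2.10, 198.51.100.0/24
webAccess     All
nfsClient     All
httpClient    All
"""


def _rows(text):
    """Yield (name, rest_of_line) per data row, skipping header and separator."""
    for line in text.splitlines()[2:]:
        parts = line.split(None, 1)
        if len(parts) == 2:
            yield parts[0], parts[1].strip()


def unrestricted_rulesets(ruleset_out, allowedip_out):
    """Return enabled rulesets whose allowed-IP list is still 'All'."""
    # Only the first token after the name is read, so extra columns are ignored.
    enabled = {n for n, v in _rows(ruleset_out) if v.split()[0].lower() == "true"}
    findings = []
    for name, allowed in _rows(allowedip_out):
        entries = [a.strip() for a in allowed.split(",") if a.strip()]
        if name in enabled and "All" in entries:
            findings.append(name)
    return sorted(findings)


if __name__ == "__main__":
    for name in unrestricted_rulesets(RULESET_LIST, ALLOWEDIP_LIST):
        print(f"FAIL {name}: enabled and reachable from any address")
```

Disabled rulesets such as `nfsClient` in the sample are skipped, since the control only concerns services that are enabled.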

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Security Assessment and Authorization. This control applies to the following type of system: VMware.

Updated on July 16, 2022