Detections
Analytics
ESXI-67-000056 - The ESXi host must configure the firewall to restrict access to services running on the host.
Information
Unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to only allow access from authorized networks.NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
From the vSphere Client, select the ESXi host and go to Configure >> System >> Firewall.Under the 'Firewall' section, click 'Edit'.
For each enabled service, uncheck the check box to 'Allow connections from any IP address' and input the site-specific network(s) required.
Configure this for incoming and outgoing connections.
The following example formats are acceptable:
192.168.0.0/24
192.168.1.2, 2001::1/64
fd3e:29a6:0a81:e478::/64
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
$esxcli = Get-EsxCli -v2
#This disables the allow all rule for the target service. We are targeting the sshServer service in this example.
$arguments = $esxcli.network.firewall.ruleset.set.CreateArgs()
$arguments.rulesetid = 'sshServer'
$arguments.allowedall = $false
$esxcli.network.firewall.ruleset.set.Invoke($arguments)
#Next add the allowed IPs for the service. Note doing the 'vSphere Web Client' service this way may disable access but may be done through vCenter or through the console.
$arguments = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs()
$arguments.rulesetid = 'sshServer'
$arguments.ipaddress = '10.0.0.0/8'
$esxcli.network.firewall.ruleset.allowedip.add.Invoke($arguments)
This must be done for each enabled service.
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_Y23M07_STIG.zip
Item Details
Audit Name: DISA STIG VMware vSphere 6.7 ESXi OS v1r3
Category: CONFIGURATION MANAGEMENT
References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-239310r674859_rule, STIG-ID|ESXI-67-000056, Vuln-ID|V-239310
Plugin: Unix
Control ID: 21aa68a0d641dafe94e2f527a4c041ed01b7b7d71e059c2ca26a08ca5b95e522