ESXI-65-000056 - The ESXi host must configure the firewall to restrict access to services running on the host.

Information

Unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to only allow access from authorized networks.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Under the Firewall section click Edit and for each enabled service uncheck the check box to 'Allow connections from any IP address,' and input the site specific network(s) required.Configure this for Incoming and Outgoing connections.

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

$esxcli = Get-EsxCli
#This disables the allow all rule for the target service
$esxcli.network.firewall.ruleset.set($false,$true,'sshServer')
$esxcli.network.firewall.ruleset.allowedip.add('192.168.0.0/24','sshServer')

This must be done for each enabled service.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-5_Y21M07_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CAT|II, CCI|CCI-000366, Rule-ID|SV-207655r388482_rule, STIG-ID|ESXI-65-000056, STIG-Legacy|SV-104145, STIG-Legacy|V-94059, Vuln-ID|V-207655

Plugin: Unix

Control ID: a64083cc3746bdf5e607e31a03294ea29d8b3f4c2cf39d69799efa552d416bf8