The ESXi host firewall must be configured to restrict access to services running on the host.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| SRG-OS-99999-ESXI5-000134 | SRG-OS-99999-ESXI5-000134 | SRG-OS-99999-ESXI5-000134_rule | High |
| Description |
|---|
| Unrestricted access to services running on an ESXi host can exposes a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to allow access from authorized networks only. |
| STIG | Date |
|---|---|
| VMware ESXi v5 Security Technical Implementation Guide | 2013-01-15 |
Details
| Check Text ( C-SRG-OS-99999-ESXI5-000134_chk ) |
|---|
| From the vSphere client, select the host, then select "Configuration >> Security Profile". In the "Firewall" section select "Properties". For each enabled service, (e.g., ssh, vSphere Web Access, http client), select "Firewall", and verify "Only allow connections from the following networks" is selected and a range of authorized IP addresses is listed. If any enabled service's firewall entry is not configured for "Only allow connections from the following networks" with a range of authorized IP addresses listed, this is a finding. |
| Fix Text (F-SRG-OS-99999-ESXI5-000134_fix) |
|---|
| For each host, from the vSphere client, select the host and go to "Configuration >> Security Profile". In the "Firewall" section select "Properties". For each enabled service, (e.g., ssh, vSphere Web Access, http client), select "Firewall", select "Only allow connections from the following networks", and provide a range of authorized IP addresses. |