UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The system must configure the firewall to restrict access to services running on the host.


Overview

Finding ID Version Rule ID IA Controls Severity
V-63281 ESXI-06-000056 SV-77771r1_rule Medium
Description
Unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to only allow access from authorized networks.
STIG Date
VMware vSphere ESXi 6.0 Security Technical Implementation Guide 2017-07-11

Details

Check Text ( C-64015r1_chk )
From the vSphere Client select the ESXi Host and go to Configuration >> Security Profile. Under the Firewall section select properties and for each enabled service click Firewall and review the allowed IPs.

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-VMHostFirewallException | Where {$_.Enabled -eq $true} | Select Name,Enabled,@{N="AllIPEnabled";E={$_.ExtensionData.AllowedHosts.AllIP}}

If for an enabled service "Allow connections from any IP address" is selected, this is a finding.
Fix Text (F-69199r1_fix)
From the vSphere Client select the ESXi Host and go to Configuration >> Security Profile. Under the Firewall section select properties and for each enabled service click the "Only allow connections from the following networks" option and input the site specific network(s).

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

$esxcli = Get-EsxCli
#This disables the allow all rule for the target service
$esxcli.network.firewall.ruleset.set($false,$true,"sshServer")
$esxcli.network.firewall.ruleset.allowedip.add("192.168.0.0/24","sshServer")

This must be done for each enabled service.