The operating system must implement host-based boundary protection mechanisms for servers, workstations, and mobile devices.

From VMware ESXi Server 5.0 Security Technical Implementation Guide

Part of SRG-OS-000152

Associated with: CCI-001118

SV-51254r1_rule The operating system must implement host-based boundary protection mechanisms for servers, workstations, and mobile devices.

Vulnerability discussion

Unrestricted access to services running on an ESXi host can exposes a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to allow access from authorized networks only.

Check content

From the vSphere client, select the host, then select "Configuration >> Security Profile". In the "Firewall" section select "Properties". For each enabled service, (e.g., ssh, vSphere Web Access, http client), select "Firewall", and verify "Only allow connections from the following networks" is selected and a range of authorized IP addresses is listed. If any enabled service's firewall entry is not configured for "Only allow connections from the following networks" with a range of authorized IP addresses listed, this is a finding.

Fix text

For each host, from the vSphere client, select the host and go to "Configuration >> Security Profile". In the "Firewall" section select "Properties". For each enabled service, (e.g., ssh, vSphere Web Access, http client), select "Firewall", select "Only allow connections from the following networks", and provide a range of authorized IP addresses.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer