
Configuring the host firewall

The ESXi firewall is configured much like the firewalls we already work with day to day. It is important to note that even if a port is open in the firewall configuration, a connection to it will fail unexpectedly when the corresponding service or daemon is stopped. For example, the SSH server port is open by default on a new ESXi build, yet an SSH connection will fail because the SSH service is not running to answer the request.

Getting ready

In order to proceed, we require access to vSphere Client. The client can be run on any modern Windows desktop operating system or server operating system.

Note

vSphere Client will not run from a Windows Domain Controller.

The vSphere Client can be downloaded from the link provided on the ESXi host web page or from www.vmware.com.

How to do it…

Perform the following steps:

  1. Navigate to the Configuration tab and select Security Profile.
  2. Click on Properties… in the Firewall section, as shown in the following screenshot:
  3. In our example, we're selecting the SSH Client rule.
  4. After you select the rule, you will be presented with a dialog box, as shown in the following screenshot.
  5. We have the option to allow traffic from all networks or to restrict the allowed traffic from specific hosts or known subnets.

    Note

    It is always a good idea to restrict inbound traffic if the network where the host resides is well-defined. This takes extra work and the configuration should be documented thoroughly.

  6. After you make changes to your IP address range, save the changes; in our example, we'll select the Allow connections from any IP address option.
  7. Then, you can enable your firewall rule for the SSH client by clicking on OK to close the dialog box, as shown in the following screenshot:

How it works…

The firewall rules open or close inbound and outbound ports, controlling which traffic the ESXi host may send or receive. It is critical that the ports are configured appropriately, since unauthorized access to the host could affect a large number of guest machines running on the hypervisor.

The firewall rules are updated once the OK button is clicked.

Note

If a service is in an autostart configuration, it will start if a port is opened.

There's more

An exhaustive list of ESXi hardening controls is available in the hardening guide from VMware, including the command-line and PowerCLI commands for the settings presented in this chapter.
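The recipe above performs the firewall change in the vSphere Client, and the hardening guide referenced here lists command-line equivalents. The following is an added example, not taken from this book or from VMware's hardening guide: it applies the same restriction with esxcli from the ESXi Shell (steps 5 to 7 of the recipe) and adds a small audit that lists every enabled ruleset still open to any IP address. The `esxcli network firewall ruleset` commands and the `sshClient` ruleset id are real; the subnet 10.10.0.0/24 and the sample command output embedded in the script are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the book or VMware): esxcli equivalents of the
# vSphere Client steps, plus an offline audit of the firewall output.
# Assumes ESXi Shell or SSH access to the host; the subnet 10.10.0.0/24 and
# the sample command output below are constructed for illustration.

# Steps 5-7 of the recipe on the command line: enable the ruleset, turn off
# "Allow connections from any IP address", and add one specific subnet.
restrict_ruleset() {
    rs="$1"   # ruleset id, e.g. sshClient (the "SSH Client" rule in the GUI)
    net="$2"  # CIDR subnet or single host allowed to use the rule
    esxcli network firewall ruleset set --ruleset-id "$rs" --enabled true &&
    esxcli network firewall ruleset set --ruleset-id "$rs" --allowed-all false &&
    esxcli network firewall ruleset allowedip add --ruleset-id "$rs" --ip-address "$net"
}

# Audit: given the text of `esxcli network firewall ruleset list` ($1) and
# `esxcli network firewall ruleset allowedip list` ($2), print each enabled
# ruleset that still accepts connections from any IP address ("All").
open_to_all() {
    # Skip the header and dashed separator (lines 1-2) of the esxcli table.
    enabled=$(printf '%s\n' "$1" | awk 'NR > 2 && $2 == "true" { print $1 }')
    for rs in $enabled; do
        printf '%s\n' "$2" |
            awk -v rs="$rs" 'NR > 2 && $1 == rs && $2 == "All" { print rs }'
    done
}

# Live audit on the host itself.
audit_host() {
    open_to_all "$(esxcli network firewall ruleset list)" \
                "$(esxcli network firewall ruleset allowedip list)"
}

# Constructed sample output in the layout esxcli prints (header, dashes, rows).
SAMPLE_RULESETS='Name            Enabled
--------------  -------
sshServer          true
sshClient          true
nfsClient          true
ntpClient         false'

SAMPLE_ALLOWED='Ruleset       Allowed IP Addresses
------------  --------------------
sshServer     All
sshClient     10.10.0.0/24
nfsClient     All
ntpClient     All'

case "${1:-}" in
    apply) restrict_ruleset sshClient 10.10.0.0/24 && audit_host ;;
    audit) audit_host ;;
    *)     echo "Enabled rulesets open to any IP (sample data):"
           open_to_all "$SAMPLE_RULESETS" "$SAMPLE_ALLOWED" ;;
esac
```

Run with `apply` on a host to restrict the SSH Client rule and then audit, with `audit` for the check alone, or with no argument to run the audit against the constructed sample output (which reports `sshServer` and `nfsClient`). The audit keys on the literal `All` in the allowed-IP column, which is what the Allow connections from any IP address option in the dialog produces, so it surfaces exactly the rulesets the note in step 5 recommends tightening.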

TPM encryption

Trusted Platform Module (TPM) is offered on Intel-based systems. Systems with a TPM chip provide protection of the hypervisor, including third-party drivers. TPM provides cryptographic processing on the motherboard that operating systems and applications, such as disk encryption, can take advantage of.

To use this protection, both the TPM and Trusted Execution Technology (TXT) settings must be enabled in the server BIOS. Once they are enabled, ESXi configures TPM/TXT automatically at boot. During boot, TPM measures the VMkernel and a subset of loaded modules, checking for corruption and unauthorized changes or updates. The current version of TPM is Version 2.0.

See also
