VMware Cloud Community
blabarbera
Enthusiast

ESXi Hardening - host services/firewall

When it comes to securing inbound/outbound host traffic, is there a comprehensive list of native vSphere/vCenter services (in English) that shows which systems require what ports? For instance, I am assuming that access to certain ports/services is needed by vCenter, and some of them are very obvious, but the rest might as well be in Latin. For example, CIM Server. I have no idea who or what needs access to it, but it's there by default and I know that the firewall rule should not be set to "all". vShield-Endpoint-Mux - where should I be letting this traffic go to?

Most of the rules/services are not necessarily "friendly-names" and I am not finding much in the way of guidance on a few of them. While I love reading white-papers it would be nice to be able to quickly secure a host without having to read a stack of papers.

Any help is appreciated.

5 Replies
vFantastic
Enthusiast

blabarbera
Enthusiast

I actually started there, but it only raised more questions, and doesn't really answer my question. I understand about disabling services that aren't needed, but for the services that ARE needed there isn't much about securing them further via host firewall rules, nor is there much information about what exactly some of them even are or do. (I'm just supposed to allow "All" inbound traffic for some of these? That doesn't seem wise.)

Josh26
Virtuoso

It certainly feels like one of those interesting contradictions. You receive a "hardening guide", which, as you'd expect, details the ports in use, so you can lock the other ports down.

It then lists every service in use, and asks you to open said port. The end result is security that's only improved on paper.

Unfortunately, this sort of political game is what happens when something is quite secure by default, as opposed to Windows' "have a million services listening that you don't need". Every one of those ports listed is required for some piece of functionality. CIM, for example, provides hardware monitoring. None of those are required to be accessed from any devices other than other ESXi servers or the vCenter server. I would recommend running these servers in a management LAN - and then nothing needs to be opened but the RDP port to your vCenter server.

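As an added example (not code from any post in this thread), here is a small audit script in the spirit of Josh26's advice: rather than allowing "All" on a needed ruleset, scope it to the management LAN. It parses the output of `esxcli network firewall ruleset list` and `esxcli network firewall ruleset allowedip list`, flags every ruleset that is enabled but still allows all source IPs, and emits the `esxcli` commands that turn off allowed-all and add the management network(s). The two sample outputs below are constructed to match the shape of those commands' table output; the ruleset IDs (sshServer, CIMHttpServer, vpxHeartbeats, vShield-Endpoint-Mux) and the 10.10.0.0/24 management subnet are illustrative assumptions, not taken from a real host.

```python
import ipaddress
import re

# Constructed sample output (not captured from a real host), shaped like:
#   esxcli network firewall ruleset list
RULESET_LIST = """\
Name                  Enabled
--------------------  -------
sshServer                true
sshClient               false
CIMHttpServer            true
CIMHttpsServer           true
vpxHeartbeats            true
vShield-Endpoint-Mux     true
"""

# Constructed sample output, shaped like:
#   esxcli network firewall ruleset allowedip list
ALLOWED_IP_LIST = """\
Ruleset               Allowed IP Addresses
--------------------  --------------------
sshServer             10.10.0.0/24, 10.10.0.250
sshClient             All
CIMHttpServer         All
CIMHttpsServer        All
vpxHeartbeats         All
vShield-Endpoint-Mux  All
"""


def parse_table(text):
    """Parse esxcli table output: a header line, a dashed separator line,
    then one row per line. Columns are separated by two or more spaces, so a
    value containing single spaces ("10.10.0.0/24, 10.10.0.250") stays whole."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return [re.split(r"\s{2,}", ln.strip()) for ln in lines[2:]]


def parse_rulesets(list_out, allowed_out):
    """Merge both tables into {ruleset: {"enabled": bool, "allowed_all": bool,
    "allowed": [ip or cidr, ...]}}."""
    enabled = {name: state.lower() == "true" for name, state in parse_table(list_out)}
    allowed = {}
    for name, ips in parse_table(allowed_out):
        if ips.strip() == "All":
            allowed[name] = {"allowed_all": True, "allowed": []}
        else:
            allowed[name] = {"allowed_all": False,
                             "allowed": [ip.strip() for ip in ips.split(",")]}
    return {
        name: {"enabled": enabled[name], **allowed.get(name, {"allowed_all": True, "allowed": []})}
        for name in enabled
    }


def find_open_rulesets(rulesets):
    """Enabled rulesets that still accept connections from any source IP.
    Disabled rulesets are not a listening surface and are skipped."""
    return sorted(name for name, r in rulesets.items() if r["enabled"] and r["allowed_all"])


def remediation_commands(open_rulesets, mgmt_networks):
    """Emit the esxcli commands that scope each open ruleset to the management
    network(s). Networks are validated as IPv4/IPv6 addresses or CIDR blocks
    first, since a typo here would lock out legitimate management traffic."""
    for net in mgmt_networks:
        ipaddress.ip_network(net, strict=False)  # raises ValueError on a bad entry
    cmds = []
    for rs in open_rulesets:
        cmds.append(f"esxcli network firewall ruleset set --ruleset-id={rs} --allowed-all=false")
        for net in mgmt_networks:
            cmds.append(
                f"esxcli network firewall ruleset allowedip add --ruleset-id={rs} --ip-address={net}"
            )
    return cmds


def audit(list_out=RULESET_LIST, allowed_out=ALLOWED_IP_LIST, mgmt_networks=("10.10.0.0/24",)):
    """Run the whole check and return (open rulesets, remediation commands)."""
    open_rs = find_open_rulesets(parse_rulesets(list_out, allowed_out))
    return open_rs, remediation_commands(open_rs, list(mgmt_networks))


if __name__ == "__main__":
    flagged, cmds = audit()
    print("Enabled rulesets allowing all source IPs:", ", ".join(flagged))
    print("\n".join(cmds))
```

Run it against real output by piping the two `esxcli` commands (from the host shell or over SSH) into the parser instead of the constructed strings. Two practical caveats: the allowed-IP list must contain the vCenter server (and any other ESXi hosts, for services such as vpxHeartbeats) before you rely on it, and the order matters in the opposite direction from what you might expect: adding the allowed IPs before flipping `--allowed-all=false` avoids a window where the service accepts nobody, so review the generated commands rather than running them blindly.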
JarryG
Expert

"...is there a comprehensive list of native vSphere/vCenter services (in English) that shows which systems require what ports?..."

Maybe this could help, but I'm not sure if it is still valid:

http://communities.vmware.com/servlet/JiveServlet/download/38-43626/Connections%20&%20Ports%20in%20E...

_____________________________________________
If you found my answer useful please do *not* mark it as "correct" or "helpful". It is hard to pretend to be a noob with all those points! 😉
blabarbera
Enthusiast

Even if it's not entirely accurate, that is still better than anything I have found thus far. Thank you.
