Updating the vCenter Server Appliance (vCSA) firewall rules to DISA STIG compliance (2047585)

Symptoms

The firewall settings in the vCenter Server Appliance (vCSA) are not compliant with DISA STIG settings. These settings are a part of an ongoing effort to further secure VMware components.
 
Note: The preceding link was correct as of May 13, 2015. If you find that the link is broken, provide feedback and a VMware employee will update the link.

Purpose

This article provides steps to easily configure the vSphere 5.1 and 5.5 vCSA firewall to a DISA STIG level of compliance.

This level of compliance will be the default setting in a future version of the vCSA and as such has been tested by VMware.

Cause

This issue occurs because the vSphere 5.1 and 5.5 vCSA is not DISA STIG compliant out of the box.

Resolution

To resolve this issue, use the attached firewall.txt file as a base and modify it for your environment.

To modify and use the firewall.txt file:

  1. Download the firewall.txt file attached to this Knowledge Base article.
  2. Using a text editor, create a new text file named firewall.STIG in the /etc/sysconfig/network/scripts directory.

    Note: Ensure that the resulting .STIG file contains no MS-DOS end-of-line (EOL) characters. To check this, open the firewall.STIG file on the vCenter Server Appliance in a text editor and confirm that no EOL characters are visible at the line breaks.

  3. Copy the contents of the firewall.txt file into the new firewall.STIG file.
  4. Update the ipv4_whitelist and ipv6_whitelist variables with values appropriate for your environment. These variables are used to whitelist the management network. This example illustrates the syntax for these variables:

    ipv4_whitelist=137.23.133.0/255.255.255.0
    ipv6_whitelist=3ffe:ffff:100::1/128

    Note: Multiple subnets can be set using a comma (,) separator. For IPv6 networks, add ::1 if no other networks are to be added.

  5. Modify the IPfilter DROP SPOOF lines with values appropriate for your environment. If you do not update these lines, and your hosts are on a private subnet whose addresses appear in these spoofed listings, you will see errors.
  6. Save and close the firewall.STIG file.
  7. Navigate to the /etc/sysconfig/network/scripts directory by running the command:

    cd /etc/sysconfig/network/scripts

  8. Back up the original firewall file by running the command:

    mv firewall firewall.orig

  9. Set permissions on the new firewall.STIG file by running the command:

    chmod ugo+rx firewall.STIG

  10. Create a symlink to the new firewall.STIG file by running the command:

    ln -s firewall.STIG firewall

  11. Reboot the vCSA for the changes to take effect.
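The following POSIX shell script is an added example, not part of this Knowledge Base article or its attached firewall.txt. It checks a candidate firewall.STIG file for the two mistakes the steps above warn about (MS-DOS line endings, and missing or malformed ipv4_whitelist/ipv6_whitelist values) and then performs steps 7 to 10 against a directory given as an argument, so the procedure can be rehearsed in a scratch directory before it is run in /etc/sysconfig/network/scripts. All function names and the sample variable lines are this example's own; the only values taken from the article are the whitelist syntax examples.

```shell
#!/bin/sh
# Added example, not VMware's code: validate a firewall.STIG file and rehearse
# steps 7-10 of the article in any directory. Function names are this example's own.

# Succeed only if the file contains no carriage-return (MS-DOS EOL) characters.
stig_has_unix_eol() {
    ! grep -q "$(printf '\r')" "$1"
}

# Validate a dotted-quad IPv4 address: four numeric octets, each 0-255.
stig_valid_ipv4_addr() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Validate an ipv4_whitelist entry: address/mask, where the mask is either a
# dotted quad (255.255.255.0) or a prefix length (8), matching the article's syntax.
stig_valid_ipv4_entry() {
    entry=$1; addr=${entry%%/*}; mask=${entry#*/}
    [ "$addr" != "$entry" ] || return 1          # a "/" mask is required
    stig_valid_ipv4_addr "$addr" || return 1
    case $mask in
        *.*)          stig_valid_ipv4_addr "$mask" ;;
        ''|*[!0-9]*)  return 1 ;;
        *)            [ "$mask" -le 32 ] ;;
    esac
}

# Validate an ipv6_whitelist entry: hex-and-colon address with an optional /prefix
# of 0-128. A bare address such as ::1 is accepted as a single host (assumption
# based on the article's note about adding ::1).
stig_valid_ipv6_entry() {
    entry=$1
    case $entry in
        */*) addr=${entry%%/*}; prefix=${entry#*/} ;;
        *)   addr=$entry;       prefix=128 ;;
    esac
    case $addr in
        *[!0-9a-fA-F:]*|*::*::*) return 1 ;;     # non-hex characters or two "::"
        *:*) ;;
        *) return 1 ;;                           # not an IPv6 address
    esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 128 ]
}

# Print the value assigned to variable $2 in file $1 (last assignment wins);
# the article's example shows plain, unquoted values.
stig_get_var() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Check every comma-separated entry of whitelist variable $2 in file $1 with
# validator function $3 (the article allows several subnets separated by commas).
stig_check_whitelist() {
    file=$1; var=$2; checker=$3
    val=$(stig_get_var "$file" "$var")
    [ -n "$val" ] || { echo "$var is not set in $file" >&2; return 1; }
    old_ifs=$IFS; IFS=,
    set -- $val
    IFS=$old_ifs
    for e in "$@"; do
        "$checker" "$e" || { echo "$var: invalid entry '$e'" >&2; return 1; }
    done
    return 0
}

# Steps 7-10 of the article against directory $1, run only after the checks pass.
stig_install() {
    dir=$1; f=$dir/firewall.STIG
    stig_has_unix_eol "$f" || { echo "$f has MS-DOS line endings" >&2; return 1; }
    stig_check_whitelist "$f" ipv4_whitelist stig_valid_ipv4_entry || return 1
    stig_check_whitelist "$f" ipv6_whitelist stig_valid_ipv6_entry || return 1
    (
        cd "$dir" || exit 1                          # step 7
        if [ -e firewall ] || [ -L firewall ]; then
            mv firewall firewall.orig || exit 1      # step 8: keep the original script
        fi
        chmod ugo+rx firewall.STIG || exit 1         # step 9
        ln -s firewall.STIG firewall                 # step 10
    )
}

# Constructed sample of the variable lines the article describes; the real
# attached firewall.txt is not reproduced here.
stig_write_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
# constructed sample, not the KB attachment
ipv4_whitelist=137.23.133.0/255.255.255.0,10.0.0.0/8
ipv6_whitelist=3ffe:ffff:100::1/128,::1
EOF
}

# Rehearsal in a scratch directory; on the appliance the target is
# /etc/sysconfig/network/scripts, followed by the reboot in step 11.
d=$(mktemp -d)
stig_write_sample "$d/firewall.STIG"
printf 'original script\n' > "$d/firewall"
stig_install "$d" && ls -l "$d"
rm -rf "$d"
```

Run the rehearsal as-is to see the resulting firewall.orig, firewall.STIG and firewall symlink in a temporary directory; to use it on the appliance, write your edited firewall.STIG to /etc/sysconfig/network/scripts and call stig_install on that directory, then reboot. The CR check is the same condition the note under step 2 asks you to confirm by eye, and the whitelist checks reject entries that would otherwise silently leave the management network outside the allowed set.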

Additional Information

DISA STIG vulnerabilities are resolved in these firewall updates:
  • GEN003602
  • GEN007140
  • GEN008520
  • GEN008540

Update History

06/17/2014 - Added vCenter Server Appliance 5.5 to Product Versions.
