8. Change the firewall configuration permissions back to their original value:
chmod 444 /etc/vmware/firewall/service.xml
9. Update the firewall configuration by running the following command:
esxcli network firewall refresh
10. Finally, list the firewall rules again to ensure that the changes are active:
esxcli network firewall ruleset list
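Step 10 leaves the verification to the reader's eye. As an added example (not from the book), the following POSIX shell functions make steps 8 and 10 checkable from a script: one confirms the service.xml mode is back to 444, the other parses the output of esxcli network firewall ruleset list and compares the rulesets you care about against an expected state. The sample listing, the ruleset names in EXPECTED and the column layout of the esxcli output are assumptions made so the script runs offline; on a host, call ruleset_state with one argument and it runs esxcli for you.

```shell
#!/bin/sh
# Added example: verify the ESXi firewall state after a refresh.
# Written for a POSIX shell (the ESXi shell is busybox ash).

# Constructed copy of 'esxcli network firewall ruleset list' output
# (assumed two-column layout: Name, Enabled, after a header and dash line).
SAMPLE_RULESET_LIST='Name                  Enabled
--------------------  -------
sshServer             true
sshClient             false
nfsClient             false
vpxHeartbeats         true
CIMHttpServer         false'

# ruleset_state NAME [LISTING]
# Prints "true" or "false" for NAME, or "absent" if the ruleset is not listed.
# With no LISTING argument the live esxcli command is queried.
ruleset_state() {
    name=$1
    listing=${2:-$(esxcli network firewall ruleset list)}
    printf '%s\n' "$listing" | awk -v n="$name" '
        NR > 2 && $1 == n { print $2; found = 1 }
        END { if (!found) print "absent" }'
}

# Rulesets whose state you expect after the change (constructed values).
EXPECTED='sshServer=true vpxHeartbeats=true sshClient=false'

# check_expected LISTING
# Reports every ruleset whose state differs from EXPECTED; returns 1 on any mismatch.
check_expected() {
    listing=$1
    rc=0
    for pair in $EXPECTED; do
        name=${pair%%=*}
        want=${pair#*=}
        got=$(ruleset_state "$name" "$listing")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH: $name expected=$want actual=$got"
            rc=1
        fi
    done
    return $rc
}

# file_mode_ok PATH
# Returns 0 only when PATH is a regular file with mode 444 (step 8 restored it).
# Uses the ls -l mode string, which is portable across busybox and GNU ls.
file_mode_ok() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-r--r--r--" ]
}

# Usage on a host:
#   file_mode_ok /etc/vmware/firewall/service.xml || echo "service.xml not read-only"
#   check_expected "$(esxcli network firewall ruleset list)" && echo "firewall state OK"
```

The awk filter skips the two header lines and matches on the first column only, so a ruleset name that is a prefix of another (sshServer versus sshClient) cannot produce a false match.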
Maintaining the ESXi firewall configuration is an important part of ESXi host security.
Another recommended security practice is to isolate the ESXi management network to control network access to the management interfaces of your ESXi hosts. You can accomplish this using a network firewall, a technique we describe in the next section.
Controlling Network Access to the ESXi Management Interfaces
The ESXi firewall allows you to control access to specific TCP/IP ports on an ESXi host, but an additional step to consider is a network firewall to control access to the management interfaces of the ESXi host. Using a network firewall to enforce access control lists (ACLs) that govern which systems are allowed to make connections to the management interfaces of your ESXi hosts is a complementary step to using the ESXi firewall, and it follows the well-known recommended practice of using “defense in depth.”
Should you choose to isolate the management interfaces of your ESXi hosts on a separate network segment, keep in mind the following two important considerations:
Be sure to allow proper access from vCenter Server to the ESXi hosts. You can handle this by allowing the appropriate ports through the firewall or by adding an extra network interface on the isolated management segment to the vCenter Server system. Personally, we prefer the latter approach, but both approaches are perfectly valid.
Don't forget to allow access from the vMA or from systems on which you will run PowerCLI scripts if you'll be accessing the ESXi hosts directly. If the vMA or the PowerCLI scripts will be connecting to vCenter Server, then you just need to allow access to vCenter Server.
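The ACL the section describes is, in the end, a short allowlist: a handful of source systems (vCenter Server, the vMA or PowerCLI host) and the management ports they need. As an added example that is not from the book, the POSIX shell below models such an allowlist and evaluates connection attempts against it, so you can sanity-check a proposed rule set before committing it to whatever network firewall you use. Every address, prefix and port in MGMT_ALLOWLIST is constructed for illustration; the syntax is the script's own, not any firewall vendor's.

```shell
#!/bin/sh
# Added example: evaluate a management-network allowlist (constructed data).

# Allowlist entries as SOURCE_CIDR:DEST_PORT, one per line. Constructed values:
#   10.0.10.5    assumed vCenter Server address (443 and 902 to the hosts)
#   10.0.10.20   assumed vMA / PowerCLI management host (443)
#   10.0.10.0/24 assumed isolated management segment (SSH from within it only)
MGMT_ALLOWLIST='10.0.10.5/32:443
10.0.10.5/32:902
10.0.10.20/32:443
10.0.10.0/24:22'

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> exit 0 when IP lies inside CIDR (e.g. 10.0.10.0/24)
in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# mgmt_access_allowed SRC_IP DST_PORT
# Prints ALLOW and returns 0 if some allowlist entry matches both the source
# address and the destination port; otherwise prints DENY and returns 1.
# Anything not explicitly listed is denied (default-deny).
mgmt_access_allowed() {
    src=$1
    port=$2
    for entry in $MGMT_ALLOWLIST; do
        cidr=${entry%%:*}
        aport=${entry#*:}
        if [ "$aport" = "$port" ] && in_cidr "$src" "$cidr"; then
            echo ALLOW
            return 0
        fi
    done
    echo DENY
    return 1
}

# Usage: mgmt_access_allowed 10.0.10.5 443     -> ALLOW (vCenter to host API)
#        mgmt_access_allowed 10.0.10.77 443    -> DENY  (unlisted host on the segment)
```

The default-deny shape is the point: the vCenter Server entry and the vMA entry are the only ways in on 443, and a workstation that happens to sit on the management segment still cannot reach the host API unless it is listed. If you take the book's preferred approach of giving vCenter Server a second interface on the isolated segment, its entry simply moves from an external address to an address inside that segment.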
Using a Jump Box
One technique that we've seen, and used, in a fair number of installations is a jump box. This is a system—typically a Windows Server-based system—that has network interfaces to the isolated management network as well as the rest of your network segments. You'll connect to the jump box and then connect from there to your vSphere environment using the vSphere Client, PowerCLI, vMA, or other tools. This neatly sidesteps the issue of having to create firewall rules to allow traffic into or out of the isolated management network but still provides access to manage the environment. If you are considering isolating the management interfaces of your ESXi hosts, a jump box might be an approach to consider for your environment.