VMware NSX-T SDN Controller Security Technical Implementation Guide

  • Version/Release: V1R1
  • Published: 2022-03-09

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
The NSX-T Controller must be configured as a cluster in active/active mode to preserve any information necessary to determine cause of a system failure and to maintain network operations with least disruption to workload processes and flows.
SC-24 - Medium - CCI-001665 - V-251734 - SV-251734r810060_rule
RMF Control: SC-24
Severity: Medium
CCI: CCI-001665
Version: TSDC-3X-000011
Vuln IDs: V-251734
Rule IDs: SV-251734r810060_rule
Failure in a known state can address safety or security in accordance with the mission needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the SDN controller. Preserving network element state information helps to facilitate continuous network operations with minimal or no disruption to mission-essential workload processes and flows.
Checks: C-55171r810058_chk

From the NSX-T Manager web interface, go to System >> Appliances. Verify there are three NSX-T Managers deployed, a VIP or external load balancer is configured, and the cluster is in a healthy state. If there are not three NSX-T Managers deployed and a VIP or external load balancer configured and the cluster is in a healthy state, this is a finding.

Fix: F-55125r810059_fix

To add additional NSX-T Manager appliances, do the following:

From the NSX-T Manager web interface, go to System >> Appliances, and then click "Add NSX Appliance". Supply the required information to add additional nodes as needed, up to three total.

To configure NSX-T with a cluster VIP or external load balancer, do the following:

From the NSX-T Manager web interface, go to System >> Appliances, and then click "Set Virtual IP", enter a VIP that is part of the same subnet as the other management nodes, and then click "Save".

To configure NSX-T with an external load balancer, set up an external load balancer with the following requirements:

  • Configure the external load balancer to control traffic to the NSX Manager nodes.
  • Configure the external load balancer to use the round robin method and configure source persistence for the load balancer's virtual IP.
  • Create or import a signed certificate and apply the same certificate to all the NSX Manager nodes. The certificate must have the FQDN of the virtual IP and each of the nodes in the SAN.

Note: An external load balancer will not work with the NSX Manager VIP. Do not configure an NSX Manager VIP if using an external load balancer.

If the cluster status is not in a healthy state, identify the degraded component on the appliance and troubleshoot the issue with the error information provided.

The NSX-T Controller cluster must be on separate physical hosts.
CM-6 - Medium - CCI-000366 - V-251735 - SV-251735r810063_rule
RMF Control: CM-6
Severity: Medium
CCI: CCI-000366
Version: TSDC-3X-000020
Vuln IDs: V-251735
Rule IDs: SV-251735r810063_rule
SDN relies heavily on control messages between a controller and the forwarding devices for network convergence. The controller uses node and link state discovery information to calculate and determine optimum pathing within the SDN network infrastructure based on application, business, and security policies. Operating in the proactive flow instantiation mode, the SDN controller populates forwarding tables to the SDN-aware forwarding devices. At times, the SDN controller must function in reactive flow instantiation mode; that is, when a forwarding device receives a packet for a flow not found in its forwarding table, it must send it to the controller to receive forwarding instructions. With total dependence on the SDN controller for determining forwarding decisions and path optimization within the SDN infrastructure for both proactive and reactive flow modes of operation, having a single point of failure is not acceptable. A controller failure with no failover backup leaves the network in an unmanaged state. Hence, it is imperative that the SDN controllers are deployed as clusters on separate physical hosts to guarantee network high availability.
Checks: C-55172r810061_chk

This check must be performed in vCenter. From the vSphere Client, go to Administration >> Hosts and Clusters >> Select the cluster where the NSX-T Managers are deployed >> Configure >> Configuration >> VM/Host Rules. If the NSX-T Manager cluster does not have rules applied to it that separate the nodes onto different physical hosts, this is a finding.

Fix: F-55126r810062_fix

This fix must be performed in vCenter. From the vSphere Client, go to Administration >> Hosts and Clusters >> Select the cluster where the NSX-T Managers are deployed >> Configure >> Configuration >> VM/Host Rules. Click "Add" to create a new rule. Provide a name and select "Separate Virtual Machines" under Type. Add the three NSX-T Manager virtual machines to the list and click "OK".
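
The checks for V-251734 and V-251735 above can be evaluated together against exported inventory data. The following is an added example, not part of the STIG or of any VMware tooling: the input dictionary, its field names, and all host names are hypothetical and constructed for illustration, and the certificate SAN test reflects the external load balancer requirement in the V-251734 fix text rather than the check text.

```python
# Constructed inventory for illustration. Field names are hypothetical,
# not an NSX-T or vCenter schema; populate them from your own exports.
SAMPLE = {
    "managers": {  # FQDN of each manager VM -> physical host it runs on
        "nsxmgr-a.example.test": "esx01",
        "nsxmgr-b.example.test": "esx02",
        "nsxmgr-c.example.test": "esx02",
    },
    "cluster_healthy": True,
    "vip": None,                             # NSX Manager cluster VIP, if set
    "external_lb_fqdn": "nsx.example.test",  # external load balancer VIP FQDN
    "cert_sans": ["nsx.example.test", "nsxmgr-a.example.test",
                  "nsxmgr-b.example.test"],
    # Members of each "Separate Virtual Machines" VM/Host rule
    "separation_rules": [["nsxmgr-a.example.test", "nsxmgr-b.example.test"]],
}


def evaluate(inv):
    """Return (rule_id, message) findings for V-251734 and V-251735."""
    out = []
    managers = inv["managers"]
    vip, lb = inv.get("vip"), inv.get("external_lb_fqdn")

    # V-251734: three managers, a VIP or external LB, healthy cluster.
    if len(managers) != 3:
        out.append(("V-251734", f"{len(managers)} managers deployed, expected 3"))
    if not vip and not lb:
        out.append(("V-251734", "no cluster VIP or external load balancer"))
    if vip and lb:  # the fix text says the two must not be combined
        out.append(("V-251734", "cluster VIP set alongside an external load balancer"))
    if not inv.get("cluster_healthy"):
        out.append(("V-251734", "cluster is not in a healthy state"))
    if lb:  # certificate SAN must list the VIP FQDN and every node
        sans = {s.lower() for s in inv.get("cert_sans", [])}
        missing = sorted(n for n in {lb, *managers} if n.lower() not in sans)
        if missing:
            out.append(("V-251734", "certificate SAN missing: " + ", ".join(missing)))

    # V-251735: one separation rule must cover every manager VM,
    # and no two managers may currently share a physical host.
    if not any(set(managers) <= set(r) for r in inv.get("separation_rules", [])):
        out.append(("V-251735", "no separation rule covers all manager VMs"))
    hosts = list(managers.values())
    shared = sorted({h for h in hosts if hosts.count(h) > 1})
    if shared:
        out.append(("V-251735", "managers share host(s): " + ", ".join(shared)))
    return out
```

An empty list from `evaluate` means neither rule produced a finding for the supplied inventory.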