VMware NSX-T Tier-0 Gateway RTR V1R2

b

The NSX-T Tier-0 Gateway must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).

AC-4 - Medium - CCI-001368 - V-251744 - SV-251744r810116_rule

RMF Control

AC-4

Severity

M

CCI

CCI-001368

Version

T0RT-3X-000003

Vuln IDs

V-251744

Rule IDs

SV-251744r810116_rule

Accepting route advertisements belonging to the local AS can result in traffic looping or being black holed, or at a minimum using a non-optimized path.

Checks: C-55181r810114_chk

If the Tier-0 Gateway is not using eBGP, this is Not Applicable. From the NSX-T Manager web interface, go to Networking >> Tier-0 Gateways. For every Tier-0 Gateway, expand Tier-0 Gateway >>BGP. Near to BGP Neighbors, click on the number present to open the dialog. For each neighbor examine any router filters to determine if any inbound route filters are applied. If the In Filter is not configured with a prefix list that rejects prefixes belonging to the local AS, this is a finding.

Fix: F-55135r810115_fix

To configure a route filter do the following: From the NSX-T Manager web interface, go to Networking >> Tier-0 Gateways >> edit the target Tier-0 gateway. Expand Routing and open the IP Prefix List dialog. Edit an existing, or add a new prefix list that contains the prefixes belonging to the local AS to deny them. Click "Save". To apply a route filter to a BGP neighbor do the following: From the NSX-T Manager web interface, go to Networking >> Tier-0 Gateways and edit the target Tier-0 gateway. Expand BGP, and next to BGP Neighbors, click on the number present to open the dialog. Select "Edit" on the target BGP Neighbor. Open the router filter dialog and add or edit an existing router filter. Configure the In Filter with the filter previously created and click "Save", "Add", "Apply", and "Save".

b

The NSX-T Tier-0 Gateway must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.

AC-4 - Medium - CCI-001414 - V-251745 - SV-251745r810119_rule

RMF Control

AC-4

Severity

M

CCI

CCI-001414

Version

T0RT-3X-000013

Vuln IDs

V-251745

Rule IDs

SV-251745r810119_rule

If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel. Limiting where, within the network, a given multicast group's data is permitted to flow is an important first step in improving multicast security. A scope zone is an instance of a connected region of a given scope. Zones of the same scope cannot overlap while zones of a smaller scope will fit completely within a zone of a larger scope. For example, Admin-local scope is smaller than Site-local scope, so the administratively configured boundary fits within the bounds of a site. According to RFC 4007 IPv6 Scoped Address Architecture (section 5), scope zones are also required to be "convex from a routing perspective"; that is, packets routed within a zone must not pass through any links that are outside of the zone. This requirement forces each zone to be one contiguous island rather than a series of separate islands. As stated in the DoD IPv6 IA Guidance for MO3, "One should be able to identify all interfaces of a zone by drawing a closed loop on their network diagram, engulfing some routers and passing through some routers to include only some of their interfaces." Therefore, it is imperative that the network engineers have documented their multicast topology and thereby know which interfaces are enabled for multicast. Once this is done, the zones can be scoped as required.

Checks: C-55182r810117_chk

From the NSX-T Manager web interface, go to Networking >> Tier-0 Gateways. For every Tier-0 Gateway, expand the Tier-0 Gateway >> Interfaces, and click on the number of interfaces present to open the interfaces dialog. Expand each interface that is not required to support multicast routing, then expand "Multicast" and verify PIM is disabled. If PIM is enabled on any interfaces that are not supporting multicast routing, this is a finding.

Fix: F-55136r810118_fix

Disable multicast PIM routing on interfaces that are not required to support multicast by doing the following: From the NSX-T Manager web interface, go to Networking >> Tier-0 Gateways and expand the target Tier-0 gateway. Expand "Interfaces", click on the number of interfaces present to open the interfaces dialog, and then select "Edit" on the target interface. Expand "Multicast", change PIM to "disabled", and then click "Save".

a

The NSX-T Tier-0 Gateway must be configured to have all inactive interfaces removed.

AC-4 - Low - CCI-001414 - V-251746 - SV-251746r810122_rule

RMF Control

AC-4

Severity

L

CCI

CCI-001414

Version

T0RT-3X-000016

Vuln IDs

V-251746

Rule IDs

SV-251746r810122_rule

An inactive interface is rarely monitored or controlled and may expose a network to an undetected attack on that interface. If an interface is no longer used, the configuration must be deleted.

Checks: C-55183r810120_chk

From the NSX-T Manager web interface, go to Networking >> Tier-0 Gateways. For every Tier-0 Gateway, expand the Tier-0 Gateway >> Interfaces, and click on the number of interfaces present to open the interfaces dialog. Review each interface present to determine if they are not in use or inactive. If there are any interfaces present on a Tier-0 Gateway that are not in use or inactive, this is a finding.

Fix: F-55137r810121_fix

Disable multicast PIM routing on interfaces that are not required to support multicast by doing the following: From the NSX-T Manager web interface, go to Networking >> Tier-0 Gateways and expand the target Tier-0 gateway. Expand "Interfaces", then click on the number of interfaces present to open the interfaces dialog. Select "Delete" on the unneeded interface, and then click "Delete" again to confirm.

a

The NSX-T Tier-0 Gateway must be configured to have the DHCP service disabled if not in use.

CM-7 - Low - CCI-000381 - V-251747 - SV-251747r810125_rule

RMF Control

CM-7

Severity

L

CCI

CCI-000381

Version

T0RT-3X-000027

Vuln IDs

V-251747

Rule IDs

SV-251747r810125_rule

A compromised router introduces risk to the entire network infrastructure, as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of attacks by malicious users within the network. Preventing network breaches from within is dependent on implementing a comprehensive defense-in-depth strategy, including securing each device connected to the network. This is accomplished by following and implementing all security guidance applicable for each node type. A fundamental step in securing each router is to enable only the capabilities required for operation.

Checks: C-55184r810123_chk

From the NSX-T Manager web interface, go to Networking >> Tier-0 Gateways. For every Tier-0 Gateway expand the Tier-0 Gateway to view the DHCP configuration. If a DHCP profile is configured and not in use, this is a finding.

Fix: F-55138r810124_fix

From the NSX-T Manager web interface, go to Networking >> Tier-0 Gateways and edit the target Tier-0 Gateway. Click "Set DHCP Configuration", select "No Dynamic IP Address Allocation", and then click "Save". Close "Editing".

b

The NSX-T Tier-0 Gateway must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.

SC-5 - Medium - CCI-001095 - V-251748 - SV-251748r810128_rule

RMF Control

SC-5

Severity

M

CCI

CCI-001095

Version

T0RT-3X-000034

Vuln IDs

V-251748

Rule IDs

SV-251748r810128_rule

DoS is a condition when a resource is not available for legitimate users. Packet flooding distributed denial-of-service (DDoS) attacks are referred to as volumetric attacks and have the objective of overloading a network or circuit to deny or seriously degrade performance, which denies access to the services that normally traverse the network or circuit. Volumetric attacks have become relatively easy to launch using readily available tools such as Low Orbit Ion Cannon or botnets. Measures to mitigate the effects of a successful volumetric attack must be taken to ensure that sufficient capacity is available for mission-critical traffic. Managing capacity may include, for example, establishing selected network usage priorities or quotas and enforcing them using rate limiting, QoS, or other resource reservation control methods. These measures may also mitigate the effects of sudden decreases in network capacity that are the result of accidental or intentional physical damage to telecommunications facilities (such as cable cuts or weather-related outages).

Checks: C-55185r810126_chk

From the NSX-T Manager web interface, go to Networking >> Segments. For every Segment connected to a Tier-0 Gateway, Expand Segment >> Expand Segment Profiles >> Record QOS Segment Profile. Go to Segment Profiles >> Expand QOS Segment Profile recorded in previous steps. If there are traffic priorities specified by the Combatant Commands/Services/Agencies needed to ensure sufficient capacity for mission-critical traffic and none are configured, this is a finding.

Fix: F-55139r810127_fix

To create a segment QoS profile do the following: From the NSX-T Manager web interface, go to Networking >> Segments >> Segment Profiles. Click "Add Segment Profile" and select "QoS". Configure a profile name and QoS settings as needed, and then click "Save". To apply a QoS profile to a segment do the following: From the NSX-T Manager web interface, go to Networking >> Segments >> Edit the target segment. Expand Segment Profiles and under QoS select the profile previously created and click "Save".

c

The NSX-T Tier-0 Gateway must be configured to restrict traffic destined to itself.

SC-7 - High - CCI-001097 - V-251749 - SV-251749r810131_rule

RMF Control

SC-7

Severity

H

CCI

CCI-001097

Version

T0RT-3X-000038

Vuln IDs

V-251749

Rule IDs

SV-251749r810131_rule

The route processor handles traffic destined to the router, the key component used to build forwarding paths, and is also instrumental with all network management functions. Hence, any disruption or DoS attack to the route processor can result in mission critical network outages.

Checks: C-55186r810129_chk

If the Tier-0 Gateway is deployed in an Active/Active HA mode, this is Not Applicable. From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules and choose each Tier-0 Gateway in the drop-down. Review each Tier-0 Gateway Firewalls rules to verify rules exist to restrict traffic to itself. If a rule or rules do not exist to restrict traffic to external interface IPs, this is a finding.

Fix: F-55140r810130_fix

To configure firewall rule(s) to restrict traffic destined to interfaces on a Tier-0 Gateway do the following: From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules and select the target Tier-0 Gateway from the drop-down. Click "Add Rule" (Add a policy first if needed) and configure the destinations to include all IPs for external interfaces. Update the action to "Drop" or "Reject". Enable logging, then under the "Applied To" field, select the target Tier-0 Gateways and click "Publish" to enforce the new rule. Other rules may be constructed to allow traffic to external interface IPs if required above this default deny rule.

c

Unicast Reverse Path Forwarding (uRPF) must be enabled on the NSX-T Tier-0 Gateway.

SC-5 - High - CCI-001094 - V-251750 - SV-251750r810134_rule

RMF Control

SC-5

Severity

H

CCI

CCI-001094

Version

T0RT-3X-000051

Vuln IDs

V-251750

Rule IDs

SV-251750r810134_rule

A compromised host in an enclave can be used by a malicious platform to launch cyber attacks on third parties. This is a common practice in "botnets", which are a collection of compromised computers using malware to attack other computers or networks. Distributed denial-of-service (DDoS) attacks frequently leverage IP source address spoofing to send packets to multiple hosts that in turn will then send return traffic to the hosts with the IP addresses that were forged. This can generate significant amounts of traffic. Therefore, protection measures to counteract IP source address spoofing must be taken. When uRPF is enabled in strict mode, the packet must be received on the interface that the device would use to forward the return packet; thereby mitigating IP source address spoofing.

Checks: C-55187r810132_chk

From the NSX-T Manager web interface, go to Networking >> Tier-0 Gateways. For every Tier-0 Gateway, expand Tier-0 Gateway >> Interfaces, and then click on the number of interfaces present to open the interfaces dialog. Expand each interface to view the URPF Mode configuration. If URPF Mode is not set to "Strict" on any interface, this is a finding.

Fix: F-55141r810133_fix

Enable strict URPF mode on interfaces by doing the following: From the NSX-T Manager web interface, go to Networking >> Tier-0 Gateways and expand the target Tier-0 gateway. Expand Interfaces, then click on the number of interfaces present to open the interfaces dialog. Select "Edit" on the target interface. From the drop-down, set the URPF mode to "Strict" and then click "Save".

b

The NSX-T Tier-0 Gateway must be configured to implement message authentication for all control plane protocols.

CM-6 - Medium - CCI-000366 - V-251751 - SV-251751r856692_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

T0RT-3X-000054

Vuln IDs

V-251751

Rule IDs

SV-251751r856692_rule

A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to learn confidential information about the site's network or used to disrupt the network's ability to communicate with other networks. This is known as a "traffic attraction attack" and is prevented by configuring neighbor router authentication for routing updates.

Checks: C-55188r810135_chk

If the Tier-0 Gateway is not using BGP or OSPF, this is Not Applicable. Since the NSX-T Tier-0 Gateway does not reveal if a BGP password is configured, interview the router administrator to determine if a password is configured on BGP neighbors. If BGP neighbors do not have a password configured, this is a finding. To verify OSPF areas are using authentication do the following: From the NSX-T Manager web interface, go to Networking >> Tier-0 Gateways. For every Tier-0 Gateway expand the "Tier-0 Gateway". Expand "OSPF", click the number next to Area Definition, and view the Authentication field for each area. If OSPF area definitions do not have Password or MD5 set for authentication, this is a finding. Note: OSPF support was introduced in version 3.1.1.

Fix: F-55142r810136_fix

To set authentication for BGP neighbors do the following: From the NSX-T Manager web interface, go to Networking >> Tier-0 Gateways, and expand the target Tier-0 gateway. Expand BGP. Next to BGP Neighbors, click on the number present to open the dialog, then select "Edit" on the target BGP Neighbor. Under Timers & Password, enter a password up to 20 characters, and then click "Save". To set authentication for OSPF Area definitions do the following: From the NSX-T Manager web interface, go to Networking >> Tier-0 Gateways, and expand the target Tier-0 gateway. Expand OSPF. Next to Area Definition, click on the number present to open the dialog, and then select "Edit" on the target OSPF Area. Change the Authentication drop-down to Password or MD5, enter a Key ID and/or Password, and then click "Save".

b

The NSX-T Tier-0 Gateway must be configured to use a unique key for each autonomous system (AS) with which it peers.

CM-6 - Medium - CCI-000366 - V-251752 - SV-251752r856693_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

T0RT-3X-000055

Vuln IDs

V-251752

Rule IDs

SV-251752r856693_rule

If the same keys are used between eBGP neighbors, the chance of a hacker compromising any of the BGP sessions increases. It is possible that a malicious user exists in one autonomous system who would know the key used for the eBGP session. This user would then be able to hijack BGP sessions with other trusted neighbors.

Checks: C-55189r810138_chk

If the Tier-0 Gateway is not using BGP, this is Not Applicable. Since the NSX-T Tier-0 Gateway does not reveal the current password, interview the router administrator to determine if unique keys are being used. If unique keys are not being used for each AS, this is a finding.

Fix: F-55143r810139_fix

To set authentication for BGP neighbors do the following: From the NSX-T Manager web interface, go to Networking >> Tier-0 Gateways, and expand the target Tier-0 gateway. Expand BGP. Next to BGP Neighbors, click on the number present to open the dialog, and then select "Edit" on the target BGP Neighbor. Under Timers & Password, enter a password up to 20 characters that is different from other autonomous systems, and then click "Save".

b

The NSX-T Tier-0 Gateway must be configured to have Internet Control Message Protocol (ICMP) unreachable notifications disabled on all external interfaces.

SC-5 - Medium - CCI-002385 - V-251753 - SV-251753r856694_rule

RMF Control

SC-5

Severity

M

CCI

CCI-002385

Version

T0RT-3X-000064

Vuln IDs

V-251753

Rule IDs

SV-251753r856694_rule

The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Host unreachable ICMP messages are commonly used by attackers for network mapping and diagnosis.

Checks: C-55190r810141_chk

If the Tier-0 Gateway is deployed in an Active/Active HA mode, this is Not Applicable. From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules, and choose each Tier-0 Gateway in the drop-down. Review each Tier-0 Gateway Firewall rule to verify one exists to drop ICMP unreachable messages. If a rule does not exist to drop ICMP unreachable messages, this is a finding.

Fix: F-55144r810142_fix

To configure a shared rule to drop ICMP unreachable messages do the following: From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> All Shared Rules. Click "Add Rule" (Add a policy first if needed), under services select "ICMP Destination Unreachable", and then click "Apply". Enable logging, and under the Applied To field select the target Tier-0 Gateways. Click "Publish" to enforce the new rule. Note: A rule can also be created under Gateway Specific Rules to meet this requirement.

b

The NSX-T Tier-0 Gateway must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces.

SC-5 - Medium - CCI-002385 - V-251754 - SV-251754r856695_rule

RMF Control

SC-5

Severity

M

CCI

CCI-002385

Version

T0RT-3X-000065

Vuln IDs

V-251754

Rule IDs

SV-251754r856695_rule

The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Mask Reply ICMP messages are commonly used by attackers for network mapping and diagnosis.

Checks: C-55191r810144_chk

If the Tier-0 Gateway is deployed in an Active/Active HA mode, this is Not Applicable. From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules, and choose each Tier-0 Gateway in the drop-down. Review each Tier-0 Gateway Firewall rule to verify one exists to drop ICMP mask replies. If a rule does not exist to drop ICMP mask replies, this is a finding.

Fix: F-55145r810145_fix

To configure a shared rule to drop ICMP unreachable messages do the following: From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> All Shared Rules. Click "Add Rule" (Add a policy first if needed), under "Services" select the custom service that identifies ICMP mask replies, and then click "Apply". Enable logging, under the "Applied To" field select the target Tier-0 Gateways, and then click "Publish" to enforce the new rule. Note: A rule can also be created under Gateway Specific Rules to meet this requirement. Note: A pre-created service for ICMP mask replies does not exist by default and may need to be created.

b

The NSX-T Tier-0 Gateway must be configured to have Internet Control Message Protocol (ICMP) redirects disabled on all external interfaces.

SC-5 - Medium - CCI-002385 - V-251755 - SV-251755r856696_rule

RMF Control

SC-5

Severity

M

CCI

CCI-002385

Version

T0RT-3X-000066

Vuln IDs

V-251755

Rule IDs

SV-251755r856696_rule

The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Redirect ICMP messages are commonly used by attackers for network mapping and diagnosis.

Checks: C-55192r810147_chk

If the Tier-0 Gateway is deployed in an Active/Active HA mode, this is Not Applicable. From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules, and choose each Tier-0 Gateway in the drop-down. Review each Tier-0 Gateway Firewalls rules to verify one exists to drop ICMP redirects. If a rule does not exist to drop ICMP redirects, this is a finding.

Fix: F-55146r810148_fix

To configure a shared rule to drop ICMP unreachable messages do the following: From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> All Shared Rules. Click "Add Rule" (Add a policy first if needed), under services select "ICMP Redirect", and then click "Apply". Enable logging, under the "Applied To" field select the target Tier-0 Gateways, and then click "Publish" to enforce the new rule. Note: A rule can also be created under Gateway Specific Rules to meet this requirement.

b

The NSX-T Tier-0 Gateway must be configured to use the BGP maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.

SC-5 - Medium - CCI-002385 - V-251756 - SV-251756r856697_rule

RMF Control

SC-5

Severity

M

CCI

CCI-002385

Version

T0RT-3X-000067

Vuln IDs

V-251756

Rule IDs

SV-251756r856697_rule

The effects of prefix de-aggregation can degrade router performance due to the size of routing tables and also result in black-holing legitimate traffic. Initiated by an attacker or a misconfigured router, prefix de-aggregation occurs when the announcement of a large prefix is fragmented into a collection of smaller prefix announcements. In 1997, misconfigured routers in the Florida Internet Exchange network (AS7007) de-aggregated every prefix in their routing table and started advertising the first /24 block of each of these prefixes as their own. Faced with this additional burden, the internal routers became overloaded and crashed repeatedly. This caused prefixes advertised by these routers to disappear from routing tables and reappear when the routers came back online. As the routers came back after crashing, they were flooded with the routing table information by their neighbors. The flood of information would again overwhelm the routers and cause them to crash. This process of route flapping served to destabilize not only the surrounding network but also the entire internet. Routers trying to reach those addresses would choose the smaller, more specific /24 blocks first. This caused backbone networks throughout North America and Europe to crash. Maximum prefix limits on peer connections combined with aggressive prefix-size filtering of customers' reachability advertisements will effectively mitigate the de-aggregation risk. BGP maximum prefix must be used on all eBGP routers to limit the number of prefixes that it should receive from a particular neighbor, whether customer or peering AS. Consider each neighbor and how many routes they should be advertising and set a threshold slightly higher than the number expected.

Checks: C-55193r810150_chk

If the Tier-0 Gateway is not using BGP, this is Not Applicable. From the NSX-T Manager web interface, go to Networking >> Tier-0 Gateways. For every Tier-0 Gateway with BGP enabled, expand the Tier-0 Gateway. Expand BGP, click on the number next to BGP Neighbors, and then view the Router Filters for each neighbor. If Maximum Routes is not configured or a route filter does not exist for each BGP neighbor, this is a finding.

Fix: F-55147r810151_fix

To set maximum prefixes for BGP neighbors do the following: From the NSX-T Manager web interface, go to Networking >> Tier-0 Gateways and expand the target Tier-0 gateway. Expand BGP. Next to BGP Neighbors, click on the number present to open the dialog, and then select "Edit" on the target BGP Neighbor. Click "Router Filter", add or edit an existing router filter, enter a number for Maximum Routes, and then click "Add". Click "Apply", then click "Save" to finish the configuration.

a

The NSX-T Tier-0 Gateway must be configured to use its loopback address as the source address for iBGP peering sessions.

CM-6 - Low - CCI-000366 - V-251757 - SV-251757r810155_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

T0RT-3X-000084

Vuln IDs

V-251757

Rule IDs

SV-251757r810155_rule

Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of the BGP routers. It is easier to construct appropriate ingress filters for router management plane traffic destined to the network management subnet since the source addresses will be from the range used for loopback interfaces instead of a larger range of addresses used for physical interfaces. Log information recorded by authentication and syslog servers will record the router’s loopback address instead of the numerous physical interface addresses. When the loopback address is used as the source for eBGP peering, the BGP session will be harder to hijack since the source address to be used is not known globally—making it more difficult for a hacker to spoof an eBGP neighbor. By using traceroute, a hacker can easily determine the addresses for an eBGP speaker when the IP address of an external interface is used as the source address. The routers within the iBGP domain should also use loopback addresses as the source address when establishing BGP sessions.

Checks: C-55194r810153_chk

If the Tier-0 Gateway is not using iBGP, this is Not Applicable. From the NSX-T Manager web interface, go to Networking >> Tier-0 Gateways. For every Tier-0 Gateway with BGP enabled, expand the Tier-0 Gateway. Expand BGP, click on the number next to BGP Neighbors, then view the source address for each neighbor. If the Source Address is not configured as the NSX-T Tier-0 Gateway loopback address for the iBGP session, this is a finding.

Fix: F-55148r810154_fix

To configure a loopback interface do the following: From the NSX-T Manager web interface, go to Networking >> Tier-0 Gateways and expand the target Tier-0 gateway. Expand interfaces and click "Add Interface". Enter a name, select "Loopback" as the Type, enter an IP address, select an Edge Node for the interface, and then click "Save". Note: More than one loopback may need to be configured depending on the routing architecture. To set the source address for BGP neighbors do the following: From the NSX-T Manager web interface, go to Networking >> Tier-0 Gateways >> expand the target Tier-0 gateway. Expand BGP >> next to BGP Neighbors click on the number present to open the dialog >> select Edit on the target BGP Neighbor. Under Source Addresses configure the source address with the loopback address and click Save.

a

The NSX-T Tier-0 Gateway must be configured to have routing protocols disabled if not in use.

CM-7 - Low - CCI-000381 - V-251758 - SV-251758r810158_rule

RMF Control

CM-7

Severity

L

CCI

CCI-000381

Version

T0RT-3X-000095

Vuln IDs

V-251758

Rule IDs

SV-251758r810158_rule

A compromised router introduces risk to the entire network infrastructure, as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of attacks by malicious users within the network. Preventing network breaches from within is dependent on implementing a comprehensive defense-in-depth strategy, including securing each device connected to the network. This is accomplished by following and implementing all security guidance applicable for each node type. A fundamental step in securing each router is to enable only the capabilities required for operation.

Checks: C-55195r810156_chk

From the NSX-T Manager web interface, go to Networking >> Tier-0 Gateways. For every Tier-0 Gateway, expand the Tier-0 Gateway to view if BGP or OSPF is enabled. If BGP and/or OSPF is enabled and not in use, this is a finding.

Fix: F-55149r810157_fix

To disable BGP do the following: From the NSX-T Manager web interface, go to Networking >> Tier-0 Gateways and edit the target Tier-0 Gateway. Expand BGP, change from "On" to "Off", and then click "Save". To disable OSPF do the following: From the NSX-T Manager web interface, go to Networking >> Tier-0 Gateways and edit the target Tier-0 Gateway. Expand OSPF, change from "Enabled" to "Disabled", and then click "Save".

a

The NSX-T Tier-0 Gateway must be configured to have multicast disabled if not in use.

CM-7 - Low - CCI-000381 - V-251759 - SV-251759r810161_rule

RMF Control

CM-7

Severity

L

CCI

CCI-000381

Version

T0RT-3X-000096

Vuln IDs

V-251759

Rule IDs

SV-251759r810161_rule

A compromised router introduces risk to the entire network infrastructure, as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of attacks by malicious users within the network. Preventing network breaches from within is dependent on implementing a comprehensive defense-in-depth strategy, including securing each device connected to the network. This is accomplished by following and implementing all security guidance applicable for each node type. A fundamental step in securing each router is to enable only the capabilities required for operation.

Checks: C-55196r810159_chk

From the NSX-T Manager web interface, go to Networking >> Tier-0 Gateways. For every Tier-0 Gateway, expand the Tier-0 Gateway, then expand Multicast to view the Multicast configuration. If Multicast is enabled and not in use, this is a finding.

Fix: F-55150r810160_fix

To disable Multicast do the following: From the NSX-T Manager web interface, go to Networking >> Tier-0 Gateways and edit the target Tier-0 Gateway. Expand Multicast, change from "Enabled" to "Disabled", and then click "Save".

Checks: C-55181r810114_chk

Fix: F-55135r810115_fix

Generate Mitigation Statement:

Checks: C-55182r810117_chk

Fix: F-55136r810118_fix

Generate Mitigation Statement:

Checks: C-55183r810120_chk

Fix: F-55137r810121_fix

Generate Mitigation Statement:

Checks: C-55184r810123_chk

Fix: F-55138r810124_fix

Generate Mitigation Statement:

Checks: C-55185r810126_chk

Fix: F-55139r810127_fix

Generate Mitigation Statement:

Checks: C-55186r810129_chk

Fix: F-55140r810130_fix

Generate Mitigation Statement:

Checks: C-55187r810132_chk

Fix: F-55141r810133_fix

Generate Mitigation Statement:

Checks: C-55188r810135_chk

Fix: F-55142r810136_fix

Generate Mitigation Statement:

Checks: C-55189r810138_chk

Fix: F-55143r810139_fix

Generate Mitigation Statement:

Checks: C-55190r810141_chk

Fix: F-55144r810142_fix

Generate Mitigation Statement:

Checks: C-55191r810144_chk

Fix: F-55145r810145_fix

Generate Mitigation Statement:

Checks: C-55192r810147_chk

Fix: F-55146r810148_fix

Generate Mitigation Statement:

Checks: C-55193r810150_chk

Fix: F-55147r810151_fix

Generate Mitigation Statement:

Checks: C-55194r810153_chk

Fix: F-55148r810154_fix

Generate Mitigation Statement:

Checks: C-55195r810156_chk

Fix: F-55149r810157_fix

Generate Mitigation Statement:

Checks: C-55196r810159_chk

Fix: F-55150r810160_fix

Generate Mitigation Statement: