Cyber · Trackr The Free Compliance Library
⌘K
DoD Compliance · STIG

VMware NSX-T Tier 1 Gateway Firewall Security Technical Implementation Guide

V1R3 · · · Released 26 Jul 2023 · 9 rules
Compare

Pick two releases to diff their requirements.

View

Open a previous version of this STIG.

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Supporting documents DISA companion ZIP · 4.2 MB 5 PDFs

Bundled by DISA alongside this STIG release: overview, revision history, and readme files. Download the full archive or open an individual PDF.

Download full ZIP U_VMW_NSX-T_Y23M07_STIG.zip
Digest of Updates vs. V1R2 · 02 Sep 2022 −1 ✎ 3

Comparison against the immediately-prior release (V1R2). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.

Removed rules 1

  • V-251760 High The NSX-T Tier-1 Gateway Firewall must not have any unpublished firewall policies or rules.

Content changes 3

  • V-251762 Low descriptioncheckfix The NSX-T Tier-1 Gateway Firewall must generate traffic log entries containing information to establish the details of the event.
  • V-251763 Medium descriptioncheck Each NSX-T Edge Node configured to host a Tier-1 Gateway Firewall must be configured to use the TLS or LI-TLS protocols to configure and secure traffic log records.
  • V-251764 Medium checkfix The NSX-T Tier-1 Gateway Firewall must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.
Sort by
b
The NSX-T Tier-1 Gateway Firewall must generate traffic log entries containing information to establish what type of events occurred.
AU-3 - Medium - CCI-000130 - V-251761 - SV-251761r810178_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
T1FW-3X-000005
Vuln IDs
  • V-251761
Rule IDs
  • SV-251761r810178_rule
Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit event content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the network element logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured network element.
Checks: C-55198r810176_chk

From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules. For each Tier-1 Gateway and for each rule, click the gear icon and verify the Logging setting. If Logging is not "Enabled", this is a finding.

Fix: F-55152r810177_fix

From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules. For each Tier-1 Gateway and for each rule with logging disabled, click the gear icon and enable Logging, then click "Apply". After all changes are made, click "Publish".

a
The NSX-T Tier-1 Gateway Firewall must generate traffic log entries containing information to establish the details of the event.
AU-3 - Low - CCI-000131 - V-251762 - SV-251762r919235_rule
RMF Control
AU-3
Severity
L
CCI
CCI-000131
Version
T1FW-3X-000006
Vuln IDs
  • V-251762
Rule IDs
  • SV-251762r919235_rule
Without sufficient information to analyze the event, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit event content that must be included to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. The firewall must also generate traffic log records when traffic is denied, restricted, or discarded as well as when attempts are made to send packets between security zones that are not authorized to communicate. Satisfies: SRG-NET-000075-FW-000010, SRG-NET-000076-FW-000011, SRG-NET-000077-FW-000012, SRG-NET-000078-FW-000013, SRG-NET-000399-FW-000008, SRG-NET-000492-FW-000006, SRG-NET-000493-FW-000007
Checks: C-55199r919233_chk

From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules. For each Tier-1 Gateway and for each rule, click the gear icon and verify the Logging setting. If Logging is not "Enabled", this is a finding.

Fix: F-55153r919234_fix

From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules. For each Tier-1 Gateway and for each rule with logging disabled, click the gear icon and enable Logging and then click "Apply". After all changes are made, click "Publish".

b
Each NSX-T Edge Node configured to host a Tier-1 Gateway Firewall must be configured to use the TLS or LI-TLS protocols to configure and secure traffic log records.
AU-5 - Medium - CCI-000140 - V-251763 - SV-251763r919237_rule
RMF Control
AU-5
Severity
M
CCI
CCI-000140
Version
T1FW-3X-000011
Vuln IDs
  • V-251763
Rule IDs
  • SV-251763r919237_rule
It is critical that when the network element is at risk of failing to process traffic logs as required, it takes action to mitigate the failure, secure collected log data, and restrict access to authorized personnel. Methods of protection may include encryption or logical separation. In accordance with DOD policy, the traffic log must be sent to a central audit server. This does not apply to traffic logs generated on behalf of the device itself (management). Some devices store traffic logs separately from the system logs. Satisfies: SRG-NET-000089-FW-000019, SRG-NET-000098-FW-000021
Checks: C-55200r919236_chk

From an NSX-T Edge Node shell hosting the Tier-1 Gateway, run the following command(s): > get logging-servers If any configured logging-servers are not configured with protocol of "li-tls" or "tls" and level of "info", this is a finding. If no logging-servers are configured, this is a finding. Note: This check must be run from each NSX-T Edge Node hosting the Tier-1 Gateway, as they are configured individually.

Fix: F-55154r810183_fix

(Optional) From an NSX-T Edge Gateway shell, run the following command(s) to clear any existing incorrect logging-servers: > clear logging-servers From an NSX-T Edge Node shell, run the following command(s) to configure a tls syslog server: > set logging-server <server-ip or server-name> proto tls level info serverca ca.pem clientca ca.pem certificate cert.pem key key.pem From an NSX-T Edge Node shell, run the following command(s) to configure a li-tls syslog server: > set logging-server <server-ip or server-name> proto li-tls level info serverca root-ca.crt Note: If using the protocols TLS or LI-TLS to configure a secure connection to a log server, the server and client certificates must be stored in /var/vmware/nsx/file-store/ on each NSX-T Edge Gateway appliance.

b
The NSX-T Tier-1 Gateway Firewall must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.
SC-5 - Medium - CCI-001094 - V-251764 - SV-251764r919240_rule
RMF Control
SC-5
Severity
M
CCI
CCI-001094
Version
T1FW-3X-000019
Vuln IDs
  • V-251764
Rule IDs
  • SV-251764r919240_rule
DoS attacks can take multiple forms but have the common objective of overloading or blocking a network or host to deny or seriously degrade performance. If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Installation of a firewall at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume/type. The firewall must include protection against DoS attacks that originate from inside the enclave that can affect either internal or external systems. These attacks may use legitimate or rogue endpoints from inside the enclave. These attacks can be simple "floods" of traffic to saturate circuits or devices, malware that consumes CPU and memory on a device or causes it to crash, or a configuration issue that disables or impairs the proper function of a device. For example, an accidental or deliberate misconfiguration of a routing table can misdirect traffic for multiple networks. Satisfies: SRG-NET-000192-FW-000029, SRG-NET-000193-FW-000030
Checks: C-55201r919238_chk

From the NSX-T Manager web interface, go to Security &gt;&gt; General Settings &gt;&gt; Firewall &gt;&gt; Flood Protection to view Flood Protection profiles. If there are no Flood Protection profiles of type "Gateway", this is a finding. For each gateway flood protection profile, verify the TCP Half Open Connection limit, UDP Active Flow Limit, ICMP Active Flow Limit, and Other Active Connection Limit are set to "None". If they are not, this is a finding. For each gateway flood protection profile, examine the "Applied To" field to view the Tier-1 Gateways to which it is applied. If a gateway flood protection profile is not applied to all Tier-1 Gateways through one or more policies, this is a finding.

Fix: F-55155r919239_fix

To create a new Flood Protection profile, do the following: From the NSX-T Manager web interface, go to Security >> General Settings >> Firewall >> Flood Protection >> Add Profile >> Add Firewall Profile. Enter a name and specify appropriate values for the following: TCP Half Open Connection limit, UDP Active Flow Limit, ICMP Active Flow Limit, and Other Active Connection Limit. Configure the "Applied To" field to contain Tier-1 Gateways and then click "Save".

b
The NSX-T Tier-1 Gateway Firewall must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
SC-7 - Medium - CCI-001109 - V-251765 - SV-251765r810190_rule
RMF Control
SC-7
Severity
M
CCI
CCI-001109
Version
T1FW-3X-000021
Vuln IDs
  • V-251765
Rule IDs
  • SV-251765r810190_rule
To prevent malicious or accidental leakage of traffic, organizations must implement a deny-by-default security posture at the network perimeter. Such rulesets prevent many malicious exploits or accidental leakage by restricting the traffic to only known sources and only those ports, protocols, or services that are permitted and operationally necessary. This configuration which is in the Manager function of the NSX-T implementation also helps prevent the firewall instance from failing to a state that may cause unauthorized access to make changes to the firewall filtering functions. As a managed boundary interface, the firewall must block all inbound and outbound network traffic unless a filter is installed to explicitly allow it. The allow filters must comply with the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and Vulnerability Assessment (VA). Satisfies: SRG-NET-000235-FW-000133, SRG-NET-000236-FW-000027
Checks: C-55202r810188_chk

From the NSX-T Manager web interface, go to Security &gt;&gt; Gateway Firewall &gt;&gt; Gateway Specific Rules &gt;&gt; Choose each Tier-1 Gateway in drop-down &gt;&gt; Policy_Default_Infra Section &gt;&gt; Action. If the default_rule is set to Allow, this is a finding.

Fix: F-55156r810189_fix

From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules >> Choose each Tier-1 Gateway in drop-down >> Policy_Default_Infra Section >> Action >> change the Action to Drop or Reject and click Publish.

b
The NSX-T Tier-1 Gateway Firewall must be configured to send traffic log entries to a central audit server for management and configuration of the traffic log entries.
AU-3 - Medium - CCI-001844 - V-251766 - SV-251766r863248_rule
RMF Control
AU-3
Severity
M
CCI
CCI-001844
Version
T1FW-3X-000026
Vuln IDs
  • V-251766
Rule IDs
  • SV-251766r863248_rule
Without the ability to centrally manage the content captured in the traffic log entries, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an ongoing attack. The DoD requires centralized management of all network component audit record content. Network components requiring centralized traffic log management must have the ability to support centralized management. The content captured in traffic log entries must be managed from a central location (necessitating automation). Centralized management of traffic log records and logs provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. Ensure at least one syslog server is configured on the firewall. If the product inherently has the ability to store log records locally, the local log must also be secured. However, this requirement is not met since it calls for a use of a central audit server.
Checks: C-55203r810191_chk

Note: This check must be run from each NSX-T Edge Node hosting the Tier-1 Gateway, as they are configured individually. From an NSX-T Edge Node shell hosting the Tier-1 Gateway, run the following command(s): &gt; get logging-servers If any configured logging-servers are not configured with protocol of "li-tls" or "tls" and level of "info", this is a finding. If no logging-servers are configured, this is a finding.

Fix: F-55157r810192_fix

(Optional) From an NSX-T Edge Gateway shell, run the following command(s) to clear any existing incorrect logging-servers: > clear logging-servers From an NSX-T Edge Node shell, run the following command(s) to configure a tls syslog server: > set logging-server <server-ip or server-name> proto tls level info serverca ca.pem clientca ca.pem certificate cert.pem key key.pem From an NSX-T Edge Node shell, run the following command(s) to configure a li-tls syslog server: > set logging-server <server-ip or server-name> proto li-tls level info serverca root-ca.crt Note: Configure the syslog or SNMP server to send an alert if the events server is unable to receive events from the NSX-T and also if DoS incidents are detected. This is true if the events server is STIG compliant. Note: If using the protocols TLS or LI-TLS to configure a secure connection to a log server, the server and client certificates must be stored in /var/vmware/nsx/file-store/ on each NSX-T Edge Gateway appliance.

b
The NSX-T Tier-1 Gateway Firewall must employ filters that prevent or limit the effects of all types of commonly known denial-of-service (DoS) attacks, including flooding, packet sweeps, and unauthorized port scanning.
SC-5 - Medium - CCI-002385 - V-251767 - SV-251767r856686_rule
RMF Control
SC-5
Severity
M
CCI
CCI-002385
Version
T1FW-3X-000028
Vuln IDs
  • V-251767
Rule IDs
  • SV-251767r856686_rule
Not configuring a key boundary security protection device such as the firewall, against commonly known attacks is an immediate threat to the protected enclave because they are easily implemented by those with little skill. Directions for the attack are obtainable on the internet and in hacker groups. Without filtering enabled for these attacks, the firewall will allow these attacks beyond the protected boundary. Configure the perimeter and internal boundary firewall to guard against the three general methods of well-known DoS attacks: flooding attacks, protocol sweeping attacks, and unauthorized port scanning. Flood attacks occur when the host receives too much traffic to buffer and slows down or crashes. Popular flood attacks include ICMP flood and SYN flood. A TCP flood attack of SYN packets initiating connection requests can overwhelm the device until it can no longer process legitimate connection requests, resulting in denial of service. An ICMP flood can overload the device with so many echo requests (ping requests) that it expends all its resources responding and can no longer process valid network traffic, also resulting in denial of service. An attacker might use session table floods and SYN-ACK-ACK proxy floods to fill up the session table of a host. In an IP address sweep attack, an attacker sends ICMP echo requests (pings) to multiple destination addresses. If a target host replies, the reply reveals the target’s IP address to the attacker. In a TCP sweep attack, an attacker sends TCP SYN packets to the target device as part of the TCP handshake. If the device responds to those packets, the attacker gets an indication that a port in the target device is open, which makes the port vulnerable to attack. In a UDP sweep attack, an attacker sends UDP packets to the target device. If the device responds to those packets, the attacker gets an indication that a port in the target device is open, which makes the port vulnerable to attack. In a port scanning attack, an unauthorized application is used to scan the host devices for available services and open ports for subsequent use in an attack. This type of scanning can be used as a DoS attack when the probing packets are sent excessively.
Checks: C-55204r810194_chk

From the NSX-T Manager web interface, go to Security &gt;&gt; Security Profiles &gt;&gt; Flood Protection to view Flood Protection profiles. If there are no Flood Protection profiles of type "Gateway", this is a finding. For each gateway flood protection profile, verify the TCP Half Open Connection limit, UDP Active Flow Limit, ICMP Active Flow Limit, and Other Active Connection Limit are set to "not set" or SYN Cache and RST Spoofing is not Enabled on a profile, this is a finding. For each gateway flood protection profile, examine the Applied To field to view the Tier-1 Gateways to which it is applied. If a gateway flood protection profile is not applied to all Tier-1 Gateways through one or more policies, this is a finding.

Fix: F-55158r810195_fix

To create a new Flood Protection profile do the following: From the NSX-T Manager web interface, go to Security >> Security Profiles >> Flood Protection >> Add Profile >> Add Firewall Profile. Enter a name and specify appropriate values for the following: TCP Half Open Connection limit, UDP Active Flow Limit, ICMP Active Flow Limit, and Other Active Connection Limit. Enable SYN Cache and RST Spoofing, configure the Applied To field that contains Tier-1 Gateways, and then click "Save".

b
The NSX-T Tier-1 Gateway Firewall must apply ingress filters to traffic that is inbound to the network through any active external interface.
SC-7 - Medium - CCI-002403 - V-251768 - SV-251768r856687_rule
RMF Control
SC-7
Severity
M
CCI
CCI-002403
Version
T1FW-3X-000030
Vuln IDs
  • V-251768
Rule IDs
  • SV-251768r856687_rule
Unrestricted traffic to the trusted networks may contain malicious traffic that poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources. Firewall filters control the flow of network traffic and ensure the flow of traffic is only allowed from authorized sources to authorized destinations. Networks with different levels of trust (e.g., the internet) must be kept separated.
Checks: C-55205r810197_chk

From the NSX-T Manager web interface, go to Security &gt;&gt; Gateway Firewall &gt;&gt; Gateway Specific Rules. Choose each Tier-1 Gateway in the drop-down and review the firewall rules "Applied To" field to verify no rules are selectively applied to interfaces instead of the Gateway Firewall entity. If any Gateway Firewall rules are applied to individual interfaces, this is a finding.

Fix: F-55159r810198_fix

From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules and choose the target Tier-1 Gateway from the drop-down. For any rules that have individual interfaces specified in the "Applied To" field, click "Edit" on the "Applied To" column and remove the interfaces selected, leaving only the Tier-1 Gateway object type checked. Click "Publish" to save any rule changes.

b
The NSX-T Tier-1 Gateway Firewall must configure SpoofGuard to block outbound IP packets that contain illegitimate packet attributes.
SI-4 - Medium - CCI-002664 - V-251769 - SV-251769r856688_rule
RMF Control
SI-4
Severity
M
CCI
CCI-002664
Version
T1FW-3X-000036
Vuln IDs
  • V-251769
Rule IDs
  • SV-251769r856688_rule
If outbound communications traffic is not filtered, hostile activity intended to harm other networks may not be detected and prevented.
Checks: C-55206r810200_chk

From the NSX-T Manager web interface, go to Networking &gt;&gt; Segments, and for each Segment, view Segment Profiles &gt;&gt; SpoofGuard. If a Segment is not configured with a SpoofGuard profile that has Port Binding enabled, this is a finding.

Fix: F-55160r810201_fix

To create a segment profile with SpoofGuard enabled do the following: From the NSX-T Manager web interface, go to Networking >> Segments >> Segment Profiles >> Add Segment Profile >> SpoofGuard. Enter a profile name and enable port bindings, then click "Save". To update a Segment's SpoofGuard profile, do the following: From the NSX-T Manager web interface, go to the Networking >> Segments, then click "Edit" from the drop-down menu next to the target Segment. Expand Segment Profiles, choose the new SpoofGuard profile from the drop-down list, and then click "Save".