VMware NSX-T Tier 1 Gateway RTR Security Technical Implementation Guide

  • Version/Release: V1R1
  • Published: 2022-03-09
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected].
c
The NSX-T Tier-1 Gateway must be configured to have all inactive interfaces removed.
AC-4 - High - CCI-001414 - V-251770 - SV-251770r810210_rule
RMF Control
AC-4
Severity
High
CCI
CCI-001414
Version
T1RT-3X-000016
Vuln IDs
  • V-251770
Rule IDs
  • SV-251770r810210_rule
An inactive interface is rarely monitored or controlled and may expose a network to an undetected attack on that interface. If an interface is no longer used, the configuration must be deleted.
Checks: C-55207r810208_chk

From the NSX-T Manager web interface, go to Networking >> Tier-1 Gateways. For every Tier-1 Gateway, expand the Tier-1 Gateway. Click on the number in the Linked Segments to review the currently linked segments. For every Tier-1 Gateway, expand the Tier-1 Gateway. Expand Service Interfaces, then click on the number to review the Service Interfaces. Review each interface or linked segment present to determine if they are not in use or inactive. If there are any linked segments or service interfaces present on a Tier-1 Gateway that are not in use or inactive, this is a finding.

Fix: F-55161r810209_fix

To remove a stale linked segment from a Tier-1 Gateway, do the following: From the NSX-T Manager web interface, go to Networking >> Segments and edit the target segment. Under Connected Gateway, change to "None" and click "Save". Note: The stale linked segment can also be deleted if there are no active workloads attached to it. To remove a stale service interface from a Tier-1 Gateway, do the following: From the NSX-T Manager web interface, go to Networking >> Tier-1 Gateways >> Edit the target Tier-1 Gateway. Expand Service Interfaces >> click on the number to view the Service Interfaces. On the stale service interface, select "Delete" and click "Delete" again to confirm.

a
The NSX-T Tier-1 Gateway must be configured to have the DHCP service disabled if not in use.
CM-7 - Low - CCI-000381 - V-251771 - SV-251771r810213_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
T1RT-3X-000027
Vuln IDs
  • V-251771
Rule IDs
  • SV-251771r810213_rule
A compromised router introduces risk to the entire network infrastructure, as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of attacks by malicious users within the network. Preventing network breaches from within is dependent on implementing a comprehensive defense-in-depth strategy, including securing each device connected to the network. This is accomplished by following and implementing all security guidance applicable for each node type. A fundamental step in securing each router is to enable only the capabilities required for operation.
Checks: C-55208r810211_chk

From the NSX-T Manager web interface, go to Networking >> Tier-1 Gateways. For every Tier-1 Gateway expand the Tier-1 Gateway to view the DHCP configuration. If a DHCP profile is configured and not in use, this is a finding.

Fix: F-55162r810212_fix

From the NSX-T Manager web interface, go to Networking >> Tier-1 Gateways and edit the target Tier-1 Gateway. Click "Set DHCP Configuration", select "No Dynamic IP Address Allocation", click "Save", and then close "Editing".

b
The NSX-T Tier-1 Gateway must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.
SC-5 - Medium - CCI-001095 - V-251772 - SV-251772r810216_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-001095
Version
T1RT-3X-000034
Vuln IDs
  • V-251772
Rule IDs
  • SV-251772r810216_rule
DoS is a condition when a resource is not available for legitimate users. Packet flooding distributed denial-of-service (DDoS) attacks are referred to as volumetric attacks and have the objective of overloading a network or circuit to deny or seriously degrade performance, which denies access to the services that normally traverse the network or circuit. Volumetric attacks have become relatively easy to launch using readily available tools such as Low Orbit Ion Cannon or botnets. Measures to mitigate the effects of a successful volumetric attack must be taken to ensure that sufficient capacity is available for mission-critical traffic. Managing capacity may include, for example, establishing selected network usage priorities or quotas and enforcing them using rate limiting, Quality of Service (QoS), or other resource reservation control methods. These measures may also mitigate the effects of sudden decreases in network capacity that are the result of accidental or intentional physical damage to telecommunications facilities (such as cable cuts or weather-related outages).
Checks: C-55209r810214_chk

From the NSX-T Manager web interface, go to Networking >> Segments. For every Segment connected to a Tier-1 Gateway, Expand Segment >> Expand Segment Profiles >> Record QOS Segment Profile. Go to Segment Profiles >> Expand QOS Segment Profile recorded in previous steps. If there are traffic priorities specified by the Combatant Commands/Services/Agencies needed to ensure sufficient capacity for mission-critical traffic and none are configured, this is a finding.

Fix: F-55163r810215_fix

To create a segment QoS profile, do the following: From the NSX-T Manager web interface, go to Networking >> Segments >> Segment Profiles. Click "Add Segment Profile" and select "QoS". Configure a profile name and QoS settings as needed and click "Save". To apply a QoS profile to a segment do the following: From the NSX-T Manager web interface, go to Networking >> Segments and edit the target segment. Expand Segment Profiles and under QoS select the profile previously created and "Save".

a
The NSX-T Tier-1 Gateway must be configured to have multicast disabled if not in use.
CM-7 - Low - CCI-000381 - V-251773 - SV-251773r810219_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
T1RT-3X-000084
Vuln IDs
  • V-251773
Rule IDs
  • SV-251773r810219_rule
A compromised router introduces risk to the entire network infrastructure, as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of attacks by malicious users within the network. Preventing network breaches from within is dependent on implementing a comprehensive defense-in-depth strategy, including securing each device connected to the network. This is accomplished by following and implementing all security guidance applicable for each node type. A fundamental step in securing each router is to enable only the capabilities required for operation.
Checks: C-55210r810217_chk

From the NSX-T Manager web interface, go to Networking >> Tier-1 Gateways. For every Tier-1 Gateway, expand the Tier-1 Gateway then expand Multicast to view the Multicast configuration. If Multicast is enabled and not in use, this is a finding.

Fix: F-55164r810218_fix

To disable Multicast do the following: From the NSX-T Manager web interface, go to Networking >> Tier-1 Gateways and edit the target Tier-1 Gateway. Expand Multicast and change from "Enabled" to "Disabled" and then click "Save".