VMware NSX 4.x Manager NDM Security Technical Implementation Guide

  • Version/Release: V1R1
  • Published: 2024-07-26
  • Released: 2024-08-07

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
The NSX Manager must configure logging levels for services to ensure audit records are generated.
AC-2 - Medium - CCI-001403 - V-263202 - SV-263202r977373_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001403
Version
NMGR-4X-000007
Vuln IDs
  • V-263202
Rule IDs
  • SV-263202r977373_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the network device (e.g., module or policy filter).
Checks: C-67102r977371_chk

From an NSX Manager shell, run the following commands:

> get service async_replicator | find Logging
> get service auth | find Logging
> get service http | find Logging
> get service manager | find Logging
> get service telemetry | find Logging

Expected result (for each service):

Logging level: info

If any service listed does not have its logging level configured to "info", this is a finding.

Fix: F-67010r977372_fix

From an NSX Manager shell, run the following commands:

> set service async_replicator logging-level info
> set service auth logging-level info
> set service http logging-level info
> set service manager logging-level info
> set service telemetry logging-level info

The NSX Manager must assign users/accounts to organization-defined roles configured with approved authorizations.
AC-3 - High - CCI-000213 - V-263203 - SV-263203r977376_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
NMGR-4X-000010
Vuln IDs
  • V-263203
Rule IDs
  • SV-263203r977376_rule
The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. Users must be assigned to roles which are configured with approved authorizations and access permissions. The NSX Manager must be configured granularly based on organization requirements to only allow authorized administrators to execute privileged functions. Role assignments should control which administrators can view or change the device configuration, system files, and locally stored audit information.
Checks: C-67103r977374_chk

From the NSX Manager web interface, go to System >> Settings >> User Management >> User Role Assignment. View each user and group and verify that the assigned role has authorization limits appropriate to the role and in accordance with the site's documentation.

If any user, group, or service account is assigned to a role with privileges beyond those required and authorized by the organization, this is a finding.

Fix: F-67011r977375_fix

To create a new role with reduced permissions, do the following:

From the NSX Manager web interface, go to System >> Settings >> User Management >> Roles. Click "Add Role", provide a name and the required permissions, and then click "Save".

To move a user or group to an existing role with reduced permissions, do the following:

From the NSX Manager web interface, go to System >> Settings >> User Management >> User Role Assignment. Click the menu dropdown next to the target user or group and select "Edit". Remove the existing role, select the new one, and then click "Save".

The NSX Manager must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes.
AC-7 - Medium - CCI-000044 - V-263204 - SV-263204r977379_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-000044
Version
NMGR-4X-000012
Vuln IDs
  • V-263204
Rule IDs
  • SV-263204r977379_rule
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.
Checks: C-67104r977377_chk

From an NSX Manager shell, run the following commands:

> get auth-policy api lockout-reset-period
Expected result: 900 seconds
If the output does not match the expected result, this is a finding.

> get auth-policy api lockout-period
Expected result: 900 seconds
If the output does not match the expected result, this is a finding.

> get auth-policy api max-auth-failures
Expected result: 3
If the output does not match the expected result, this is a finding.

> get auth-policy cli lockout-period
Expected result: 900 seconds
If the output does not match the expected result, this is a finding.

> get auth-policy cli max-auth-failures
Expected result: 3
If the output does not match the expected result, this is a finding.

Fix: F-67012r977378_fix

From an NSX Manager shell, run the following commands:

> set auth-policy api lockout-reset-period 900
> set auth-policy api lockout-period 900
> set auth-policy api max-auth-failures 3
> set auth-policy cli lockout-period 900
> set auth-policy cli max-auth-failures 3

The NSX Manager must display the Standard Mandatory DOD Notice and Consent Banner before granting access.
AC-8 - Medium - CCI-000048 - V-263205 - SV-263205r977382_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000048
Version
NMGR-4X-000013
Vuln IDs
  • V-263205
Rule IDs
  • SV-263205r977382_rule
Display of the DOD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users.
Checks: C-67105r977380_chk

Determine if the network device is configured to present a DOD-approved banner that is formatted in accordance with DTM-08-060.

From the NSX Manager web interface, go to System >> Settings >> General Settings >> User Interface. Review the Login Consent Settings.

If the "Consent Message Description" does not contain the Standard Mandatory DOD Notice and Consent Banner verbiage, this is a finding.

The Standard Mandatory DOD Notice and Consent Banner verbiage is as follows:

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

Fix: F-67013r977381_fix

From the NSX Manager web interface, go to System >> Settings >> General Settings >> User Interface. Under Login Consent Settings, click "Edit". Enter the banner language in the "Consent Message Description" text box, formatted in accordance with DTM-08-060, and click "Save".

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

The NSX Manager must retain the Standard Mandatory DOD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access.
AC-8 - Medium - CCI-000050 - V-263206 - SV-263206r977385_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000050
Version
NMGR-4X-000014
Vuln IDs
  • V-263206
Rule IDs
  • SV-263206r977385_rule
The banner must be acknowledged by the administrator prior to the device allowing the administrator access to the network device. This provides assurance that the administrator has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the administrator, DOD will not be in compliance with system use notifications required by law. To establish acceptance of the network administration policy, a click-through banner at management session logon is required. The device must prevent further activity until the administrator executes a positive action to manifest agreement. In the case of CLI access using a terminal client, entering the username and password when the banner is presented is considered an explicit action of acknowledgement. Entering the username, viewing the banner, then entering the password is also acceptable.
Checks: C-67106r977383_chk

From the NSX Manager web interface, go to System >> Settings >> General Settings >> User Interface. Review the Login Consent Settings.

Verify "Login Consent" is On.
Verify "Require Explicit User Consent" is set to Yes.

If the Standard Mandatory DOD Notice and Consent Banner is not retained on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access, this is a finding.

Fix: F-67014r977384_fix

From the NSX Manager web interface, go to System >> Settings >> General Settings >> User Interface. Under Login Consent Settings, click "Edit". Toggle "Login Consent" to On. Toggle "Require Explicit User Consent" to Yes. Note: The banner text is also entered; however, that is covered by NMGR-4X-000013.

The NSX Manager must be configured to integrate with an identity provider that supports multifactor authentication (MFA).
AU-10 - High - CCI-000166 - V-263207 - SV-263207r977388_rule
RMF Control
AU-10
Severity
High
CCI
CCI-000166
Version
NMGR-4X-000015
Vuln IDs
  • V-263207
Rule IDs
  • SV-263207r977388_rule
Common attacks against single-factor authentication are attacks on user passwords. These attacks include brute-force password guessing, password spraying, and credential stuffing. This requirement also supports nonrepudiation of actions taken by an administrator. This requirement ensures the NSX Manager is configured to use a centralized authentication service to authenticate users prior to granting administrative access. As of NSX 4.1 and vCenter 8.0 Update 2, NSX Manager administrator access can also be configured by connecting VMware NSX to the Workspace ONE Access Broker in VMware vCenter for federated identity. Refer to the NSX product documentation to configure this access option.
Checks: C-67107r977386_chk

From the NSX Manager web interface, go to System >> Settings >> User Management >> Authentication Providers. Verify that an identity provider is configured on the "VMware Identity Manager" tab or the "OpenID Connect" tab.

If NSX is not configured to integrate with an identity provider that supports MFA, this is a finding.

Fix: F-67015r977387_fix

To configure NSX to integrate with VMware Identity Manager or Workspace ONE Access as the authentication source, do the following:

From the NSX Manager web interface, go to System >> Settings >> User Management >> Authentication Providers >> VMware Identity Manager and click "Edit".

If using an external load balancer for the NSX Management cluster, enable "External Load Balancer Integration". If using a cluster VIP, leave this disabled.

Click the toggle button to enable "VMware Identity Manager Integration".

Enter the VMware Identity Manager or Workspace ONE Access appliance name, OAuth Client ID, OAuth Client Secret, and certificate thumbprint as provided by the administrators.

Enter the NSX Appliance FQDN. For a cluster, enter the load balancer FQDN or cluster VIP FQDN.

Click "Save", import users and groups, and then assign them roles. (The users are not actually local and remain in the authentication/AAA server.)

Note: As of NSX 4.1 and vCenter 8.0 Update 2, NSX Manager administrator access can also be configured by connecting VMware NSX to the Workspace ONE Access Broker in VMware vCenter for federated identity. Refer to the NSX product documentation to configure this access option.

Ensure the identity provider administrators have configured the provider to require multifactor authentication; integrating with a provider that supports MFA does not by itself enforce it.

The NSX Manager must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.
AC-2 - Medium - CCI-001358 - V-263208 - SV-263208r977391_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001358
Version
NMGR-4X-000035
Vuln IDs
  • V-263208
Rule IDs
  • SV-263208r977391_rule
Authentication for administrative (privileged level) access to the device is required at all times. An account can be created on the device's local database for use when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is referred to as the account of last resort since it is intended to be used as a last resort and when immediate administrative access is absolutely necessary. The account of last resort logon credentials must be stored in a sealed envelope and kept in a safe. The safe must be periodically audited to verify the envelope remains sealed. The signature of the auditor and the date of the audit should be added to the envelope as a record. Administrators should secure the credentials and disable the root account (if possible) when not needed for system administration functions.
Checks: C-67108r977389_chk

From the NSX Manager web interface, go to System >> Settings >> User Management >> Local Users and view the Status column.

If any local account other than the account of last resort is active, this is a finding.

Fix: F-67016r977390_fix

From the NSX Manager web interface, go to System >> Settings >> User Management >> Local Users. Select the menu drop-down next to each local user on the list except for the "admin" account. Click "Modify" and then click "Deactivate User".

The NSX Manager must only enable TLS 1.2 or greater.
IA-2 - High - CCI-001941 - V-263209 - SV-263209r977394_rule
RMF Control
IA-2
Severity
High
CCI
CCI-001941
Version
NMGR-4X-000038
Vuln IDs
  • V-263209
Rule IDs
  • SV-263209r977394_rule
A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. Configuration of TLS on NSX Manager also ensures that passwords are not transmitted in the clear. TLS 1.0 and 1.1 are deprecated protocols with well-documented shortcomings and vulnerabilities. TLS 1.2 or greater must be enabled on all interfaces, and TLS 1.1 and 1.0 must be disabled where supported.
Checks: C-67109r977392_chk

Viewing TLS protocol enablement must be done via the API. Execute the following API call using curl or another REST API client:

GET https://<nsx-mgr>/api/v1/cluster/api-service

Example result:

"protocol_versions": [
  { "name": "TLSv1.1", "enabled": false },
  { "name": "TLSv1.2", "enabled": true },
  { "name": "TLSv1.3", "enabled": true }
]

If TLS 1.1 is enabled, this is a finding.

Fix: F-67017r977393_fix

Capture the output from the check GET command and update the TLS 1.1 protocol to false. Run the following API call using curl or another REST API client:

PUT https://<nsx-mgr>/api/v1/cluster/api-service

Example request body:

{
  "session_timeout": 1800,
  "connection_timeout": 30,
  "protocol_versions": [
    { "name": "TLSv1.1", "enabled": false },
    { "name": "TLSv1.2", "enabled": true },
    { "name": "TLSv1.3", "enabled": true }
  ],
  "cipher_suites": [
    { "name": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "enabled": true },
    { "name": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "enabled": true },
    { "name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "enabled": true },
    { "name": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "enabled": true },
    { "name": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "enabled": true },
    { "name": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "enabled": true },
    { "name": "TLS_RSA_WITH_AES_128_CBC_SHA", "enabled": true },
    { "name": "TLS_RSA_WITH_AES_128_CBC_SHA256", "enabled": true },
    { "name": "TLS_RSA_WITH_AES_128_GCM_SHA256", "enabled": true },
    { "name": "TLS_RSA_WITH_AES_256_CBC_SHA", "enabled": true },
    { "name": "TLS_RSA_WITH_AES_256_CBC_SHA256", "enabled": true },
    { "name": "TLS_RSA_WITH_AES_256_GCM_SHA384", "enabled": true },
    { "name": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "enabled": true },
    { "name": "TLS_AES_128_GCM_SHA256", "enabled": true },
    { "name": "TLS_AES_256_GCM_SHA384", "enabled": true },
    { "name": "TLS_CHACHA20_POLY1305_SHA256", "enabled": true }
  ],
  "redirect_host": "",
  "client_api_rate_limit": 100,
  "global_api_concurrency_limit": 199,
  "client_api_concurrency_limit": 40,
  "basic_authentication_enabled": true,
  "cookie_based_authentication_enabled": true,
  "resource_type": "ApiServiceConfig",
  "id": "reverse_proxy_config",
  "display_name": "reverse_proxy_config",
  "_create_time": 1703175890703,
  "_create_user": "system",
  "_last_modified_time": 1703175890703,
  "_last_modified_user": "system",
  "_system_owned": false,
  "_protection": "NOT_PROTECTED",
  "_revision": 0
}
Note: Changes are applied to all nodes in the cluster. The API service on each node will restart after it is updated using this API. There may be a delay of up to a minute or so between the time this API call completes and when the new configuration goes into effect.
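The following Python script is an added worked example, not code from the STIG or from VMware. It applies the check and fix above to the JSON returned by GET /api/v1/cluster/api-service: it reports any deprecated protocol version that is still enabled, and it builds the PUT body by copying the captured GET output and flipping only those entries, so that _revision and every other field are carried through unchanged. The sample configuration is constructed for the example; the hostname, credentials, the nsx_api helper, and the name strings used for TLS 1.0 are assumptions and not part of the STIG text.

```python
"""Audit and correct the NSX Manager API service TLS protocol list.

Added example for the TLS 1.2-or-greater rule; the sample JSON below is
constructed, and nsx_api() is an assumed helper (not part of the STIG).
"""
import base64
import copy
import json
import ssl
import urllib.request

# Constructed sample of a non-compliant GET response (TLSv1.1 still enabled).
# Only the fields the example touches are meaningful; the rest mirror the
# shape of the STIG's example body.
SAMPLE_CONFIG = {
    "session_timeout": 1800,
    "connection_timeout": 30,
    "protocol_versions": [
        {"name": "TLSv1.1", "enabled": True},
        {"name": "TLSv1.2", "enabled": True},
        {"name": "TLSv1.3", "enabled": True},
    ],
    "cipher_suites": [
        {"name": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "enabled": True},
        {"name": "TLS_AES_256_GCM_SHA384", "enabled": True},
    ],
    "resource_type": "ApiServiceConfig",
    "id": "reverse_proxy_config",
    "_revision": 0,
}

# "TLSv1.1" is the name shown in the STIG; the TLS 1.0 spellings are an
# assumption so the check also catches 1.0 on a build that still lists it.
DEPRECATED = ("TLSv1", "TLSv1.0", "TLSv1.1")


def tls_findings(config):
    """Return the deprecated protocol versions that are enabled.

    An empty list means the rule passes. A missing or malformed
    protocol_versions key is reported as a finding so that a bad response
    can never be read as compliant.
    """
    versions = config.get("protocol_versions")
    if not isinstance(versions, list):
        return ["protocol_versions missing from API response"]
    return [v.get("name") for v in versions
            if v.get("name") in DEPRECATED and v.get("enabled") is True]


def modern_tls_enabled(config):
    """True if TLSv1.2 or TLSv1.3 is enabled, so the fix cannot lock every
    client out of the API."""
    return any(v.get("enabled") and v.get("name") in ("TLSv1.2", "TLSv1.3")
               for v in config.get("protocol_versions", []))


def build_fix_body(config):
    """Build the PUT body from the captured GET output.

    Only deprecated protocols are flipped to false; everything else,
    including _revision (which NSX uses for optimistic locking), is kept.
    The input dict is not modified.
    """
    body = copy.deepcopy(config)
    for v in body.get("protocol_versions", []):
        if v.get("name") in DEPRECATED:
            v["enabled"] = False
    if not modern_tls_enabled(body):
        raise ValueError("refusing to PUT a config with no TLS 1.2/1.3 enabled")
    return body


def nsx_api(host, user, password, method="GET", body=None, verify=True):
    """Assumed helper: one call to the NSX Manager REST API with basic auth
    (the STIG's example config shows basic_authentication_enabled: true).
    Not exercised offline."""
    ctx = ssl.create_default_context()
    if not verify:  # lab managers with self-signed certificates only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}/api/v1/cluster/api-service",
        data=None if body is None else json.dumps(body).encode(),
        method=method,
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read())


def audit_and_fix(host, user, password, apply=False):
    """Check a live manager; PUT the corrected body only when apply=True."""
    current = nsx_api(host, user, password)
    findings = tls_findings(current)
    if findings and apply:
        nsx_api(host, user, password, "PUT", build_fix_body(current))
    return findings


if __name__ == "__main__":
    print("findings:", tls_findings(SAMPLE_CONFIG))
    print(json.dumps(build_fix_body(SAMPLE_CONFIG)["protocol_versions"], indent=2))
```

Against a live manager, audit_and_fix("nsx-mgr.example.com", "admin", password) reports findings without changing anything, and apply=True sends the PUT; because the PUT replaces the whole object and restarts the API service on every node, re-run the GET after the delay noted above before recording the rule as closed.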

The NSX Manager must enforce a minimum 15-character password length for local accounts.
IA-5 - Medium - CCI-000205 - V-263210 - SV-263210r977397_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000205
Version
NMGR-4X-000039
Vuln IDs
  • V-263210
Rule IDs
  • SV-263210r977397_rule
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
Checks: C-67110r977395_chk

From an NSX Manager shell, run the following command:

> get password-complexity

If the minimum password length is not 15 or greater, this is a finding.

Fix: F-67018r977396_fix

From an NSX Manager shell, run the following command:

> set password-complexity minimum-password-length 15

The NSX Manager must enforce password complexity by requiring that at least one uppercase character be used for local accounts.
IA-5 - Medium - CCI-000192 - V-263211 - SV-263211r977400_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000192
Version
NMGR-4X-000040
Vuln IDs
  • V-263211
Rule IDs
  • SV-263211r977400_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using public key infrastructure (PKI) is not available, and for the account of last resort and root account.
Checks: C-67111r977398_chk

From an NSX Manager shell, run the following command:

> get password-complexity

If the minimum number of uppercase characters is not 1 or more, this is a finding.

Note: If a maximum number of uppercase characters has been configured, a minimum will not be shown.

Fix: F-67019r977399_fix

From an NSX Manager shell, run the following command:

> set password-complexity upper-chars -1

Note: Negative numbers indicate a minimum number of characters.

The NSX Manager must enforce password complexity by requiring that at least one lowercase character be used for local accounts.
IA-5 - Medium - CCI-000193 - V-263212 - SV-263212r977403_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000193
Version
NMGR-4X-000041
Vuln IDs
  • V-263212
Rule IDs
  • SV-263212r977403_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-67112r977401_chk

From an NSX Manager shell, run the following command:

> get password-complexity

If the minimum number of lowercase characters is not 1 or more, this is a finding.

Note: If a maximum number of lowercase characters has been configured, a minimum will not be shown.

Fix: F-67020r977402_fix

From an NSX Manager shell, run the following command:

> set password-complexity lower-chars -1

Note: Negative numbers indicate a minimum number of characters.

The NSX Manager must enforce password complexity by requiring that at least one numeric character be used for local accounts.
IA-5 - Medium - CCI-000194 - V-263213 - SV-263213r977406_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000194
Version
NMGR-4X-000042
Vuln IDs
  • V-263213
Rule IDs
  • SV-263213r977406_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-67113r977404_chk

From an NSX Manager shell, run the following command:

> get password-complexity

If the minimum number of numeric characters is not 1 or more, this is a finding.

Note: If a maximum number of numeric characters has been configured, a minimum will not be shown.

Fix: F-67021r977405_fix

From an NSX Manager shell, run the following command:

> set password-complexity digits -1

Note: Negative numbers indicate a minimum number of characters.

The NSX Manager must enforce password complexity by requiring that at least one special character be used for local accounts.
IA-5 - Medium - CCI-001619 - V-263214 - SV-263214r977409_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-001619
Version
NMGR-4X-000043
Vuln IDs
  • V-263214
Rule IDs
  • SV-263214r977409_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-67114r977407_chk

From an NSX Manager shell, run the following command:

> get password-complexity

If the minimum number of special characters is not 1 or more, this is a finding.

Note: If a maximum number of special characters has been configured, a minimum will not be shown.

Fix: F-67022r977408_fix

From an NSX Manager shell, run the following command:

> set password-complexity special-chars -1

Note: Negative numbers indicate a minimum number of characters.

The NSX Manager must require that when a password is changed, the characters are changed in at least eight of the positions within the password.
IA-5 - Medium - CCI-000195 - V-263215 - SV-263215r977412_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000195
Version
NMGR-4X-000044
Vuln IDs
  • V-263215
Rule IDs
  • SV-263215r977412_rule
If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-67115r977410_chk

From an NSX Manager shell, run the following command:

> get password-complexity

If the number of consecutive characters allowed for reuse is not eight or more, this is a finding.

Note: If this setting has not previously been configured, it will not be shown in the output.

Fix: F-67023r977411_fix

From an NSX Manager shell, run the following command:

> set password-complexity max-repeats 8

The NSX Manager must terminate all network connections associated with a session after five minutes of inactivity.
SC-10 - High - CCI-001133 - V-263216 - SV-263216r977415_rule
RMF Control
SC-10
Severity
High
CCI
CCI-001133
Version
NMGR-4X-000052
Vuln IDs
  • V-263216
Rule IDs
  • SV-263216r977415_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take immediate control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or deallocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
Checks: C-67116r977413_chk

From an NSX Manager shell, run the following command:

> get service http | find Session

Expected result:

Session timeout: 300

If the session timeout is not configured to 300 or less, this is a finding.

From an NSX Manager shell, run the following command:

> get cli-timeout

Expected result: 300 seconds

If the CLI timeout is not configured to 300 or less, this is a finding.

Fix: F-67024r977414_fix

From an NSX Manager shell, run the following commands:

> set service http session-timeout 300
> set cli-timeout 300

The NSX Manager must be configured to synchronize internal information system clocks using redundant authoritative time sources.
AU-8 - Medium - CCI-001893 - V-263217 - SV-263217r977418_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001893
Version
NMGR-4X-000067
Vuln IDs
  • V-263217
Rule IDs
  • SV-263217r977418_rule
The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must use an authoritative time server and/or be configured to use redundant authoritative time sources. DOD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DOD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.
Checks: C-67117r977416_chk

From the NSX Manager web interface, go to System &gt;&gt; Configuration &gt;&gt; Fabric &gt;&gt; Profiles &gt;&gt; Node Profiles. Click "All NSX Nodes" and verify the NTP servers listed. or From an NSX Manager shell, run the following command: &gt; get ntp-server If the output does not contain at least two authoritative time sources, this is a finding. If the output contains unknown or nonauthoritative time sources, this is a finding.

Fix: F-67025r977417_fix

To configure a profile to apply NTP servers to all NSX Manager nodes, do the following:

From the NSX Manager web interface, go to System >> Configuration >> Fabric >> Profiles >> Node Profiles. Click "All NSX Nodes" and then click "Edit". Under NTP servers, remove any unknown or nonauthoritative NTP servers, enter at least two authoritative servers, and then click "Save".

or

From an NSX Manager shell, run the following commands:
> del ntp-server <server-ip or server-name>
> set ntp-server <server-ip or server-name>

b
The NSX Manager must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC).
AU-8 - Medium - CCI-001890 - V-263218 - SV-263218r1000969_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001890
Version
NMGR-4X-000068
Vuln IDs
  • V-263218
Rule IDs
  • SV-263218r1000969_rule
If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the application include date and time. Time is commonly expressed in UTC, a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.
Checks: C-67118r977419_chk

From the NSX Manager web interface, go to System >> Configuration >> Fabric >> Profiles >> Node Profiles. Click "All NSX Nodes" and verify the time zone.

or

From an NSX Manager shell, run the following command:
> get clock

Note: This check must be run from each NSX Manager, as the nodes are configured individually when done from the command line.

If the system clock is not configured with the UTC time zone, this is a finding.

Fix: F-67026r977420_fix

To configure a profile to apply a time zone to all NSX Manager nodes, do the following:

From the NSX Manager web interface, go to System >> Configuration >> Fabric >> Profiles >> Node Profiles. Click "All NSX Nodes", and then click "Edit". In the time zone drop-down list, select "UTC", and then click "Save".

or

From an NSX Manager shell, run the following command:
> set timezone UTC

Note: This fix must be run from each NSX Manager, as the nodes are configured individually when done from the command line.

b
The NSX Manager must be configured to protect against denial-of-service (DoS) attacks by limiting the number of concurrent sessions to an organization-defined number.
SC-5 - Medium - CCI-002385 - V-263219 - SV-263219r977424_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
NMGR-4X-000079
Vuln IDs
  • V-263219
Rule IDs
  • SV-263219r977424_rule
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Limiting the number of concurrent open sessions helps limit the risk of DoS attacks. Organizations may define the maximum number of concurrent sessions for system accounts globally or by connection type. By default, the NSX Manager has a protection mechanism in place to prevent the API from being overloaded. This setting also addresses concurrent sessions for integrations into NSX API to monitor or configure NSX.
Checks: C-67119r977422_chk

From an NSX Manager shell, run the following command:
> get service http | find limit

Expected result:
Client API concurrency limit: 40 connections
Global API concurrency limit: 199 connections

If NSX does not limit the number of concurrent sessions to an organization-defined number, this is a finding.

Fix: F-67027r977423_fix

From an NSX Manager shell, run the following commands:
> set service http client-api-concurrency-limit 40
> set service http global-api-concurrency-limit 199

Note: The limit numbers in this example, while not mandatory, are the vendor-recommended values. Setting the limits to lower numbers in a large, very busy environment may cause operational issues. Setting the limits higher may cause resource contention, so any change should be tested and monitored.

c
The NSX Manager must be configured to send logs to a central log server.
AU-4 - High - CCI-001851 - V-263220 - SV-263220r977427_rule
RMF Control
AU-4
Severity
High
CCI
CCI-001851
Version
NMGR-4X-000087
Vuln IDs
  • V-263220
Rule IDs
  • SV-263220r977427_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
Checks: C-67120r977425_chk

From the NSX Manager web interface, go to System >> Fabric >> Profiles >> Node Profiles. Click "All NSX Nodes" and verify the Syslog servers listed.

or

From an NSX Manager shell, run the following command:
> get logging-servers

Note: This command must be run from each NSX Manager, as the nodes are configured individually.

If no logging servers are configured or unauthorized logging servers are configured, this is a finding.

If the log level is not set to INFO, this is a finding.

Fix: F-67028r977426_fix

To configure a profile to apply syslog servers to all NSX Manager nodes, do the following:

From the NSX Manager web interface, go to System >> Fabric >> Profiles >> Node Profiles. Click "All NSX Nodes" and then, under "Syslog Servers", click "Add". Enter the syslog server details, choose "Information" for the log level, and click "Add".

or

(Optional) From an NSX Manager shell, run the following command to clear any existing incorrect logging servers:
> clear logging-servers

From an NSX Manager shell, run the following command to configure a UDP or TCP syslog server:
> set logging-server <server-ip or server-name> proto <tcp or udp> level info

From an NSX Manager shell, run the following command to configure a TLS syslog server:
> set logging-server <server-ip or server-name> proto tls level info serverca ca.pem clientca ca.pem certificate cert.pem key key.pem

From an NSX Manager shell, run the following command to configure an LI-TLS syslog server:
> set logging-server <server-ip or server-name> proto li-tls level info serverca root-ca.crt

Note: If using the TLS or LI-TLS protocols to configure a secure connection to a log server, the server and client certificates must be stored in /image/vmware/nsx/file-store on each NSX-T Manager appliance.
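Both the NTP check (NMGR-4X-000067) and the syslog check (NMGR-4X-000087) above reduce to the same question: is every configured destination on an organization-approved list, and are there enough of them? The following script is an added example, not part of the STIG or of VMware's tooling, that evaluates captured CLI output against such allow lists. It assumes "get ntp-server" lists one server per line after a timestamp banner and that "get logging-servers" prints one line per destination in the form "<host>:<port> proto <protocol> level <level>"; the allow lists and sample outputs are constructed placeholders that an organization would replace with its own approved sources and collectors.

```python
"""Audit NSX Manager NTP sources and syslog destinations against allow lists.

Added example, not part of the STIG or of VMware's tooling. Assumed output
formats: "get ntp-server" lists one server per line after a timestamp
banner; "get logging-servers" prints one line per destination of the form
"<host>:<port> proto <tcp|udp|tls|li-tls> level <level>". Allow lists and
sample outputs are constructed placeholders.
"""
import re

# Constructed allow lists: an organization fills these from its approved
# time sources (NMGR-4X-000067) and authorized log collectors (NMGR-4X-000087).
APPROVED_NTP = {"ntp1.example.mil", "ntp2.example.mil"}
APPROVED_SYSLOG = {"syslog.example.mil"}

# Constructed sample CLI output for a compliant manager.
SAMPLE_NTP = "Wed Jan 01 2020 UTC 00:00:00.000\nntp1.example.mil\nntp2.example.mil\n"
SAMPLE_SYSLOG = ("Wed Jan 01 2020 UTC 00:00:00.000\n"
                 "syslog.example.mil:6514 proto tls level info\n")

LOG_LINE = re.compile(
    r"^(?P<host>[^:\s]+):(?P<port>\d+)\s+proto\s+(?P<proto>\S+)\s+level\s+(?P<level>\S+)"
)


def parse_ntp_servers(output: str) -> list:
    """One server per line; the timestamp banner (which contains spaces) is skipped."""
    return [ln.strip() for ln in output.splitlines() if ln.strip() and " " not in ln.strip()]


def parse_logging_servers(output: str) -> list:
    """Return dicts with host, port, proto and level for each configured destination."""
    entries = []
    for line in output.splitlines():
        match = LOG_LINE.match(line.strip())
        if match:
            entry = match.groupdict()
            entry["port"] = int(entry["port"])
            entries.append(entry)
    return entries


def check_ntp(output: str, approved=APPROVED_NTP, minimum: int = 2) -> list:
    """Finding if fewer than `minimum` approved sources, or if any source is unapproved."""
    servers = parse_ntp_servers(output)
    findings = []
    authoritative = [s for s in servers if s in approved]
    if len(authoritative) < minimum:
        findings.append(f"only {len(authoritative)} authoritative NTP server(s), need at least {minimum}")
    for server in servers:
        if server not in approved:
            findings.append(f"unknown or nonauthoritative NTP server: {server}")
    return findings


def check_syslog(output: str, approved=APPROVED_SYSLOG) -> list:
    """Finding if no destination, an unauthorized destination, or a level other than info."""
    entries = parse_logging_servers(output)
    findings = []
    if not entries:
        findings.append("no logging servers configured")
    for entry in entries:
        if entry["host"] not in approved:
            findings.append(f"unauthorized logging server: {entry['host']}")
        if entry["level"].lower() != "info":
            findings.append(f"logging server {entry['host']} level is {entry['level']}, must be info")
    return findings


if __name__ == "__main__":
    print("ntp:", check_ntp(SAMPLE_NTP) or "PASS")
    print("syslog:", check_syslog(SAMPLE_SYSLOG) or "PASS")
```

Because both commands are per-node, the captured output of each NSX Manager must be run through the checks separately; an empty list from either function means that node passed. The NTP minimum counts only approved servers, so a node with one approved and one unknown source is reported twice: once for falling short of two authoritative sources and once for the unknown one.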

a
The NSX Manager must not provide environment information to third parties.
CM-6 - Info - CCI-000366 - V-263221 - SV-263221r977430_rule
RMF Control
CM-6
Severity
Info
CCI
CCI-000366
Version
NMGR-4X-000088
Vuln IDs
  • V-263221
Rule IDs
  • SV-263221r977430_rule
Providing technical details about an environment's infrastructure to third parties could unknowingly expose sensitive information to bad actors if intercepted.
Checks: C-67121r977428_chk

From the NSX Manager web interface, go to System >> Settings >> General Settings >> Customer Program >> Customer Experience Improvement Program.

If Joined is set to "Yes", this is a finding.

Fix: F-67029r977429_fix

From the NSX Manager web interface, go to System >> Settings >> General Settings >> Customer Program >> Customer Experience Improvement Program, and then click "Edit". Uncheck "Join the VMware Customer Experience Improvement Program" and click "Save".

b
The NSX Manager must be configured to conduct backups on an organizationally defined schedule.
CP-9 - Medium - CCI-000539 - V-263222 - SV-263222r977433_rule
RMF Control
CP-9
Severity
Medium
CCI
CCI-000539
Version
NMGR-4X-000093
Vuln IDs
  • V-263222
Rule IDs
  • SV-263222r977433_rule
Information system backup is a critical step in maintaining data assurance and availability. Information system and security-related documentation contains information pertaining to system configuration and security settings. If this information were not backed up, and a system failure were to occur, the security settings would be difficult to reconfigure quickly and accurately. Maintaining a backup of information system and security-related documentation provides for a quicker recovery time when system outages occur. This control requires the network device to support the organizational central backup process for user account information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups.
Checks: C-67122r977431_chk

From the NSX Manager web interface, go to System >> Lifecycle Management >> Backup and Restore to view the backup configuration.

If backup is not configured and scheduled on a recurring frequency, this is a finding.

Fix: F-67030r977432_fix

To configure a backup destination, do the following:

From the NSX Manager web interface, go to System >> Lifecycle Management >> Backup and Restore, and then click "Edit" next to SFTP Server. Enter the target SFTP server, Directory Path, Username, Password, SSH Fingerprint, and Passphrase, and then click "Save".

To configure a backup schedule, do the following:

From the NSX Manager web interface, go to System >> Lifecycle Management >> Backup and Restore, and then click "Edit" next to Schedule. Click the "Recurring Backup" toggle and configure an interval between backups. Enable "Detect NSX configuration change" to trigger backups on detection of configuration changes and specify an interval for detecting changes. Click "Save".

b
The NSX Manager must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
CM-6 - Medium - CCI-000366 - V-263223 - SV-263223r977436_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
NMGR-4X-000094
Vuln IDs
  • V-263223
Rule IDs
  • SV-263223r977436_rule
For user certificates, each organization obtains certificates from an approved, shared service provider, as required by Office of Management and Budget (OMB) policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority will suffice.
Checks: C-67123r977434_chk

NSX Manager uses a certificate for each manager and one for the cluster VIP. In some cases these are the same, but each node and cluster VIP certificate must be checked individually.

Browse to the NSX Manager web interface for each node and the cluster VIP and view the website's certificate and its issuer.

or

From an NSX Manager shell, run the following commands:
> get certificate api
> get certificate cluster

Save the output to a .cer file to examine.

If the certificate the NSX Manager web interface or cluster is using is not issued by an approved certificate authority and is not currently valid, this is a finding.

Fix: F-67031r977435_fix

Obtain a certificate or certificates signed by an approved certification authority. This can be done individually by generating CSRs through the NSX Manager web interface (System >> Settings >> Certificates >> CSRs >> Generate CSR), or outside of NSX if a common manager and cluster certificate is desired.

Import the certificate(s) into NSX by doing the following:

From the NSX Manager web interface, go to System >> Settings >> Certificates >> Certificates >> Import >> Import Certificate. Provide a name for the certificate, paste the certificate's contents and key, uncheck "Service Certificate", and click "Import". After import, note the ID of the certificate(s).

Using curl or another REST API client, perform the following API calls, replacing the certificate IDs with those noted in the previous steps.

To replace a manager's certificate:
POST https://<nsx-mgr>/api/v1/node/services/http?action=apply_certificate&certificate_id=e61c7537-3090-4149-b2b6-19915c20504f

To replace the cluster certificate:
POST https://<nsx-mgr>/api/v1/cluster/api-certificate?action=set_cluster_certificate&certificate_id=d60c6a07-6e59-4873-8edb-339bf75711ac

Note: If an NSX Intelligence appliance is deployed with the NSX Manager cluster, update the NSX Manager node IP, certificate, and thumbprint information on the NSX Intelligence appliance. Refer to the VMware Knowledge Base article https://kb.vmware.com/s/article/78505 for more information.
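The web-interface variant of the check above amounts to connecting to each node and the cluster VIP over TLS and inspecting the issuer and validity dates of the certificate presented. The script below is an added example, not part of the STIG or of VMware's tooling, that automates exactly that with the Python standard library: fetch_peer_cert() retrieves the certificate in the dictionary form ssl.SSLSocket.getpeercert() returns, and evaluate_cert() applies the two conditions the check names, an approved issuer and a current validity window. The approved-issuer set and the sample certificate are constructed placeholders; an organization would fill the set from its approved certificate policy.

```python
"""Check the TLS certificate presented by an NSX Manager node or the cluster VIP.

Added example, not part of the STIG or of VMware's tooling. Standard library
only: fetch_peer_cert() retrieves the certificate the way a browser would,
evaluate_cert() checks issuer and validity. The approved-issuer list and the
sample certificate are constructed placeholders.
"""
import socket
import ssl
import time

# Constructed: issuer common names acceptable under the organization's
# approved certificate policy.
APPROVED_ISSUER_CNS = {"Example Org Issuing CA 1"}

# Constructed sample in the dict form ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "nsx-mgr-01.example.mil"),),),
    "issuer": ((("organizationName", "Example Org"),),
               (("commonName", "Example Org Issuing CA 1"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}


def fetch_peer_cert(host: str, port: int = 443, cafile: str = None) -> dict:
    """Open a verified TLS connection and return the peer certificate dict.
    Verification stays on; pass cafile when the issuer is a private CA."""
    context = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def issuer_cn(cert: dict) -> str:
    """Extract commonName from the nested issuer RDN tuples."""
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return ""


def evaluate_cert(cert: dict, now: float = None, approved=APPROVED_ISSUER_CNS) -> list:
    """Return findings: unapproved issuer and/or certificate outside its validity window.
    `now` is seconds since the epoch (UTC); it defaults to the current time."""
    now = time.time() if now is None else now
    findings = []
    cn = issuer_cn(cert)
    if cn not in approved:
        findings.append(f"issuer '{cn}' is not an approved certificate authority")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        findings.append("certificate is not currently valid")
    return findings


def audit_endpoint(host: str, cafile: str = None) -> list:
    """Fetch and evaluate one node or VIP; run this for every node and for the VIP."""
    return evaluate_cert(fetch_peer_cert(host, cafile=cafile))


if __name__ == "__main__":
    # Evaluate the constructed sample at a fixed instant inside its validity window.
    print(evaluate_cert(SAMPLE_CERT, now=ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")) or "PASS")
```

Note that getpeercert() only returns a populated dictionary after a successful verified handshake, so a certificate chained to a CA the auditing host does not trust raises an exception in fetch_peer_cert() rather than being silently accepted; that is itself useful evidence for the check. Run audit_endpoint() once per NSX Manager node and once against the cluster VIP, since the check requires each to be examined individually.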

c
The NSX Manager must be running a release that is currently supported by the vendor.
CM-6 - High - CCI-000366 - V-263224 - SV-263224r977439_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
NMGR-4X-000096
Vuln IDs
  • V-263224
Rule IDs
  • SV-263224r977439_rule
Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities.
Checks: C-67124r977437_chk

From the NSX Manager web interface, go to System >> Lifecycle Management >> Upgrade.

If the NSX Manager current version is not the latest approved for use in DOD and supported by the vendor, this is a finding.

Fix: F-67032r977438_fix

To upgrade NSX, reference the upgrade guide in the documentation for the relevant version being upgraded. Refer to the NSX documentation and release notes for information on the latest releases: https://docs.vmware.com/en/VMware-NSX/index.html

If NSX is part of a VMware Cloud Foundation deployment, refer to that documentation for the latest supported versions and upgrade guidance.

b
The NSX Manager must disable SSH.
CM-6 - Medium - CCI-000366 - V-263225 - SV-263225r977442_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
NMGR-4X-000097
Vuln IDs
  • V-263225
Rule IDs
  • SV-263225r977442_rule
The NSX shell provides temporary access to commands essential for server maintenance. Intended primarily for use in break-fix scenarios, the NSX shell is well suited for checking and modifying configuration details that are not always accessible through the web interface. The NSX shell is accessible remotely using SSH. Under normal operating conditions, SSH access to the managers must be disabled, as is the default. As with the NSX shell, SSH is also intended only for temporary use during break-fix scenarios. SSH must therefore be disabled under normal operating conditions and only enabled for diagnostics or troubleshooting. At all other times, remote access to the managers must be limited to the web interface and API.
Checks: C-67125r977440_chk

From an NSX Manager shell, run the following command:
> get service ssh

Expected results:
Service name: ssh
Service state: stopped
Start on boot: False

If the SSH server is not stopped or starts on boot, this is a finding.

Fix: F-67033r977441_fix

From an NSX Manager shell, run the following commands:
> stop service ssh
> clear service ssh start-on-boot
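Three of the shell-based checks in this guide, the session and CLI timeout check (fix F-67024r977414_fix), the API concurrency limit check (NMGR-4X-000079) and the SSH service check (NMGR-4X-000097), all read "Key: value" lines from "get service ..." output and compare them with the expected results. The script below is an added example, not part of the STIG or of VMware's tooling, that evaluates captured output of those commands in one pass. The sample outputs are constructed to match the "Expected result" text of the checks; any banner or timestamp lines a real appliance prints are ignored because they carry no "key: value" pair.

```python
"""Evaluate NSX Manager CLI output against three STIG checks.

Added example, not part of the STIG or of VMware's tooling. The sample
outputs are constructed to match the "Expected result" text of the
checks; banner or timestamp lines a real appliance prints are ignored
by the parser because they carry no "key: value" pair.
"""
import re

# Constructed sample output of "get service http" (the session timeout and
# API concurrency limit lines are the ones the checks filter with "| find").
SAMPLE_HTTP = """\
Service name: http
Service state: running
Session timeout: 300
Client API concurrency limit: 40 connections
Global API concurrency limit: 199 connections
"""
SAMPLE_CLI_TIMEOUT = "300 seconds\n"          # constructed "get cli-timeout" output
SAMPLE_SSH = """\
Service name: ssh
Service state: stopped
Start on boot: False
"""                                           # constructed "get service ssh" output


def parse_kv(output: str) -> dict:
    """Turn 'Key: value' lines into a dict keyed by the lower-cased key.
    Lines with no colon (prompts, timestamps) are skipped."""
    parsed = {}
    for line in output.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        parsed[key.strip().lower()] = value.strip()
    return parsed


def first_int(text: str):
    """Return the first integer in text such as '300 seconds', else None."""
    match = re.search(r"\d+", text)
    return int(match.group()) if match else None


def check_timeouts(http_output: str, cli_output: str, maximum: int = 300) -> list:
    """Session/CLI timeout check: both values must be 300 seconds or less."""
    findings = []
    session = first_int(parse_kv(http_output).get("session timeout", ""))
    if session is None or session > maximum:
        findings.append(f"HTTP session timeout is {session}, must be {maximum} or less")
    cli = first_int(cli_output)
    if cli is None or cli > maximum:
        findings.append(f"CLI timeout is {cli}, must be {maximum} or less")
    return findings


def check_api_limits(http_output: str, client_max: int = 40, global_max: int = 199) -> list:
    """NMGR-4X-000079: both concurrency limits must equal the organization-defined
    values; the defaults here are the vendor-recommended numbers from the fix."""
    http = parse_kv(http_output)
    findings = []
    for key, expected in (("client api concurrency limit", client_max),
                          ("global api concurrency limit", global_max)):
        actual = first_int(http.get(key, ""))
        if actual != expected:
            findings.append(f"{key} is {actual}, expected {expected}")
    return findings


def check_ssh(ssh_output: str) -> list:
    """NMGR-4X-000097: the ssh service must be stopped and must not start on boot."""
    service = parse_kv(ssh_output)
    findings = []
    if service.get("service state", "").lower() != "stopped":
        findings.append("SSH service is not stopped")
    if service.get("start on boot", "").lower() != "false":
        findings.append("SSH service starts on boot")
    return findings


def audit(http_output: str, cli_output: str, ssh_output: str) -> dict:
    """Run all three checks; an empty list means that check passed."""
    return {
        "timeouts": check_timeouts(http_output, cli_output),
        "api_limits": check_api_limits(http_output),
        "ssh": check_ssh(ssh_output),
    }


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_HTTP, SAMPLE_CLI_TIMEOUT, SAMPLE_SSH).items():
        print(name, "PASS" if not findings else findings)
```

A missing line is treated as a finding rather than a pass (first_int() returns None and the comparison fails), so an appliance that prints an unexpected format shows up in the report instead of being silently accepted. The concurrency targets are parameters because the STIG requires an organization-defined number; the vendor-recommended 40 and 199 are only defaults.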

b
The NSX Manager must disable SNMP v2.
CM-6 - Medium - CCI-000366 - V-263226 - SV-263226r977445_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
NMGR-4X-000098
Vuln IDs
  • V-263226
Rule IDs
  • SV-263226r977445_rule
SNMPv3 supports commercial-grade security, including authentication, authorization, access control, and privacy. Previous versions of the protocol contained well-known security weaknesses that were easily exploited. As such, SNMPv1/2 receivers must be disabled.
Checks: C-67126r977443_chk

From the NSX Manager web interface, go to System >> Configuration >> Fabric >> Profiles >> Node Profiles. Click "All NSX Nodes" and view the SNMP Polling and Traps configuration.

If SNMP v2c Polling or Traps are configured, this is a finding.

Fix: F-67034r977444_fix

From the NSX Manager web interface, go to System >> Configuration >> Fabric >> Profiles >> Node Profiles. Click "All NSX Nodes" and delete any v2c Polling or Trap configurations.

b
The NSX Manager must enable the global FIPS compliance mode for load balancers.
CM-6 - Medium - CCI-000366 - V-263227 - SV-263227r977448_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
NMGR-4X-000099
Vuln IDs
  • V-263227
Rule IDs
  • SV-263227r977448_rule
If unsecured protocols (lacking cryptographic mechanisms) are used for load balancing, the contents of those sessions will be susceptible to eavesdropping, potentially putting sensitive data at risk of compromise.
Checks: C-67127r977446_chk

From the NSX Manager web interface, go to Home >> Monitoring Dashboards >> Compliance Report. Review the compliance report for code 72024 with the description "load balancer FIPS global setting disabled".

Note: This may also be checked via the API call GET https://<nsx-mgr>/policy/api/v1/infra/global-config

If the global FIPS setting is disabled for load balancers, this is a finding.

Fix: F-67035r977447_fix

Execute the following API call using curl or another REST API client:
PUT https://<nsx-mgr>/policy/api/v1/infra/global-config

Example request body:
{
  "fips": {
    "lb_fips_enabled": true
  },
  "resource_type": "GlobalConfig",
  "_revision": 2
}

The global setting is used when new load balancer instances are created. Changing the setting does not affect existing load balancer instances. To update existing load balancers to use this setting, do the following:

From the NSX Manager web interface, go to Networking >> Load Balancing and then click "Edit" on the target load balancer. In the attachment field, click the "X" to detach the load balancer from its current Gateway and click "Save". Edit the target load balancer again, reattach it to its Gateway, and then click "Save".

Caution: Detaching a load balancer from the Tier-1 gateway results in a traffic interruption for the load balancer instance.
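The check and fix above are a read-modify-write against one Policy API object: GET global-config to read fips.lb_fips_enabled and the current _revision, then PUT the body shown with that revision echoed back. The script below is an added example, not VMware's code, that implements this with the Python standard library. The manager address, API user and password are placeholders, and the sample GET response is constructed; only the endpoint and request body from the STIG text are used.

```python
"""Check and set the global load balancer FIPS flag through the NSX Policy API.

Added example, not VMware's code. It uses the GET/PUT endpoint and the request
body shown in the check and fix; the manager address, API user and password are
placeholders, and the sample GET response is constructed.
"""
import base64
import json
import ssl
import urllib.request

GLOBAL_CONFIG_PATH = "/policy/api/v1/infra/global-config"

# Constructed sample of a GET response with the setting still disabled.
SAMPLE_CONFIG = {
    "resource_type": "GlobalConfig",
    "id": "global-config",
    "fips": {"lb_fips_enabled": False},
    "_revision": 2,
}


def lb_fips_enabled(config: dict) -> bool:
    """The check: True when fips.lb_fips_enabled is set in global-config."""
    return bool(config.get("fips", {}).get("lb_fips_enabled", False))


def build_fips_update(config: dict) -> dict:
    """The fix body. _revision is copied from the current object because the
    Policy API rejects a PUT whose revision does not match the stored one."""
    return {
        "fips": {"lb_fips_enabled": True},
        "resource_type": "GlobalConfig",
        "_revision": config["_revision"],
    }


def _call(method: str, nsx_mgr: str, user: str, password: str,
          body: dict = None, cafile: str = None) -> dict:
    """Minimal JSON client using HTTP basic auth over a verified TLS context."""
    data = json.dumps(body).encode() if body is not None else None
    request = urllib.request.Request(f"https://{nsx_mgr}{GLOBAL_CONFIG_PATH}",
                                     data=data, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    request.add_header("Authorization", f"Basic {token}")
    request.add_header("Content-Type", "application/json")
    context = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(request, context=context, timeout=30) as response:
        return json.load(response)


def enable_lb_fips(nsx_mgr: str, user: str, password: str, cafile: str = None) -> dict:
    """Read-modify-write: return the config unchanged if already compliant,
    otherwise PUT the update and return the server's new object."""
    current = _call("GET", nsx_mgr, user, password, cafile=cafile)
    if lb_fips_enabled(current):
        return current
    return _call("PUT", nsx_mgr, user, password,
                 body=build_fips_update(current), cafile=cafile)


if __name__ == "__main__":
    print("compliant" if lb_fips_enabled(SAMPLE_CONFIG) else "finding: LB FIPS disabled")
    print(json.dumps(build_fips_update(SAMPLE_CONFIG), indent=2))
```

Reading the object first is what makes the fix safe to repeat: _revision is taken from the live object instead of being hard-coded as in the curl example, and a manager that is already compliant is left untouched. As the fix text notes, the PUT only governs load balancers created afterwards; existing instances still need the detach and reattach step, which interrupts their traffic.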

b
The NSX Manager must be configured as a cluster.
CM-6 - Medium - CCI-000366 - V-263228 - SV-263228r977451_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
NMGR-4X-000102
Vuln IDs
  • V-263228
Rule IDs
  • SV-263228r977451_rule
Failure in a known state can address safety or security in accordance with the mission needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the SDN controller. Preserving network element state information helps to facilitate continuous network operations with minimal or no disruption to mission-essential workload processes and flows.
Checks: C-67128r977449_chk

From the NSX Manager web interface, go to System >> Configuration >> Appliances. Verify that three NSX Managers are deployed, a VIP or external load balancer is configured, and the cluster is in a healthy state.

If there are not three NSX Managers deployed, a VIP or external load balancer configured, and the cluster in a healthy state, this is a finding.

Fix: F-67036r977450_fix

To add additional NSX Manager appliances, do the following:

From the NSX Manager web interface, go to System >> Configuration >> Appliances, and then click "Add NSX Appliance". Supply the required information to add additional nodes as needed, up to three total.

To configure NSX with a cluster VIP, do the following:

From the NSX Manager web interface, go to System >> Configuration >> Appliances, and then click "Set Virtual IP", enter a VIP that is part of the same subnet as the other management nodes, and then click "Save".

To configure NSX with an external load balancer, set up an external load balancer with the following requirements:
- Configure the external load balancer to control traffic to the NSX Manager nodes.
- Configure the external load balancer to use the round robin method and configure source persistence for the load balancer's virtual IP.
- Create or import a signed certificate and apply the same certificate to all the NSX Manager nodes. The certificate must have the FQDN of the virtual IP and each of the nodes in the SAN.

Note: An external load balancer will not work with the NSX Manager VIP. Do not configure an NSX Manager VIP if using an external load balancer.

If the cluster status is not in a healthy state, identify the degraded component on the appliance and troubleshoot the issue with the error information provided.

b
The NSX Managers must be deployed on separate physical hosts.
CM-6 - Medium - CCI-000366 - V-263229 - SV-263229r977454_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
NMGR-4X-000103
Vuln IDs
  • V-263229
Rule IDs
  • SV-263229r977454_rule
SDN relies heavily on control messages between a controller and the forwarding devices for network convergence. The controller uses node and link state discovery information to calculate and determine optimum pathing within the SDN network infrastructure based on application, business, and security policies. Operating in the proactive flow instantiation mode, the SDN controller populates forwarding tables to the SDN-aware forwarding devices. At times, the SDN controller must function in reactive flow instantiation mode; that is, when a forwarding device receives a packet for a flow not found in its forwarding table, it must send it to the controller to receive forwarding instructions. With total dependence on the SDN controller for determining forwarding decisions and path optimization within the SDN infrastructure for both proactive and reactive flow modes of operation, having a single point of failure is not acceptable. A controller failure with no failover backup leaves the network in an unmanaged state. Hence, it is imperative that the SDN controllers are deployed as clusters on separate physical hosts to guarantee high network availability.
Checks: C-67129r977452_chk

This check must be performed in vCenter.

From the vSphere Client, go to Administration >> Hosts and Clusters >> Select the cluster where the NSX Managers are deployed >> Configure >> Configuration >> VM/Host Rules.

If the NSX Manager cluster does not have rules applied to it that separate the nodes onto different physical hosts, this is a finding.

Fix: F-67037r977453_fix

This fix must be performed in vCenter.

From the vSphere Client, go to Administration >> Hosts and Clusters >> Select the cluster where the NSX Managers are deployed >> Configure >> Configuration >> VM/Host Rules. Click "Add" to create a new rule. Provide a name and select "Separate Virtual Machines" under Type. Add the three NSX Manager virtual machines to the list and click "OK".