VMware NSX 4.x Manager NDM Security Technical Implementation Guide

  • Version/Release: V1R2
  • Published: 2024-12-13
  • Released: 2025-01-30

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
The NSX Manager must configure logging levels for services to ensure audit records are generated.
AC-2 - Medium - CCI-001403 - V-265289 - SV-265289r994090_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001403
Version
NMGR-4X-000007
Vuln IDs
  • V-265289
Rule IDs
  • SV-265289r994090_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the network device (e.g., module or policy filter). Satisfies: SRG-APP-000027-NDM-000209, SRG-APP-000495-NDM-000318, SRG-APP-000499-NDM-000319, SRG-APP-000503-NDM-000320, SRG-APP-000504-NDM-000321, SRG-APP-000505-NDM-000322, SRG-APP-000506-NDM-000323, SRG-APP-000516-NDM-000334
Checks: C-69206r994088_chk

From an NSX Manager shell, run the following commands:
> get service async_replicator | find Logging
> get service auth | find Logging
> get service http | find Logging
> get service manager | find Logging
> get service telemetry | find Logging
Expected result:
Logging level: info
If any service listed does not have logging level configured to "info", this is a finding.

Fix: F-69114r994089_fix

From an NSX Manager shell, run the following commands:
> set service async_replicator logging-level info
> set service auth logging-level info
> set service http logging-level info
> set service manager logging-level info
> set service telemetry logging-level info

The NSX Manager must assign users/accounts to organization-defined roles configured with approved authorizations.
AC-3 - High - CCI-000213 - V-265292 - SV-265292r994099_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
NMGR-4X-000010
Vuln IDs
  • V-265292
Rule IDs
  • SV-265292r994099_rule
The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. Users must be assigned to roles which are configured with approved authorizations and access permissions. The NSX Manager must be configured granularly based on organization requirements to only allow authorized administrators to execute privileged functions. Role assignments should control which administrators can view or change the device configuration, system files, and locally stored audit information. Satisfies: SRG-APP-000033-NDM-000212, SRG-APP-000038-NDM-000213, SRG-APP-000119-NDM-000236, SRG-APP-000120-NDM-000237, SRG-APP-000133-NDM-000244, SRG-APP-000231-NDM-000271, SRG-APP-000329-NDM-000287, SRG-APP-000340-NDM-000288, SRG-APP-000378-NDM-000302, SRG-APP-000380-NDM-000304, SRG-APP-000408-NDM-000314, SRG-APP-000516-NDM-000335
Checks: C-69209r994097_chk

From the NSX Manager web interface, go to System >> Settings >> User Management >> User Role Assignment. View each user and group and verify the role assigned has authorization limits as appropriate to the role and in accordance with the site's documentation. If any user/group or service account are assigned to roles with privileges that are beyond those required and authorized by the organization, this is a finding.

Fix: F-69117r994098_fix

To create a new role with reduced permissions, do the following:
From the NSX Manager web interface, go to System >> Settings >> User Management >> Roles.
Click "Add Role", provide a name and the required permissions, and then click "Save".
To move a user or group to an existing role with reduced permissions, do the following:
From the NSX Manager web interface, go to System >> Settings >> User Management >> User Role Assignment.
Click the menu dropdown next to the target user or group and select "Edit".
Remove the existing role, select the new one, and then click "Save".

The NSX Manager must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes.
AC-7 - Medium - CCI-000044 - V-265293 - SV-265293r994102_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-000044
Version
NMGR-4X-000012
Vuln IDs
  • V-265293
Rule IDs
  • SV-265293r994102_rule
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.
Checks: C-69210r994100_chk

From an NSX Manager shell, run the following commands:
> get auth-policy api lockout-reset-period
Expected result: 900 seconds
If the output does not match the expected result, this is a finding.
> get auth-policy api lockout-period
Expected result: 900 seconds
If the output does not match the expected result, this is a finding.
> get auth-policy api max-auth-failures
Expected result: 3
If the output does not match the expected result, this is a finding.
> get auth-policy cli lockout-period
Expected result: 900 seconds
If the output does not match the expected result, this is a finding.
> get auth-policy cli max-auth-failures
Expected result: 3
If the output does not match the expected result, this is a finding.

Fix: F-69118r994101_fix

From an NSX Manager shell, run the following commands:
> set auth-policy api lockout-reset-period 900
> set auth-policy api lockout-period 900
> set auth-policy api max-auth-failures 3
> set auth-policy cli lockout-period 900
> set auth-policy cli max-auth-failures 3

The NSX Manager must display the Standard Mandatory DOD Notice and Consent Banner before granting access.
AC-8 - Medium - CCI-000048 - V-265294 - SV-265294r994105_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000048
Version
NMGR-4X-000013
Vuln IDs
  • V-265294
Rule IDs
  • SV-265294r994105_rule
Display of the DOD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users.
Checks: C-69211r994103_chk

Determine if the network device is configured to present a DOD-approved banner that is formatted in accordance with DTM-08-060.
From the NSX Manager web interface, go to System >> Settings >> General Settings >> User Interface.
Review the Login Consent Settings.
If the "Consent Message Description" does not contain the Standard Mandatory DOD Notice and Consent Banner verbiage, this is a finding.
The Standard Mandatory DOD Notice and Consent Banner verbiage is as follows:
"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

Fix: F-69119r994104_fix

From the NSX Manager web interface, go to System >> Settings >> General Settings >> User Interface.
Under Login Consent Settings, click "Edit".
Enter the banner language in the "Consent Message Description" text box, formatted in accordance with DTM-08-060, and click "Save".
"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

The NSX Manager must retain the Standard Mandatory DOD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access.
AC-8 - Medium - CCI-000050 - V-265295 - SV-265295r994108_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000050
Version
NMGR-4X-000014
Vuln IDs
  • V-265295
Rule IDs
  • SV-265295r994108_rule
The banner must be acknowledged by the administrator prior to the device allowing the administrator access to the network device. This provides assurance that the administrator has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the administrator, DOD will not be in compliance with system use notifications required by law. To establish acceptance of the network administration policy, a click-through banner at management session logon is required. The device must prevent further activity until the administrator executes a positive action to manifest agreement. In the case of CLI access using a terminal client, entering the username and password when the banner is presented is considered an explicit action of acknowledgement. Entering the username, viewing the banner, then entering the password is also acceptable.
Checks: C-69212r994106_chk

From the NSX Manager web interface, go to System >> Settings >> General Settings >> User Interface.
Review the Login Consent Settings.
Verify "Login Consent" is On.
Verify "Require Explicit User Consent" is set to Yes.
If the Standard Mandatory DOD Notice and Consent Banner is not retained on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access, this is a finding.

Fix: F-69120r994107_fix

From the NSX Manager web interface, go to System >> Settings >> General Settings >> User Interface.
Under Login Consent Settings, click "Edit".
Toggle "Login Consent" to On.
Toggle "Require Explicit User Consent" to Yes.
Note: The banner text is also entered here; however, that is covered by NMGR-4X-000013.

The NSX Manager must be configured to integrate with an identity provider that supports multifactor authentication (MFA).
AU-10 - High - CCI-000166 - V-265296 - SV-265296r994111_rule
RMF Control
AU-10
Severity
High
CCI
CCI-000166
Version
NMGR-4X-000015
Vuln IDs
  • V-265296
Rule IDs
  • SV-265296r994111_rule
Common attacks against single-factor authentication are attacks on user passwords. These attacks include brute force password guessing, password spraying, and password credential stuffing. This requirement also supports nonrepudiation of actions taken by an administrator. This requirement ensures the NSX Manager is configured to use a centralized authentication service to authenticate users prior to granting administrative access. As of NSX 4.1 and vCenter 8.0 Update 2, NSX Manager administrator access can also be configured by connecting VMware NSX to the Workspace ONE Access Broker in VMware vCenter for federated identity. Refer to the NSX product documentation to configure this access option. Satisfies: SRG-APP-000080-NDM-000220, SRG-APP-000149-NDM-000247, SRG-APP-000516-NDM-000336
Checks: C-69213r994109_chk

From the NSX Manager web interface, go to System >> Settings >> User Management >> Authentication Providers.
Verify that either the "VMware Identity Manager" or the "OpenID Connect" tab is configured.
If NSX is not configured to integrate with an identity provider that supports MFA, this is a finding.

Fix: F-69121r994110_fix

To configure NSX to integrate with VMware Identity Manager or Workspace ONE Access as the authentication source, do the following:
From the NSX Manager web interface, go to System >> Settings >> User Management >> Authentication Providers >> VMware Identity Manager and click "Edit".
If using an external load balancer for the NSX Management cluster, enable "External Load Balancer Integration". If using a cluster VIP, leave this disabled.
Click the toggle button to enable "VMware Identity Manager Integration".
Enter the VMware Identity Manager or Workspace ONE Access appliance name, OAuth Client ID, OAuth Client Secret, and certificate thumbprint as provided by the administrators.
Enter the NSX Appliance FQDN. For a cluster, enter the load balancer FQDN or cluster VIP FQDN.
Click "Save", import users and groups, and then assign them roles. (The users are not actually local and remain in the authentication/AAA server.)
Note: As of NSX 4.1 and vCenter 8.0 Update 2, NSX Manager administrator access can also be configured by connecting VMware NSX to the Workspace ONE Access Broker in VMware vCenter for federated identity. Refer to the NSX product documentation to configure this access option.
Ensure the identity provider administrators have configured the provider to support multifactor authentication.

The NSX Manager must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.
AC-2 - Medium - CCI-001358 - V-265313 - SV-265313r1051115_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001358
Version
NMGR-4X-000035
Vuln IDs
  • V-265313
Rule IDs
  • SV-265313r1051115_rule
Authentication for administrative (privileged level) access to the device is required at all times. An account can be created on the device's local database for use when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is referred to as the account of last resort since it is intended to be used as a last resort and when immediate administrative access is absolutely necessary. The account of last resort logon credentials must be stored in a sealed envelope and kept in a safe. The safe must be periodically audited to verify the envelope remains sealed. The signature of the auditor and the date of the audit should be added to the envelope as a record. Administrators should secure the credentials and disable the root account (if possible) when not needed for system administration functions.
Checks: C-69230r994160_chk

From the NSX Manager web interface, go to System >> Settings >> User Management >> Local Users and view the Status column.
If any local account other than the account of last resort is active, this is a finding.

Fix: F-69138r994161_fix

From the NSX Manager web interface, go to System >> Settings >> User Management >> Local Users.
Select the menu dropdown next to any local user on the list except for the "admin" account (the account of last resort).
Click "Modify", and then click "Deactivate User".

The NSX Manager must only enable TLS 1.2 or greater.
IA-2 - High - CCI-001941 - V-265315 - SV-265315r994168_rule
RMF Control
IA-2
Severity
High
CCI
CCI-001941
Version
NMGR-4X-000038
Vuln IDs
  • V-265315
Rule IDs
  • SV-265315r994168_rule
A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. Configuration of TLS on the NSX also ensures that passwords are not transmitted in the clear. TLS 1.0 and 1.1 are deprecated protocols with well-published shortcomings and vulnerabilities. TLS 1.2 or greater must be enabled on all interfaces and TLS 1.1 and 1.0 disabled where supported. Satisfies: SRG-APP-000156-NDM-000250, SRG-APP-000172-NDM-000259
Checks: C-69232r994166_chk

Viewing TLS protocol enablement must be done via the API. Execute the following API call using curl or another REST API client:
GET https://<nsx-mgr>/api/v1/cluster/api-service
Example result:
"protocol_versions": [
  { "name": "TLSv1.1", "enabled": false },
  { "name": "TLSv1.2", "enabled": true },
  { "name": "TLSv1.3", "enabled": true }
]
If TLS 1.1 is enabled, this is a finding.

Fix: F-69140r994167_fix

Capture the full output from the check's GET call, change the TLS 1.1 entry to "enabled": false, and send the whole object back otherwise unchanged. Keep the "_revision" value exactly as the GET returned it: the NSX API rejects a PUT whose "_revision" does not match the object's current revision. Run the following API call using curl or another REST API client:
PUT https://<nsx-mgr>/api/v1/cluster/api-service
Example request body:
{
  "session_timeout": 1800,
  "connection_timeout": 30,
  "protocol_versions": [
    { "name": "TLSv1.1", "enabled": false },
    { "name": "TLSv1.2", "enabled": true },
    { "name": "TLSv1.3", "enabled": true }
  ],
  "cipher_suites": [
    { "name": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "enabled": true },
    { "name": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "enabled": true },
    { "name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "enabled": true },
    { "name": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "enabled": true },
    { "name": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "enabled": true },
    { "name": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "enabled": true },
    { "name": "TLS_RSA_WITH_AES_128_CBC_SHA", "enabled": true },
    { "name": "TLS_RSA_WITH_AES_128_CBC_SHA256", "enabled": true },
    { "name": "TLS_RSA_WITH_AES_128_GCM_SHA256", "enabled": true },
    { "name": "TLS_RSA_WITH_AES_256_CBC_SHA", "enabled": true },
    { "name": "TLS_RSA_WITH_AES_256_CBC_SHA256", "enabled": true },
    { "name": "TLS_RSA_WITH_AES_256_GCM_SHA384", "enabled": true },
    { "name": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "enabled": true },
    { "name": "TLS_AES_128_GCM_SHA256", "enabled": true },
    { "name": "TLS_AES_256_GCM_SHA384", "enabled": true },
    { "name": "TLS_CHACHA20_POLY1305_SHA256", "enabled": true }
  ],
  "redirect_host": "",
  "client_api_rate_limit": 100,
  "global_api_concurrency_limit": 199,
  "client_api_concurrency_limit": 40,
  "basic_authentication_enabled": true,
  "cookie_based_authentication_enabled": true,
  "resource_type": "ApiServiceConfig",
  "id": "reverse_proxy_config",
  "display_name": "reverse_proxy_config",
  "_create_time": 1703175890703,
  "_create_user": "system",
  "_last_modified_time": 1703175890703,
  "_last_modified_user": "system",
  "_system_owned": false,
  "_protection": "NOT_PROTECTED",
  "_revision": 0
}
Note: Changes are applied to all nodes in the cluster. The API service on each node will restart after it is updated using this API. There may be a delay of up to a minute or so between the time this API call completes and when the new configuration goes into effect.
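The check and fix above can be scripted against the GET document itself. The following is an added example (not DISA's or VMware's code) in standard-library Python 3: it reports any enabled protocol version older than TLS 1.2, builds the PUT body from the GET response without touching any other field (so the "_revision" the API requires is carried over), and sends it with HTTP basic authentication, which the example body shows enabled. SAMPLE_API_SERVICE is a constructed subset of the page's example body with TLS 1.1 still enabled; host, user and password in put_api_service are placeholders the caller supplies. The cipher-suite helper goes beyond what this rule requires and is informational only.

```python
"""Added example for NMGR-4X-000038 (not DISA or VMware code): evaluate a
GET /api/v1/cluster/api-service document and build the matching PUT body.
SAMPLE_API_SERVICE is a constructed subset of the page's example body."""
import base64
import json
import re
import urllib.request

SAMPLE_API_SERVICE = {
    "protocol_versions": [
        {"name": "TLSv1.1", "enabled": True},   # the non-compliant setting
        {"name": "TLSv1.2", "enabled": True},
        {"name": "TLSv1.3", "enabled": True},
    ],
    "cipher_suites": [
        {"name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "enabled": True},
        {"name": "TLS_RSA_WITH_AES_128_CBC_SHA", "enabled": True},
        {"name": "TLS_AES_256_GCM_SHA384", "enabled": True},
    ],
    "session_timeout": 1800,
    "resource_type": "ApiServiceConfig",
    "id": "reverse_proxy_config",
    "_revision": 0,
}


def tls_minor(name):
    """'TLSv1' -> 0, 'TLSv1.1' -> 1, 'TLSv1.2' -> 2, 'TLSv1.3' -> 3.
    Anything that is not a TLSv1.x name is treated as legacy (-1)."""
    match = re.fullmatch(r"TLSv1(?:\.(\d+))?", name)
    if not match:
        return -1
    return int(match.group(1) or 0)


def enabled_legacy_protocols(api_service):
    """Names of enabled protocol versions below TLS 1.2; a non-empty list is a finding."""
    return [p["name"] for p in api_service.get("protocol_versions", [])
            if p.get("enabled") and tls_minor(p["name"]) < 2]


def build_fix_body(api_service):
    """Deep copy of the GET document with every pre-1.2 version set to enabled=false.
    Every other field, including _revision, is kept: the NSX API rejects a PUT whose
    _revision does not match the object's current revision."""
    body = json.loads(json.dumps(api_service))
    for version in body["protocol_versions"]:
        if tls_minor(version["name"]) < 2:
            version["enabled"] = False
    return body


def non_pfs_or_cbc_suites(api_service):
    """Informational, beyond this rule: enabled TLS_RSA_* suites provide no forward
    secrecy and *_CBC_* suites are not AEAD. Useful where site policy goes further."""
    return [s["name"] for s in api_service.get("cipher_suites", [])
            if s.get("enabled") and (s["name"].startswith("TLS_RSA_") or "_CBC_" in s["name"])]


def put_api_service(host, user, password, body, timeout=30):
    """Send the fix: PUT /api/v1/cluster/api-service with HTTP basic auth. urllib verifies
    the server certificate by default, so the manager's certificate must be trusted by
    this client. Not called at import time; host/user/password are caller-supplied."""
    credentials = base64.b64encode(f"{user}:{password}".encode()).decode()
    request = urllib.request.Request(
        f"https://{host}/api/v1/cluster/api-service",
        data=json.dumps(body).encode(), method="PUT",
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "Authorization": "Basic " + credentials},
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return json.load(response)
```

A typical run is GET, `enabled_legacy_protocols` to decide whether there is a finding, `build_fix_body` on the same document, then `put_api_service`; re-running the GET a minute later (the API service restarts) confirms the change on every node.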

The NSX Manager must enforce a minimum 15-character password length for local accounts.
IA-5 - Medium - CCI-000205 - V-265316 - SV-265316r994171_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000205
Version
NMGR-4X-000039
Vuln IDs
  • V-265316
Rule IDs
  • SV-265316r994171_rule
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
Checks: C-69233r994169_chk

From an NSX Manager shell, run the following command:
> get password-complexity
If the minimum password length is not 15 or greater, this is a finding.

Fix: F-69141r994170_fix

From an NSX Manager shell, run the following command:
> set password-complexity minimum-password-length 15

The NSX Manager must enforce password complexity by requiring that at least one uppercase character be used for local accounts.
IA-5 - Medium - CCI-000192 - V-265317 - SV-265317r994174_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000192
Version
NMGR-4X-000040
Vuln IDs
  • V-265317
Rule IDs
  • SV-265317r994174_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using public key infrastructure (PKI) is not available, and for the account of last resort and root account.
Checks: C-69234r994172_chk

From an NSX Manager shell, run the following command:
> get password-complexity
If the minimum uppercase characters is not 1 or more, this is a finding.
Note: If a maximum number of uppercase characters has been configured, a minimum will not be shown.

Fix: F-69142r994173_fix

From an NSX Manager shell, run the following command:
> set password-complexity upper-chars -1
Note: Negative numbers indicate a minimum number of characters.

The NSX Manager must enforce password complexity by requiring that at least one lowercase character be used for local accounts.
IA-5 - Medium - CCI-000193 - V-265318 - SV-265318r994177_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000193
Version
NMGR-4X-000041
Vuln IDs
  • V-265318
Rule IDs
  • SV-265318r994177_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-69235r994175_chk

From an NSX Manager shell, run the following command:
> get password-complexity
If the minimum lowercase characters is not 1 or more, this is a finding.
Note: If a maximum number of lowercase characters has been configured, a minimum will not be shown.

Fix: F-69143r994176_fix

From an NSX Manager shell, run the following command:
> set password-complexity lower-chars -1
Note: Negative numbers indicate a minimum number of characters.

The NSX Manager must enforce password complexity by requiring that at least one numeric character be used for local accounts.
IA-5 - Medium - CCI-000194 - V-265319 - SV-265319r994180_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000194
Version
NMGR-4X-000042
Vuln IDs
  • V-265319
Rule IDs
  • SV-265319r994180_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-69236r994178_chk

From an NSX Manager shell, run the following command:
> get password-complexity
If the minimum numeric characters is not 1 or more, this is a finding.
Note: If a maximum number of numeric characters has been configured, a minimum will not be shown.

Fix: F-69144r994179_fix

From an NSX Manager shell, run the following command:
> set password-complexity digits -1
Note: Negative numbers indicate a minimum number of characters.

The NSX Manager must enforce password complexity by requiring that at least one special character be used for local accounts.
IA-5 - Medium - CCI-001619 - V-265320 - SV-265320r994183_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-001619
Version
NMGR-4X-000043
Vuln IDs
  • V-265320
Rule IDs
  • SV-265320r994183_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-69237r994181_chk

From an NSX Manager shell, run the following command:
> get password-complexity
If the minimum special characters is not 1 or more, this is a finding.
Note: If a maximum number of special characters has been configured, a minimum will not be shown.

Fix: F-69145r994182_fix

From an NSX Manager shell, run the following command:
> set password-complexity special-chars -1
Note: Negative numbers indicate a minimum number of characters.

The NSX Manager must require that when a password is changed, the characters are changed in at least eight of the positions within the password.
IA-5 - Medium - CCI-000195 - V-265321 - SV-265321r1043189_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000195
Version
NMGR-4X-000044
Vuln IDs
  • V-265321
Rule IDs
  • SV-265321r1043189_rule
If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-69238r994184_chk

From an NSX Manager shell, run the following command:
> get password-complexity
If the number of consecutive characters allowed for reuse is not eight or more, this is a finding.
Note: If this has not previously been configured, it will not be shown in the output.

Fix: F-69146r994185_fix

From an NSX Manager shell, run the following command:
> set password-complexity max-repeats 8

The NSX Manager must terminate all network connections associated with a session after five minutes of inactivity.
SC-10 - High - CCI-001133 - V-265327 - SV-265327r994204_rule
RMF Control
SC-10
Severity
High
CCI
CCI-001133
Version
NMGR-4X-000052
Vuln IDs
  • V-265327
Rule IDs
  • SV-265327r994204_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take immediate control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or deallocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. Satisfies: SRG-APP-000190-NDM-000267, SRG-APP-000186-NDM-000266, SRG-APP-000400-NDM-000313
Checks: C-69244r994202_chk

From an NSX Manager shell, run the following command:
> get service http | find Session
Expected result:
Session timeout: 300
If the session timeout is not configured to 300 or less, this is a finding.
From an NSX Manager shell, run the following command:
> get cli-timeout
Expected result: 300 seconds
If the CLI timeout is not configured to 300 or less, this is a finding.

Fix: F-69152r994203_fix

From an NSX Manager shell, run the following commands:
> set service http session-timeout 300
> set cli-timeout 300

The NSX Manager must be configured to synchronize internal information system clocks using redundant authoritative time sources.
AU-8 - Medium - CCI-001893 - V-265338 - SV-265338r994237_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001893
Version
NMGR-4X-000067
Vuln IDs
  • V-265338
Rule IDs
  • SV-265338r994237_rule
The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must use an authoritative time server and/or be configured to use redundant authoritative time sources. DOD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DOD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.
Checks: C-69255r994235_chk

From the NSX Manager web interface, go to System >> Configuration >> Fabric >> Profiles >> Node Profiles. Click "All NSX Nodes" and verify the NTP servers listed.
or
From an NSX Manager shell, run the following command:
> get ntp-server
If the output does not contain at least two authoritative time sources, this is a finding.
If the output contains unknown or nonauthoritative time sources, this is a finding.

Fix: F-69163r994236_fix

To configure a profile to apply NTP servers to all NSX Manager nodes, do the following:
From the NSX Manager web interface, go to System >> Configuration >> Fabric >> Profiles >> Node Profiles. Click "All NSX Nodes" and then click "Edit". Under NTP servers, remove any unknown or nonauthoritative NTP servers, enter at least two authoritative servers, and then click "Save".
or
From an NSX Manager shell, run the following commands:
> del ntp-server <server-ip or server-name>
> set ntp-server <server-ip or server-name>

b
The NSX Manager must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC).
AU-8 - Medium - CCI-001890 - V-265339 - SV-265339r994240_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001890
Version
NMGR-4X-000068
Vuln IDs
  • V-265339
Rule IDs
  • SV-265339r994240_rule
If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the application include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.
Checks: C-69256r994238_chk

From the NSX Manager web interface, go to System >> Configuration >> Fabric >> Profiles >> Node Profiles. Click "All NSX Nodes" and verify the time zone.
or
From an NSX Manager shell, run the following command:
> get clock
Note: This check must be run from each NSX Manager as they are configured individually if done from the command line.
If the system clock is not configured with the UTC time zone, this is a finding.

Fix: F-69164r994239_fix

To configure a profile to apply a time zone to all NSX Manager nodes, do the following:
From the NSX Manager web interface, go to System >> Configuration >> Fabric >> Profiles >> Node Profiles. Click "All NSX Nodes", and then click "Edit". In the time zone drop-down list, select "UTC", and then click "Save".
or
From an NSX Manager shell, run the following command:
> set timezone UTC
Note: This fix must be run from each NSX Manager as they are configured individually if done from the command line.

b
The NSX Manager must be configured to protect against denial-of-service (DoS) attacks by limiting the number of concurrent sessions to an organization-defined number.
SC-5 - Medium - CCI-002385 - V-265346 - SV-265346r994261_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
NMGR-4X-000079
Vuln IDs
  • V-265346
Rule IDs
  • SV-265346r994261_rule
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Limiting the number of concurrent open sessions helps limit the risk of DoS attacks. Organizations may define the maximum number of concurrent sessions for system accounts globally or by connection type. By default, the NSX Manager has a protection mechanism in place to prevent the API from being overloaded. This setting also addresses concurrent sessions for integrations into NSX API to monitor or configure NSX. Satisfies: SRG-APP-000435-NDM-000315, SRG-APP-000001-NDM-000200
Checks: C-69263r994259_chk

From an NSX Manager shell, run the following command:
> get service http | find limit
Expected result:
Client API concurrency limit: 40 connections
Global API concurrency limit: 199 connections
If the NSX does not limit the number of concurrent sessions to an organization-defined number, this is a finding.

Fix: F-69171r994260_fix

From an NSX Manager shell, run the following commands:
> set service http client-api-concurrency-limit 40
> set service http global-api-concurrency-limit 199
Note: The limit numbers in this example, while not mandatory, are the vendor-recommended options. Setting the limits to lower numbers in a large, very busy environment may cause operational issues. Setting the limits higher may cause resource contention, so any change should be tested and monitored.
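The session timeout and CLI timeout check earlier on this page and the API concurrency limit check here both read "Key: value" lines from the NSX Manager CLI. The following is an added example, not part of this STIG and not VMware code, that evaluates sample output from both checks against the stated limits and produces the matching "set" commands from the fixes. The sample output is constructed from the expected results quoted above, and treating a timeout of 0 as a disabled timer is an assumption.

```python
import re

# Constructed sample output, modeled on the "get service http" and
# "get cli-timeout" results quoted in the checks; not captured from a real
# appliance. Both timers here exceed the 300-second ceiling on purpose.
SAMPLE_HTTP_OUTPUT = """\
Service name: http
Service state: running
Session timeout: 1800
Client API concurrency limit: 40 connections
Global API concurrency limit: 199 connections
"""
SAMPLE_CLI_TIMEOUT_OUTPUT = "600 seconds\n"


def parse_kv(text):
    """Turn 'Key: value' lines of CLI output into a dict (other lines are ignored)."""
    pairs = {}
    for line in text.splitlines():
        if ": " in line:
            key, value = line.split(": ", 1)
            pairs[key.strip()] = value.strip()
    return pairs


def leading_int(value):
    """Return the first integer in strings such as '40 connections' or '300 seconds'."""
    match = re.search(r"\d+", value or "")
    return int(match.group()) if match else None


def check_http_service(http_output, cli_timeout_output,
                       max_idle=300, client_limit=40, global_limit=199):
    """Evaluate both checks and return (findings, fix_commands).

    max_idle is the 300-second ceiling from the session timeout check; the two
    concurrency limits default to the vendor-recommended values quoted in the
    fix, and an organization substitutes its own defined numbers.
    """
    props = parse_kv(http_output)
    findings, fixes = [], []

    # Idle timers: a value above the ceiling is a finding. A value of 0 is
    # assumed here to mean "timer disabled" and is treated as a finding too.
    for label, value, command in (
        ("Session timeout", leading_int(props.get("Session timeout")),
         f"set service http session-timeout {max_idle}"),
        ("CLI timeout", leading_int(cli_timeout_output),
         f"set cli-timeout {max_idle}"),
    ):
        if value is None or value == 0 or value > max_idle:
            findings.append(f"{label} is {value}; must be {max_idle} seconds or less")
            fixes.append(command)

    # Concurrency limits: compare against the organization-defined numbers.
    for label, expected, command in (
        ("Client API concurrency limit", client_limit,
         f"set service http client-api-concurrency-limit {client_limit}"),
        ("Global API concurrency limit", global_limit,
         f"set service http global-api-concurrency-limit {global_limit}"),
    ):
        actual = leading_int(props.get(label))
        if actual != expected:
            findings.append(f"{label} is {actual}; expected {expected} connections")
            fixes.append(command)

    return findings, fixes


if __name__ == "__main__":
    findings, fixes = check_http_service(SAMPLE_HTTP_OUTPUT, SAMPLE_CLI_TIMEOUT_OUTPUT)
    for item in findings:
        print("FINDING:", item)
    for command in fixes:
        print("FIX: >", command)
```

Feed the function the text captured from the two CLI commands on each manager; the returned commands are exactly the ones from the fixes, so a reviewer can see what would change before anything is typed into the shell.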

c
The NSX Manager must be configured to send logs to a central log server.
AU-4 - High - CCI-001851 - V-265348 - SV-265348r994267_rule
RMF Control
AU-4
Severity
High
CCI
CCI-001851
Version
NMGR-4X-000087
Vuln IDs
  • V-265348
Rule IDs
  • SV-265348r994267_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. Satisfies: SRG-APP-000515-NDM-000325, SRG-APP-000357-NDM-000293, SRG-APP-000516-NDM-000350
Checks: C-69265r994265_chk

From the NSX Manager web interface, go to System >> Fabric >> Profiles >> Node Profiles. Click "All NSX Nodes" and verify the Syslog servers listed.
or
From an NSX Manager shell, run the following command:
> get logging-servers
Note: This command must be run from each NSX Manager as they are configured individually.
If no logging servers are configured or unauthorized logging servers are configured, this is a finding.
If the log level is not set to INFO, this is a finding.

Fix: F-69173r994266_fix

To configure a profile to apply syslog servers to all NSX Manager nodes, do the following:
From the NSX Manager web interface, go to System >> Fabric >> Profiles >> Node Profiles. Click "All NSX Nodes" and then under "Syslog Servers" click "Add". Enter the syslog server details, choose "Information" for the log level, and click "Add".
or
(Optional) From an NSX Manager shell, run the following command to clear any existing incorrect logging servers:
> clear logging-servers
From an NSX Manager shell, run the following command to configure a UDP/TCP syslog server:
> set logging-server <server-ip or server-name> proto <tcp or udp> level info
From an NSX Manager shell, run the following command to configure a TLS syslog server:
> set logging-server <server-ip or server-name> proto tls level info serverca ca.pem clientca ca.pem certificate cert.pem key key.pem
From an NSX Manager shell, run the following command to configure an LI-TLS syslog server:
> set logging-server <server-ip or server-name> proto li-tls level info serverca root-ca.crt
Note: If using the TLS or LI-TLS protocol to configure a secure connection to a log server, the server and client certificates must be stored in /image/vmware/nsx/file-store on each NSX-T Manager appliance.
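The redundant time source check earlier on this page and the central log server check here are both allowlist checks: every configured server must be one the organization designated, with a minimum count for NTP and a required INFO level for syslog. The following added example, not part of this STIG and not VMware code, evaluates both against constructed allowlists and emits the "del"/"set" commands from the two fixes. The input dictionaries are constructed to resemble what the NSX Manager API returns for node NTP settings and syslog exporters; their field names (service_properties.servers, results[].server/level) are assumptions, not values from the STIG.

```python
# Constructed samples shaped like the node NTP settings and syslog exporter
# list an NSX Manager exposes through its API; field names are assumptions.
SAMPLE_NTP = {"service_properties": {"servers": ["ntp1.example.mil", "203.0.113.7"]}}
SAMPLE_SYSLOG = {"results": [
    {"server": "siem1.example.mil", "port": 6514, "protocol": "TLS", "level": "WARNING"},
    {"server": "198.51.100.20", "port": 514, "protocol": "UDP", "level": "INFO"},
]}

# Constructed allowlists: the organization's authoritative time sources and
# authorized log servers.
AUTHORITATIVE_NTP = {"ntp1.example.mil", "ntp2.example.mil"}
AUTHORIZED_SYSLOG = {"siem1.example.mil", "siem2.example.mil"}

# Certificate arguments from the TLS form of "set logging-server" in the fix;
# the named files must already be in the appliance file-store.
TLS_ARGS = "serverca ca.pem clientca ca.pem certificate cert.pem key key.pem"


def unknown_entries(configured, allowed):
    """Entries present on the device that are not on the allowlist."""
    return sorted(set(configured) - set(allowed))


def check_ntp(ntp_config, authoritative, minimum=2):
    """Return (findings, fix_commands) for the redundant time source check."""
    servers = ntp_config.get("service_properties", {}).get("servers", [])
    findings, fixes = [], []
    for server in unknown_entries(servers, authoritative):
        findings.append(f"Unknown or nonauthoritative NTP server {server}")
        fixes.append(f"del ntp-server {server}")
    known = [s for s in servers if s in authoritative]
    if len(known) < minimum:
        findings.append(f"Only {len(known)} authoritative NTP server(s); at least {minimum} required")
        for server in sorted(set(authoritative) - set(known)):
            fixes.append(f"set ntp-server {server}")
    return findings, fixes


def check_syslog(exporters, authorized, proto="tls"):
    """Return (findings, fix_commands) for the central log server check.

    Every exporter must point at an authorized server and log at INFO. Any
    finding yields the fix sequence from the STIG: clear the list, then re-add
    each authorized server at level info using the chosen protocol.
    """
    entries = exporters.get("results", [])
    findings = []
    if not entries:
        findings.append("No logging servers configured")
    for entry in entries:
        server = entry.get("server")
        if server not in authorized:
            findings.append(f"Unauthorized logging server {server}")
        elif str(entry.get("level", "")).upper() != "INFO":
            findings.append(f"Logging server {server} logs at {entry.get('level')}, not INFO")
    fixes = []
    if findings:
        fixes.append("clear logging-servers")
        suffix = f" {TLS_ARGS}" if proto == "tls" else ""
        for server in sorted(authorized):
            fixes.append(f"set logging-server {server} proto {proto} level info{suffix}")
    return findings, fixes


if __name__ == "__main__":
    for name, result in (("NTP", check_ntp(SAMPLE_NTP, AUTHORITATIVE_NTP)),
                         ("Syslog", check_syslog(SAMPLE_SYSLOG, AUTHORIZED_SYSLOG))):
        findings, fixes = result
        print(name, "findings:", findings)
        print(name, "fixes:", fixes)
```

Because the CLI settings are per node, run the two checks against each manager's own data rather than once per cluster; the node profile in the web interface is the only place the configuration is applied to all nodes at once.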

a
The NSX Manager must not provide environment information to third parties.
CM-6 - Low - CCI-000366 - V-265349 - SV-265349r994270_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
NMGR-4X-000088
Vuln IDs
  • V-265349
Rule IDs
  • SV-265349r994270_rule
Providing technical details about an environment's infrastructure to third parties could unknowingly expose sensitive information to bad actors if intercepted.
Checks: C-69266r994268_chk

From the NSX Manager web interface, go to System >> Settings >> General Settings >> Customer Program >> Customer Experience Improvement Program. If Joined is set to "Yes", this is a finding.

Fix: F-69174r994269_fix

From the NSX Manager web interface, go to System >> Settings >> General Settings >> Customer Program >> Customer Experience Improvement Program, and then click "Edit". Uncheck "Join the VMware Customer Experience Improvement Program" and click "Save".

b
The NSX Manager must be configured to conduct backups on an organizationally defined schedule.
CP-9 - Medium - CCI-000539 - V-265350 - SV-265350r994273_rule
RMF Control
CP-9
Severity
Medium
CCI
CCI-000539
Version
NMGR-4X-000093
Vuln IDs
  • V-265350
Rule IDs
  • SV-265350r994273_rule
Information system backup is a critical step in maintaining data assurance and availability. Information system and security-related documentation contains information pertaining to system configuration and security settings. If this information were not backed up, and a system failure were to occur, the security settings would be difficult to reconfigure quickly and accurately. Maintaining a backup of information system and security-related documentation provides for a quicker recovery time when system outages occur. This control requires the network device to support the organizational central backup process for user account information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups. Satisfies: SRG-APP-000516-NDM-000341, SRG-APP-000516-NDM-000340
Checks: C-69267r994271_chk

From the NSX Manager web interface, go to System >> Lifecycle Management >> Backup and Restore to view the backup configuration. If backup is not configured and scheduled on a recurring frequency, this is a finding.

Fix: F-69175r994272_fix

To configure a backup destination, do the following:
From the NSX Manager web interface, go to System >> Lifecycle Management >> Backup and Restore, and then click "Edit" next to SFTP Server. Enter the target SFTP server, Directory Path, Username, Password, SSH Fingerprint, and Passphrase, and then click "Save".
To configure a backup schedule, do the following:
From the NSX Manager web interface, go to System >> Lifecycle Management >> Backup and Restore, and then click "Edit" next to Schedule. Click the "Recurring Backup" toggle and configure an interval between backups. Enable "Detect NSX configuration change" to trigger backups on detection of configuration changes and specify an interval for detecting changes. Click "Save".

b
The NSX Manager must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
CM-6 - Medium - CCI-000366 - V-265351 - SV-265351r994276_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
NMGR-4X-000094
Vuln IDs
  • V-265351
Rule IDs
  • SV-265351r994276_rule
For user certificates, each organization obtains certificates from an approved, shared service provider, as required by Office of Management and Budget (OMB) policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority will suffice.
Checks: C-69268r994274_chk

NSX Manager uses a certificate for each manager and one for the cluster VIP. In some cases these are the same, but each node and cluster VIP certificate must be checked individually.
Browse to the NSX Manager web interface for each node and the cluster VIP and view the certificate of the website and its issuer.
or
From an NSX Manager shell, run the following commands:
> get certificate api
> get certificate cluster
Save the output to a .cer file to examine.
If the certificate the NSX Manager web interface or cluster is using is not issued by an approved certificate authority or is not currently valid, this is a finding.

Fix: F-69176r994275_fix

Obtain a certificate or certificates signed by an approved certification authority. This can be done individually by generating CSRs through the NSX Manager web interface >> System >> Settings >> Certificates >> CSRs >> Generate CSR, or outside of NSX if a common manager and cluster certificate is desired.
Import the certificate(s) into NSX by doing the following:
From the NSX Manager web interface, go to System >> Settings >> Certificates >> Certificates >> Import >> Import Certificate. Provide a name for the certificate and paste the certificate's contents and key. Uncheck "Service Certificate" and click "Import". After import, note the ID of the certificate(s).
Using curl or another REST API client, perform the following API calls, substituting the certificate IDs noted in the previous step.
To replace a manager's certificate:
POST https://<nsx-mgr>/api/v1/node/services/http?action=apply_certificate&certificate_id=e61c7537-3090-4149-b2b6-19915c20504f
To replace the cluster certificate:
POST https://<nsx-mgr>/api/v1/cluster/api-certificate?action=set_cluster_certificate&certificate_id=d60c6a07-6e59-4873-8edb-339bf75711ac
Note: If an NSX Intelligence appliance is deployed with the NSX Manager cluster, update the NSX Manager node IP, certificate, and thumbprint information that is on the NSX Intelligence appliance. Refer to the VMware Knowledge Base article https://kb.vmware.com/s/article/78505 for more information.

c
The NSX Manager must be running a release that is currently supported by the vendor.
CM-6 - High - CCI-000366 - V-265352 - SV-265352r994279_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
NMGR-4X-000096
Vuln IDs
  • V-265352
Rule IDs
  • SV-265352r994279_rule
Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities.
Checks: C-69269r994277_chk

From the NSX Manager web interface, go to System >> Lifecycle Management >> Upgrade. If the NSX Manager current version is not the latest approved for use in DOD and supported by the vendor, this is a finding.

Fix: F-69177r994278_fix

To upgrade NSX, refer to the upgrade guide in the documentation for the relevant version being upgraded. Refer to the NSX documentation and release notes for information on the latest releases:
https://docs.vmware.com/en/VMware-NSX/index.html
If NSX is part of a VMware Cloud Foundation deployment, refer to that documentation for the latest supported versions and upgrade guidance.

b
The NSX Manager must disable SSH.
CM-6 - Medium - CCI-000366 - V-265353 - SV-265353r994282_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
NMGR-4X-000097
Vuln IDs
  • V-265353
Rule IDs
  • SV-265353r994282_rule
The NSX shell provides temporary access to commands essential for server maintenance. Intended primarily for use in break-fix scenarios, the NSX shell is well suited for checking and modifying configuration details that are not always accessible through the web interface. The NSX shell is accessible remotely using SSH. Under normal operating conditions, SSH access to the managers must be disabled, as is the default. As with the NSX shell, SSH is also intended only for temporary use during break-fix scenarios. SSH must therefore be disabled under normal operating conditions and must only be enabled for diagnostics or troubleshooting. Remote access to the managers must therefore be limited to the web interface and API at all other times.
Checks: C-69270r994280_chk

From an NSX Manager shell, run the following command:
> get service ssh
Expected results:
Service name: ssh
Service state: stopped
Start on boot: False
If the SSH server is not stopped or starts on boot, this is a finding.

Fix: F-69178r994281_fix

From an NSX Manager shell, run the following commands:
> stop service ssh
> clear service ssh start-on-boot

b
The NSX Manager must disable SNMP v2.
CM-6 - Medium - CCI-000366 - V-265354 - SV-265354r994285_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
NMGR-4X-000098
Vuln IDs
  • V-265354
Rule IDs
  • SV-265354r994285_rule
SNMPv3 supports commercial-grade security, including authentication, authorization, access control, and privacy. Previous versions of the protocol contained well-known security weaknesses that were easily exploited. As such, SNMPv1/2 receivers must be disabled.
Checks: C-69271r994283_chk

From the NSX Manager web interface, go to System >> Configuration >> Fabric >> Profiles >> Node Profiles. Click "All NSX Nodes" and view the SNMP Polling and Traps configuration. If SNMP v2c Polling or Traps are configured, this is a finding.

Fix: F-69179r994284_fix

From the NSX Manager web interface, go to System >> Configuration >> Fabric >> Profiles >> Node Profiles. Click "All NSX Nodes" and delete any v2c Polling or Trap configurations.

b
The NSX Manager must enable the global FIPS compliance mode for load balancers.
CM-6 - Medium - CCI-000366 - V-265355 - SV-265355r994288_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
NMGR-4X-000099
Vuln IDs
  • V-265355
Rule IDs
  • SV-265355r994288_rule
If unsecured protocols (lacking cryptographic mechanisms) are used for load balancing, the contents of those sessions will be susceptible to eavesdropping, potentially putting sensitive data at risk of compromise.
Checks: C-69272r994286_chk

From the NSX Manager web interface, go to Home >> Monitoring Dashboards >> Compliance Report. Review the compliance report for code 72024 with the description "load balancer FIPS global setting disabled".
Note: This may also be checked via the API call GET https://<nsx-mgr>/policy/api/v1/infra/global-config
If the global FIPS setting is disabled for load balancers, this is a finding.

Fix: F-69180r994287_fix

Execute the following API call using curl or another REST API client:
PUT https://<nsx-mgr>/policy/api/v1/infra/global-config
Example request body:
{ "fips": { "lb_fips_enabled": true }, "resource_type": "GlobalConfig", "_revision": 2 }
The global setting is used when new load balancer instances are created. Changing the setting does not affect existing load balancer instances. To update existing load balancers to use this setting, do the following:
From the NSX Manager web interface, go to Networking >> Load Balancing and then click "Edit" on the target load balancer. In the attachment field, click the "X" to detach the load balancer from its current Gateway and click "Save". Edit the target load balancer again, reattach it to its Gateway, and then click "Save".
Caution: Detaching a load balancer from the Tier-1 gateway results in a traffic interruption for the load balancer instance.
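The PUT above carries an _revision field, and the value must be the revision of the GlobalConfig object as currently stored, which is why the check suggests reading the object with GET first; NSX rejects a PUT whose revision is stale. The following added example, not part of this STIG and not VMware code, shows the read-modify-write pattern: it evaluates the check on a constructed GlobalConfig object (only the fips, resource_type and _revision keys are taken from the page), builds the update body by copying the current object so that other settings are preserved, and offers a live variant that assumes the caller supplies an already-authenticated urllib opener and the manager hostname.

```python
import json
import urllib.request  # used only by the live helper at the bottom

# Constructed GlobalConfig object shaped like the GET response for
# /policy/api/v1/infra/global-config; FIPS for load balancers is off here.
SAMPLE_GLOBAL_CONFIG = {
    "resource_type": "GlobalConfig",
    "fips": {"lb_fips_enabled": False},
    "_revision": 2,
}

GLOBAL_CONFIG_PATH = "/policy/api/v1/infra/global-config"


def lb_fips_enabled(config):
    """The check: True only when fips.lb_fips_enabled is present and set."""
    return bool(config.get("fips", {}).get("lb_fips_enabled", False))


def build_lb_fips_update(current):
    """Build the PUT body from the object just read.

    Copying the whole object keeps every other global setting as it was;
    _revision is carried over unchanged because the server compares it with
    the stored revision and refuses the write if they differ.
    """
    if "_revision" not in current:
        raise ValueError("GlobalConfig read did not include _revision; re-read before writing")
    body = json.loads(json.dumps(current))  # deep copy, leaves the input untouched
    body.setdefault("fips", {})["lb_fips_enabled"] = True
    body["resource_type"] = "GlobalConfig"
    return body


def apply_lb_fips(manager, opener):
    """Live variant (not exercised offline): GET, modify, PUT.

    manager is the NSX Manager FQDN or IP; opener is an assumed pre-built
    urllib opener that already carries credentials (for example one built
    with urllib.request.HTTPBasicAuthHandler) and trusts the manager's CA.
    Returns the object as stored after the call.
    """
    url = f"https://{manager}{GLOBAL_CONFIG_PATH}"
    with opener.open(url) as resp:
        current = json.load(resp)
    if lb_fips_enabled(current):
        return current  # already compliant; no write needed
    request = urllib.request.Request(
        url,
        data=json.dumps(build_lb_fips_update(current)).encode(),
        method="PUT",
        headers={"Content-Type": "application/json"},
    )
    with opener.open(request) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print("compliant before:", lb_fips_enabled(SAMPLE_GLOBAL_CONFIG))
    print("PUT body:", json.dumps(build_lb_fips_update(SAMPLE_GLOBAL_CONFIG)))
```

After the write, re-run lb_fips_enabled on a fresh GET rather than trusting the PUT's return value alone, and remember that the setting only applies to load balancer instances created afterwards, as the fix explains.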

b
The NSX Manager must be configured as a cluster.
SC-5 - Medium - CCI-002385 - V-265358 - SV-265358r994297_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
NMGR-4X-000102
Vuln IDs
  • V-265358
Rule IDs
  • SV-265358r994297_rule
Failure in a known state can address safety or security in accordance with the mission needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the SDN controller. Preserving network element state information helps to facilitate continuous network operations with minimal or no disruption to mission-essential workload processes and flows.
Checks: C-69275r994295_chk

From the NSX Manager web interface, go to System >> Configuration >> Appliances. Verify three NSX Managers are deployed, a VIP or external load balancer is configured, and the cluster is in a healthy state. If three NSX Managers are not deployed, a VIP or external load balancer is not configured, or the cluster is not in a healthy state, this is a finding.

Fix: F-69183r994296_fix

To add additional NSX Manager appliances, do the following:
From the NSX Manager web interface, go to System >> Configuration >> Appliances, and then click "Add NSX Appliance". Supply the required information to add additional nodes as needed, up to three total.
To configure NSX with a cluster VIP, do the following:
From the NSX Manager web interface, go to System >> Configuration >> Appliances, and then click "Set Virtual IP", enter a VIP that is part of the same subnet as the other management nodes, and then click "Save".
To configure NSX with an external load balancer, set up an external load balancer with the following requirements:
- Configure the external load balancer to control traffic to the NSX Manager nodes.
- Configure the external load balancer to use the round robin method and configure source persistence for the load balancer's virtual IP.
- Create or import a signed certificate and apply the same certificate to all the NSX Manager nodes. The certificate must have the FQDN of the virtual IP and each of the nodes in the SAN.
Note: An external load balancer will not work with the NSX Manager VIP. Do not configure an NSX Manager VIP if using an external load balancer.
If the cluster status is not in a healthy state, identify the degraded component on the appliance and troubleshoot the issue with the error information provided.

b
The NSX Managers must be deployed on separate physical hosts.
SC-5 - Medium - CCI-002385 - V-265359 - SV-265359r994300_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
NMGR-4X-000103
Vuln IDs
  • V-265359
Rule IDs
  • SV-265359r994300_rule
SDN relies heavily on control messages between a controller and the forwarding devices for network convergence. The controller uses node and link state discovery information to calculate and determine optimum pathing within the SDN network infrastructure based on application, business, and security policies. Operating in the proactive flow instantiation mode, the SDN controller populates forwarding tables to the SDN-aware forwarding devices. At times, the SDN controller must function in reactive flow instantiation mode; that is, when a forwarding device receives a packet for a flow not found in its forwarding table, it must send it to the controller to receive forwarding instructions. With total dependence on the SDN controller for determining forwarding decisions and path optimization within the SDN infrastructure for both proactive and reactive flow modes of operation, having a single point of failure is not acceptable. A controller failure with no failover backup leaves the network in an unmanaged state. Hence, it is imperative that the SDN controllers are deployed as clusters on separate physical hosts to guarantee high network availability.
Checks: C-69276r994298_chk

This check must be performed in vCenter. From the vSphere Client, go to Administration &gt;&gt; Hosts and Clusters &gt;&gt; Select the cluster where the NSX Managers are deployed &gt;&gt; Configure &gt;&gt; Configuration &gt;&gt; VM/Host Rules. If the NSX Manager cluster does not have rules applied to it that separate the nodes onto different physical hosts, this is a finding.

Fix: F-69184r994299_fix

This fix must be performed in vCenter. From the vSphere Client, go to Administration >> Hosts and Clusters >> Select the cluster where the NSX Managers are deployed >> Configure >> Configuration >> VM/Host Rules. Click "Add" to create a new rule. Provide a name and select "Separate Virtual Machines" under Type. Add the three NSX Manager virtual machines to the list and click "OK".