From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways. For every Tier-0 Gateway, expand the Tier-0 Gateway >> Interfaces and GRE Tunnels, and click on the number of interfaces present to open the interfaces dialog. Expand each interface that is not required to support multicast routing, then expand "Multicast" and verify PIM is disabled. If PIM is enabled on any interfaces that are not supporting multicast routing, this is a finding.
Disable multicast PIM routing on interfaces that are not required to support multicast by doing the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways and expand the target Tier-0 gateway. Expand "Interfaces and GRE Tunnels", click on the number of interfaces present to open the interfaces dialog, and then select "Edit" on the target interface. Expand "Multicast", change PIM to "disabled", and then click "Save".
From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways. For every Tier-0 Gateway, expand the Tier-0 Gateway >> Interfaces and GRE Tunnels, and click on the number of interfaces present to open the interfaces dialog. Review each interface present to determine if they are not in use or inactive. If there are any interfaces present on a Tier-0 Gateway that are not in use or inactive, this is a finding.
Remove unused interfaces by doing the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways and expand the target Tier-0 gateway. Expand "Interfaces and GRE Tunnels", then click on the number of interfaces present to open the interfaces dialog. Select "Delete" on the unneeded interface, and then click "Delete" again to confirm.
From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways. For every Tier-0 Gateway, expand the Tier-0 Gateway to view the DHCP configuration. If a DHCP profile is configured and not in use, this is a finding.
From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways and edit the target Tier-0 Gateway. Click "Set DHCP Configuration", select "No Dynamic IP Address Allocation", and then click "Save". Close "Editing".
If the Tier-0 Gateway is not using OSPF, this is Not Applicable. To verify OSPF areas are using authentication with encryption, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways. For every Tier-0 Gateway, expand the "Tier-0 Gateway". Expand "OSPF", click the number next to "Area Definition", and view the "Authentication" field for each area. If OSPF area definitions do not have the "Authentication" field set to "MD5" and a "Key ID" and "Password" configured, this is a finding.
To set authentication for OSPF area definitions, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways, and expand the target Tier-0 gateway. Expand "OSPF", click the number next to "Area Definition". Select "Edit" on the target OSPF Area Definition. Change the Authentication drop-down to MD5, enter a Key ID and Password, and then click "Save". Note: The MD5 password can have a maximum of 16 characters.
From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways. For every Tier-0 Gateway, expand Tier-0 Gateway >> Interfaces and GRE Tunnels, and then click on the number of interfaces present to open the interfaces dialog. Expand each interface to view the URPF Mode configuration. If URPF Mode is not set to "Strict" on any interface, this is a finding.
Enable strict URPF mode on interfaces by doing the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways and expand the target Tier-0 gateway. Expand "Interfaces and GRE Tunnels", click on the number of interfaces present to open the interfaces dialog, and then select "Edit" on the target interface. From the drop-down, set the URPF mode to "Strict" and then click "Save".
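The two interface checks above (PIM disabled unless multicast routing is required, URPF Mode set to Strict) can be run against an exported interface list instead of clicking through every gateway. The following is an added example, not VMware's or DISA's code. The sample payload is constructed here and shaped like the JSON the NSX Policy API returns for the Tier-0 interface list; the field names `urpf_mode` and `multicast.enabled` are assumptions that should be confirmed against the API reference for the NSX version in use.

```python
"""Audit Tier-0 interface settings for the PIM and URPF checks.

Added example, not VMware's or DISA's code. SAMPLE_INTERFACES is constructed
and shaped like a GET on .../tier-0s/<t0>/locale-services/<ls>/interfaces
in the NSX Policy API; 'urpf_mode' and 'multicast.enabled' are assumed
field names to confirm against your NSX API reference.
"""
import json

SAMPLE_INTERFACES = json.loads("""
{"results": [
  {"id": "uplink-1",     "display_name": "uplink-1",     "urpf_mode": "STRICT",
   "multicast": {"enabled": false}},
  {"id": "uplink-2",     "display_name": "uplink-2",     "urpf_mode": "NONE",
   "multicast": {"enabled": true}},
  {"id": "mcast-uplink", "display_name": "mcast-uplink", "urpf_mode": "STRICT",
   "multicast": {"enabled": true}},
  {"id": "legacy",       "display_name": "legacy"}
]}
""")

# Interfaces the site has documented as required for multicast routing
# (constructed for this example).
MULTICAST_REQUIRED = frozenset({"mcast-uplink"})


def audit_interfaces(payload, multicast_required=frozenset()):
    """Return (interface, check, observed) tuples for every non-compliant setting."""
    findings = []
    for iface in payload.get("results", []):
        name = iface.get("display_name") or iface.get("id")

        # URPF check: every interface must be in Strict mode. An absent field is
        # reported rather than assumed to be the platform default, so it gets a
        # manual look instead of silently passing.
        urpf = iface.get("urpf_mode", "<unset>")
        if urpf != "STRICT":
            findings.append((name, "URPF_NOT_STRICT", urpf))

        # PIM check: multicast may only be enabled on interfaces documented
        # as needing it.
        pim_enabled = bool(iface.get("multicast", {}).get("enabled", False))
        if pim_enabled and name not in multicast_required:
            findings.append((name, "PIM_ENABLED_NOT_REQUIRED", pim_enabled))
    return findings


if __name__ == "__main__":
    for iface, check, observed in audit_interfaces(SAMPLE_INTERFACES, MULTICAST_REQUIRED):
        print(f"FINDING {iface}: {check} (observed {observed})")
```

Feed the script the saved response body for each Tier-0 Gateway; any interface it reports is a finding under the checks above, and the `legacy` entry shows why an unset field is reported rather than trusted to be the default.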
If the Tier-0 Gateway is not using BGP or OSPF, this is Not Applicable. Since the router does not reveal if a BGP password is configured, interview the router administrator to determine if a password is configured on BGP neighbors. If BGP neighbors do not have a password configured, this is a finding. To verify OSPF areas are using authentication, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways. For every Tier-0 Gateway, expand the "Tier-0 Gateway". Expand "OSPF", click the number next to "Area Definition", and view the "Authentication" field for each area. If OSPF area definitions do not have Password or MD5 set for authentication, this is a finding.
To set authentication for BGP neighbors, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways, and expand the target Tier-0 gateway. Expand BGP. Next to BGP Neighbors, click on the number present to open the dialog, then select "Edit" on the target BGP Neighbor. Under Timers & Password, enter a password up to 20 characters, and then click "Save". To set authentication for OSPF Area definitions, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways, and expand the target Tier-0 gateway. Expand OSPF. Next to "Area Definition", click on the number present to open the dialog, and then select "Edit" on the target OSPF Area. Change the Authentication drop-down to Password or MD5, enter a Key ID and/or Password, and then click "Save".
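The OSPF half of the two authentication checks above (the stricter one requiring MD5 with a Key ID, the weaker one accepting Password or MD5) can be evaluated from an exported area list. The following is an added example, not VMware's or DISA's code. The sample is constructed and shaped like a GET on the OSPF areas of a Tier-0 locale service in the NSX Policy API; the `auth_config` object with `mode` values NONE, PASSWORD and MD5 and a `key_id` is an assumption to confirm against the NSX API reference. Because the secret is write-only, a snapshot can only prove the mode and key id; that a password is actually set must still be confirmed with the router administrator, as the check text says.

```python
"""Audit OSPF area definitions for authentication.

Added example, not VMware's or DISA's code. SAMPLE_AREAS is constructed and
shaped like a GET on .../locale-services/<ls>/ospf/areas in the NSX Policy
API; the 'auth_config' object ('mode' in NONE/PASSWORD/MD5, 'key_id') is an
assumed layout to confirm against your NSX API reference.
"""
import json

SAMPLE_AREAS = json.loads("""
{"results": [
  {"id": "area-0", "area_id": "0.0.0.0", "auth_config": {"mode": "MD5", "key_id": 1}},
  {"id": "area-1", "area_id": "0.0.0.1", "auth_config": {"mode": "PASSWORD"}},
  {"id": "area-2", "area_id": "0.0.0.2", "auth_config": {"mode": "NONE"}},
  {"id": "area-3", "area_id": "0.0.0.3"}
]}
""")

ACCEPTED_MODES = ("PASSWORD", "MD5")


def audit_ospf_areas(payload, require_md5=True):
    """Return (area_id, reason) for each area failing the authentication check.

    require_md5=True applies the stricter requirement (MD5 with a Key ID);
    require_md5=False accepts either Password or MD5, as the weaker check does.
    """
    findings = []
    for area in payload.get("results", []):
        area_id = area.get("area_id", area.get("id"))
        # A missing auth_config is treated as no authentication at all.
        auth = area.get("auth_config") or {}
        mode = auth.get("mode", "NONE")
        if mode not in ACCEPTED_MODES:
            findings.append((area_id, f"authentication mode is {mode}"))
        elif require_md5 and mode != "MD5":
            findings.append((area_id, "authentication is Password, not MD5"))
        elif mode == "MD5" and auth.get("key_id") is None:
            findings.append((area_id, "MD5 configured without a Key ID"))
    return findings


if __name__ == "__main__":
    for area_id, reason in audit_ospf_areas(SAMPLE_AREAS):
        print(f"FINDING area {area_id}: {reason}")
```

Run it once with `require_md5=True` for the MD5-with-encryption requirement and once with `require_md5=False` for the basic authentication requirement; the constructed area `0.0.0.1` passes the second and fails the first, which is exactly the gap between the two checks.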
If the Tier-0 Gateway is not using BGP, this is Not Applicable. Since the NSX Tier-0 Gateway does not reveal the current password, interview the router administrator to determine if unique passwords are being used. If unique passwords are not being used for each AS, this is a finding.
To set authentication for BGP neighbors, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways, and expand the target Tier-0 gateway. Expand BGP. Next to "BGP Neighbors", click on the number present to open the dialog, then select "Edit" on the target BGP Neighbor. Under Timers & Password, enter a password up to 20 characters that is different from other autonomous systems, and then click "Save".
If the Tier-0 Gateway is deployed in an Active/Active HA mode, this is Not Applicable. From the NSX Manager web interface, go to Security >> Policy Management >> Gateway Firewall >> Gateway Specific Rules, and choose each Tier-0 Gateway in the drop-down. Review each Tier-0 Gateway Firewall rule to verify one exists to drop ICMP unreachable messages. If a rule does not exist to drop ICMP unreachable messages, this is a finding.
To configure a shared rule to drop ICMP unreachable messages, do the following: From the NSX Manager web interface, go to Security >> Policy Management >> Gateway Firewall >> All Shared Rules. Click "Add Rule" (add a policy first, if needed) and under "Services", select "ICMP Destination Unreachable" and "Apply". Enable logging and under the "Applied To" field select the target Tier-0 Gateways and click "Publish" to enforce the new rule. Note: A rule can also be created under Gateway Specific Rules to meet this requirement.
If the Tier-0 Gateway is deployed in an Active/Active HA mode, this is Not Applicable. From the NSX Manager web interface, go to Security >> Policy Management >> Gateway Firewall >> Gateway Specific Rules, and choose each Tier-0 Gateway in the drop-down menu. Review each Tier-0 Gateway Firewall rule to verify one exists to drop ICMP mask replies. If a rule does not exist to drop ICMP mask replies, this is a finding.
To configure a shared rule to drop ICMP mask replies, do the following: From the NSX Manager web interface, go to Security >> Policy Management >> Gateway Firewall >> All Shared Rules. Click "Add Rule" (add a policy first if needed). Under "Services", select the custom service that identifies ICMP mask replies, and then click "Apply". Enable logging, under the "Applied To" field select the target Tier-0 Gateways external interfaces, and then select "Publish" to enforce the new rule. Note: A rule can also be created under Gateway Specific Rules to meet this requirement. Note: A pre-created service for ICMP mask replies does not exist by default and may need to be created.
If the Tier-0 Gateway is deployed in an Active/Active HA mode, this is Not Applicable. From the NSX Manager web interface, go to Security >> Policy Management >> Gateway Firewall >> Gateway Specific Rules, and choose each Tier-0 Gateway in the drop-down menu. Review each Tier-0 Gateway Firewall rule to verify one exists to drop ICMP redirects. If a rule does not exist to drop ICMP redirects, this is a finding.
To configure a shared rule to drop ICMP redirects, do the following: From the NSX Manager web interface, go to Security >> Policy Management >> Gateway Firewall >> All Shared Rules. Click "Add Rule" (add a policy first if needed). Under "Services", select "ICMP Redirect", and then click "Apply". Enable logging, under the "Applied To" field select the target Tier-0 Gateways external interfaces, and then click "Publish" to enforce the new rule. Note: A rule can also be created under Gateway Specific Rules to meet this requirement.
If the Tier-0 Gateway is not using BGP, this is Not Applicable. From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways. For every Tier-0 Gateway with BGP enabled, expand the Tier-0 Gateway. Expand BGP, click on the number next to "BGP Neighbors", and then view the router filters for each neighbor. If "Maximum Routes" is not configured, or a route filter does not exist for each BGP neighbor, this is a finding.
To set maximum prefixes for BGP neighbors, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways and expand the target Tier-0 gateway. Expand BGP. Next to "BGP Neighbors", click on the number present to open the dialog, and then select "Edit" on the target BGP Neighbor. Click "Router Filter", add or edit an existing router filter, enter a number for "Maximum Routes", and then click "Add". Click "Apply", then click "Save" to finish the configuration.
If the Tier-0 Gateway is not using iBGP, this is Not Applicable. From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways. For every Tier-0 Gateway with BGP enabled, expand the Tier-0 Gateway. Expand BGP, click on the number next to BGP Neighbors, then view the source address for each neighbor. If the Source Address is not configured as the Tier-0 Gateway loopback address for the iBGP session, this is a finding.
To configure a loopback interface, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways and expand the target Tier-0 gateway. Expand interfaces and click "Add Interface". Enter a name, select "Loopback" as the Type, enter an IP address, select an Edge Node for the interface, then click "Save". Note: More than one loopback may need to be configured depending on the routing architecture. To set the source address for BGP neighbors, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways and expand the target Tier-0 gateway. Expand BGP. Next to BGP Neighbors, click on the number present to open the dialog, then select "Edit" on the target BGP Neighbor. Under Source Addresses, configure the source address with the loopback address and click "Save".
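The BGP neighbor checks above (Maximum Routes and a route filter on every neighbor; iBGP sessions sourced from a Tier-0 loopback) can be evaluated together from two exported lists, the gateway's interfaces and its BGP neighbors. The following is an added example, not VMware's or DISA's code. Both samples are constructed and shaped like NSX Policy API responses; the field names `type`, `subnets[].ip_addresses`, `remote_as_num`, `source_addresses`, `route_filtering[].maximum_routes`, `in_route_filters` and `out_route_filters` are assumptions to confirm against the NSX API reference, and `LOCAL_AS` is a constructed value standing in for the gateway's own AS number, used to tell iBGP sessions from eBGP ones.

```python
"""Audit BGP neighbors for Maximum Routes, route filters and iBGP loopback sourcing.

Added example, not VMware's or DISA's code. SAMPLE_INTERFACES and
SAMPLE_NEIGHBORS are constructed and shaped like NSX Policy API responses for
the Tier-0 interface list and .../locale-services/<ls>/bgp/neighbors; all
field names used below are assumptions to confirm against your NSX API
reference. LOCAL_AS is a constructed stand-in for the gateway's own AS.
"""
import json

LOCAL_AS = 65000  # constructed; read local_as_num from the gateway's BGP config in practice

SAMPLE_INTERFACES = json.loads("""
{"results": [
  {"id": "lo0", "type": "LOOPBACK",
   "subnets": [{"ip_addresses": ["192.0.2.1"], "prefix_len": 32}]},
  {"id": "uplink-1", "type": "EXTERNAL",
   "subnets": [{"ip_addresses": ["198.51.100.2"], "prefix_len": 30}]}
]}
""")

SAMPLE_NEIGHBORS = json.loads("""
{"results": [
  {"id": "ibgp-peer", "neighbor_address": "192.0.2.2", "remote_as_num": "65000",
   "source_addresses": ["192.0.2.1"],
   "route_filtering": [{"address_family": "IPV4", "maximum_routes": 500,
                        "in_route_filters": ["/infra/prefix-lists/in"]}]},
  {"id": "ibgp-bad", "neighbor_address": "192.0.2.3", "remote_as_num": "65000",
   "source_addresses": ["198.51.100.2"],
   "route_filtering": [{"address_family": "IPV4", "maximum_routes": 500,
                        "out_route_filters": ["/infra/prefix-lists/out"]}]},
  {"id": "ebgp-peer", "neighbor_address": "198.51.100.1", "remote_as_num": "64512",
   "route_filtering": [{"address_family": "IPV4",
                        "in_route_filters": ["/infra/prefix-lists/in"]}]},
  {"id": "ebgp-nofilter", "neighbor_address": "198.51.100.5", "remote_as_num": "64513"}
]}
""")


def loopback_addresses(interfaces):
    """Collect every IP configured on a LOOPBACK-type interface."""
    addrs = set()
    for iface in interfaces.get("results", []):
        if iface.get("type") == "LOOPBACK":
            for subnet in iface.get("subnets", []):
                addrs.update(subnet.get("ip_addresses", []))
    return addrs


def audit_bgp_neighbors(neighbors, interfaces, local_as=LOCAL_AS):
    """Return (neighbor, reason) for each neighbor failing a check."""
    loopbacks = loopback_addresses(interfaces)
    findings = []
    for nbr in neighbors.get("results", []):
        name = nbr.get("id")
        filters = nbr.get("route_filtering") or []
        # Maximum Routes must be set on at least one address family, and at
        # least one inbound or outbound route filter must be attached.
        if not any(f.get("maximum_routes") for f in filters):
            findings.append((name, "no Maximum Routes configured"))
        if not any(f.get("in_route_filters") or f.get("out_route_filters") for f in filters):
            findings.append((name, "no route filter configured"))
        # iBGP sessions (peer AS equals the local AS) must source from a loopback.
        if str(nbr.get("remote_as_num")) == str(local_as):
            sources = nbr.get("source_addresses") or []
            if not sources or not set(sources) <= loopbacks:
                findings.append((name, "iBGP source address is not a loopback"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_bgp_neighbors(SAMPLE_NEIGHBORS, SAMPLE_INTERFACES):
        print(f"FINDING {name}: {reason}")
```

The iBGP test compares every configured source address against the set of loopback IPs, so a neighbor that sources from an uplink address (as `ibgp-bad` does) is reported even though it otherwise has Maximum Routes and a route filter.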
If IPv6 forwarding is not enabled, this is Not Applicable. From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways. For every Tier-0 Gateway, expand Tier-0 Gateway >> Additional Settings. Click on the ND profile name to view the hop limit. If the hop limit is not configured to at least 32, this is a finding.
To configure the Neighbor Discovery hop limit, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways >> edit the target Tier-0 gateway. Expand Additional Settings and select an "ND Profile" from the drop-down with a hop limit of 32 or more, then click "Close Editing". Note: The default ND profile has a hop limit of 64 and cannot be edited. If required, create a new ND profile or edit another existing one to use.
From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways. For every Tier-0 Gateway, expand the Tier-0 Gateway to view if border gateway protocol (BGP) or Open Shortest Path First (OSPF) is enabled. If BGP and/or OSPF is enabled and not in use, this is a finding.
If BGP is not used in the implementation, disable it by doing the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways and edit the target Tier-0 Gateway. Expand BGP, change from "On" to "Off", and then click "Save". If OSPF is not used in the implementation, disable it by doing the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways and edit the target Tier-0 Gateway. Expand OSPF, change from "Enabled" to "Disabled", and then click "Save".
From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways. For every Tier-0 Gateway, expand the Tier-0 Gateway, then expand "Multicast" to view the multicast configuration. If multicast is enabled and not in use, this is a finding.
If not used, disable Multicast by doing the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways and edit the target Tier-0 Gateway. Expand Multicast, change from "Enabled" to "Disabled", and then click "Save".
If the Tier-0 Gateway is not using BGP, this is Not Applicable. To verify BGP neighbors are using authentication with encryption, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways. For every Tier-0 Gateway, expand the "Tier-0 Gateway". Expand "BGP", click the number next to "BGP Neighbors" and expand each BGP neighbor. Expand the "Timers and Password" section and review the Password field. If any BGP neighbors do not have a password configured, this is a finding.
To set authentication for BGP neighbors, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways, and expand the target Tier-0 gateway. Expand BGP. Next to "BGP Neighbors", click on the number present to open the dialog, then select "Edit" on the target BGP Neighbor. Under Timers & Password, enter a password up to 20 characters, and then click "Save".