VMware NSX 4.x Tier-0 Gateway Router Security Technical Implementation Guide

  • Version/Release: V1R1
  • Published: 2024-07-26
  • Released: 2024-08-07

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
The NSX Tier-0 Gateway router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.
AC-4 - High - CCI-001414 - V-263298 - SV-263298r979591_rule
RMF Control
AC-4
Severity
High
CCI
CCI-001414
Version
NT0R-4X-000013
Vuln IDs
  • V-263298
Rule IDs
  • SV-263298r979591_rule
If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel. Limiting where, within the network, a given multicast group's data is permitted to flow is an important first step in improving multicast security. A scope zone is an instance of a connected region of a given scope. Zones of the same scope cannot overlap, while zones of a smaller scope will fit completely within a zone of a larger scope. For example, Admin-local scope is smaller than Site-local scope, so the administratively configured boundary fits within the bounds of a site. According to RFC 4007 IPv6 Scoped Address Architecture (section 5), scope zones are also required to be "convex from a routing perspective"; that is, packets routed within a zone must not pass through any links that are outside of the zone. This requirement forces each zone to be one contiguous island rather than a series of separate islands. As stated in the DOD IPv6 IA Guidance for MO3, "One should be able to identify all interfaces of a zone by drawing a closed loop on their network diagram, engulfing some routers and passing through some routers to include only some of their interfaces." Therefore, it is imperative that the network engineers have documented their multicast topology and thereby know which interfaces are enabled for multicast. Once this is done, the zones can be scoped as required.
Checks: C-67198r979591_chk

From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways. For every Tier-0 Gateway, expand the Tier-0 Gateway >> Interfaces and GRE Tunnels, and click on the number of interfaces present to open the interfaces dialog. Expand each interface that is not required to support multicast routing, then expand "Multicast" and verify PIM is disabled. If PIM is enabled on any interfaces that are not supporting multicast routing, this is a finding.

Fix: F-67106r977660_fix

Disable multicast PIM routing on interfaces that are not required to support multicast by doing the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways and expand the target Tier-0 gateway. Expand "Interfaces and GRE Tunnels", click on the number of interfaces present to open the interfaces dialog, and then select "Edit" on the target interface. Expand "Multicast", change PIM to "disabled", and then click "Save".

The NSX Tier-0 Gateway router must be configured to have all inactive interfaces removed.
AC-4 - High - CCI-001414 - V-263299 - SV-263299r977664_rule
RMF Control
AC-4
Severity
High
CCI
CCI-001414
Version
NT0R-4X-000016
Vuln IDs
  • V-263299
Rule IDs
  • SV-263299r977664_rule
An inactive interface is rarely monitored or controlled and may expose a network to an undetected attack on that interface. Unauthorized personnel with access to the communication facility could gain access to a router by connecting to a configured interface that is not in use. If an interface is no longer used, the configuration must be deleted and the interface disabled. For sub-interfaces, delete sub-interfaces that are on inactive interfaces and delete sub-interfaces that are themselves inactive. If the sub-interface is no longer necessary for authorized communications, it must be deleted.
Checks: C-67199r977662_chk

From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways. For every Tier-0 Gateway, expand the Tier-0 Gateway >> Interfaces and GRE Tunnels, and click on the number of interfaces present to open the interfaces dialog. Review each interface present to determine if they are not in use or inactive. If there are any interfaces present on a Tier-0 Gateway that are not in use or inactive, this is a finding.

Fix: F-67107r977663_fix

Remove unused interfaces by doing the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways and expand the target Tier-0 gateway. Expand "Interfaces and GRE Tunnels", then click on the number of interfaces present to open the interfaces dialog. Select "Delete" on the unneeded interface, and then click "Delete" again to confirm.

The NSX Tier-0 Gateway router must be configured to have the Dynamic Host Configuration Protocol (DHCP) service disabled if not in use.
CM-7 - Info - CCI-000381 - V-263300 - SV-263300r977667_rule
RMF Control
CM-7
Severity
Info
CCI
CCI-000381
Version
NT0R-4X-000027
Vuln IDs
  • V-263300
Rule IDs
  • SV-263300r977667_rule
A compromised router introduces risk to the entire network infrastructure, as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of attacks by malicious users within the network. Preventing network breaches from within is dependent on implementing a comprehensive defense-in-depth strategy, including securing each device connected to the network. This is accomplished by following and implementing all security guidance applicable for each node type. A fundamental step in securing each router is to enable only the capabilities required for operation.
Checks: C-67200r977665_chk

From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways. For every Tier-0 Gateway, expand the Tier-0 Gateway to view the DHCP configuration. If a DHCP profile is configured and not in use, this is a finding.

Fix: F-67108r977666_fix

From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways and edit the target Tier-0 Gateway. Click "Set DHCP Configuration", select "No Dynamic IP Address Allocation", and then click "Save". Close "Editing".

The NSX Tier-0 Gateway router must be configured to use encryption for Open Shortest Path First (OSPF) routing protocol authentication.
IA-7 - High - CCI-000803 - V-263301 - SV-263301r977670_rule
RMF Control
IA-7
Severity
High
CCI
CCI-000803
Version
NT0R-4X-000029
Vuln IDs
  • V-263301
Rule IDs
  • SV-263301r977670_rule
A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to learn confidential information about the site's network or used to disrupt the network's ability to communicate with other networks. This is known as a "traffic attraction attack" and is prevented by configuring neighbor router authentication for routing updates. However, using clear-text authentication provides little benefit since an attacker can intercept traffic and view the authentication key. This would allow the attacker to use the authentication key in an attack. Note that the MD5 option on NSX OSPF areas is RFC 2328 cryptographic authentication: a keyed hash that authenticates each OSPF packet and keeps the key off the wire, but it does not encrypt the routing updates themselves. This requirement applies to all IPv4 and IPv6 protocols that are used to exchange routing or packet forwarding information; this includes all Interior Gateway Protocols (such as OSPF, Enhanced Interior Gateway Routing Protocol [EIGRP], and Intermediate System to Intermediate System [IS-IS]) and exterior gateway protocols (such as Border Gateway Protocol [BGP]), multiprotocol label switching (MPLS)-related protocols (such as Label Distribution Protocol [LDP]), and multicast-related protocols. Typically routing protocols must be set up on both sides, so knowing the authentication key does not necessarily mean an attacker would be able to set up a rogue router, peer with a legitimate one, and inject malicious routes.
Checks: C-67201r977668_chk

If the Tier-0 Gateway is not using OSPF, this is Not Applicable. To verify OSPF areas are using authentication with encryption, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways. For every Tier-0 Gateway, expand the "Tier-0 Gateway". Expand "OSPF", click the number next to "Area Definition", and view the "Authentication" field for each area. If OSPF area definitions do not have the "Authentication" field set to "MD5" and a "Key ID" and "Password" configured, this is a finding.

Fix: F-67109r977669_fix

To set authentication for OSPF area definitions, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways, and expand the target Tier-0 gateway. Expand "OSPF", click the number next to "Area Definition". Select "Edit" on the target OSPF Area Definition. Change the Authentication drop-down to MD5, enter a Key ID and Password, and then click "Save". Note: The MD5 password can have a maximum of 16 characters.

The NSX Tier-0 Gateway router must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field by enabling Unicast Reverse Path Forwarding (uRPF).
SC-5 - High - CCI-001094 - V-263302 - SV-263302r977673_rule
RMF Control
SC-5
Severity
High
CCI
CCI-001094
Version
NT0R-4X-000051
Vuln IDs
  • V-263302
Rule IDs
  • SV-263302r977673_rule
A compromised host in an enclave can be used by a malicious platform to launch cyber attacks on third parties. This is a common practice in "botnets", which are a collection of compromised computers using malware to attack other computers or networks. Distributed denial-of-service (DDoS) attacks frequently leverage IP source address spoofing to send packets to multiple hosts that in turn will then send return traffic to the hosts with the IP addresses that were forged. This can generate significant amounts of traffic. Therefore, protection measures to counteract IP source address spoofing must be taken. When uRPF is enabled in strict mode, the packet must be received on the interface that the device would use to forward the return packet; thereby mitigating IP source address spoofing.
Checks: C-67202r977671_chk

From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways. For every Tier-0 Gateway, expand Tier-0 Gateway >> Interfaces and GRE Tunnels, and then click on the number of interfaces present to open the interfaces dialog. Expand each interface to view the URPF Mode configuration. If URPF Mode is set to anything other than "Strict" on any interface, this is a finding.

Fix: F-67110r977672_fix

Enable strict URPF mode on interfaces by doing the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways and expand the target Tier-0 gateway. Expand "Interfaces and GRE Tunnels", click on the number of interfaces present to open the interfaces dialog, and then select "Edit" on the target interface. From the drop-down, set the URPF mode to "Strict" and then click "Save". Note: Strict mode drops any packet whose source address is not reachable through the interface it arrived on, so confirm that routing is symmetric on each uplink (for example, with multiple uplinks or ECMP) before enabling it, or legitimate traffic will be discarded.
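The PIM check (NT0R-4X-000013, above) and the uRPF check just described both walk the same interface list, and the NSX Policy API exposes the same fields the interfaces dialog shows, so the two can be automated together. The following Python is an added example written for this page; it is not part of the STIG and not VMware tooling. It assumes the NSX 4.x Policy API paths `/policy/api/v1/infra/tier-0s/{t0}/locale-services/{ls}/interfaces` and the Tier0Interface fields `type`, `urpf_mode` and `multicast.enabled`; the sample interface JSON and the set of documented multicast interfaces are constructed for the example.

```python
"""Audit NSX Tier-0 interfaces for PIM (NT0R-4X-000013) and uRPF (NT0R-4X-000051).

Added example for this page, not NSX or STIG code.  The sample data below is
constructed to look like the "results" array the NSX 4.x Policy API returns
from GET /policy/api/v1/infra/tier-0s/<t0>/locale-services/<ls>/interfaces
(assumed shape: Tier0Interface with type, urpf_mode and multicast.enabled).
"""
import base64
import json
import ssl
import urllib.request

# Constructed sample data; addresses are RFC 5737 documentation ranges.
SAMPLE_INTERFACES = json.loads("""
[
  {"id": "uplink-1", "type": "EXTERNAL", "urpf_mode": "STRICT",
   "multicast": {"enabled": false},
   "subnets": [{"ip_addresses": ["192.0.2.2"], "prefix_len": 30}]},
  {"id": "uplink-2", "type": "EXTERNAL", "urpf_mode": "NONE",
   "multicast": {"enabled": true},
   "subnets": [{"ip_addresses": ["192.0.2.6"], "prefix_len": 30}]},
  {"id": "mcast-1", "type": "EXTERNAL", "urpf_mode": "STRICT",
   "multicast": {"enabled": true},
   "subnets": [{"ip_addresses": ["198.51.100.1"], "prefix_len": 24}]},
  {"id": "lo0", "type": "LOOPBACK",
   "subnets": [{"ip_addresses": ["203.0.113.1"], "prefix_len": 32}]}
]
""")

# The multicast topology the STIG says the engineers must have documented first.
# Only these interfaces are allowed to run PIM.  Constructed for the example.
DOCUMENTED_MULTICAST_IFACES = {"mcast-1"}


def pim_findings(interfaces, documented_multicast):
    """Interfaces running PIM that are not part of the documented multicast topology."""
    return [i["id"] for i in interfaces
            if i.get("multicast", {}).get("enabled", False)
            and i["id"] not in documented_multicast]


def urpf_findings(interfaces):
    """Routed interfaces whose URPF mode is anything other than STRICT.

    Loopbacks never receive transit traffic, so they are excluded; a missing
    urpf_mode is reported as a finding rather than assumed to be STRICT.
    """
    return [i["id"] for i in interfaces
            if i.get("type") != "LOOPBACK"
            and i.get("urpf_mode") != "STRICT"]


def audit(interfaces, documented_multicast):
    """Run both checks for one Tier-0; an empty dict means no findings."""
    report = {}
    pim = pim_findings(interfaces, documented_multicast)
    urpf = urpf_findings(interfaces)
    if pim:
        report["NT0R-4X-000013"] = pim
    if urpf:
        report["NT0R-4X-000051"] = urpf
    return report


def fetch_interfaces(manager, user, password, t0_id, verify_tls=True):
    """Collect interfaces across all locale-services of one Tier-0 from a live
    NSX Manager.  Not exercised by the sample run; paths are the assumed ones."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab managers with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    base = f"https://{manager}/policy/api/v1/infra/tier-0s/{t0_id}/locale-services"

    def get(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.load(resp)

    interfaces = []
    for ls in get(base).get("results", []):
        interfaces += get(f"{base}/{ls['id']}/interfaces").get("results", [])
    return interfaces


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_INTERFACES, DOCUMENTED_MULTICAST_IFACES), indent=2))
```

Run against the sample, `uplink-2` is reported under both requirements: it runs PIM without being in the documented multicast topology and its uRPF mode is NONE. To audit a real gateway, replace the sample with `fetch_interfaces(...)` and the documented set with the site's multicast design.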

The NSX Tier-0 Gateway router must be configured to implement message authentication for all control plane protocols.
CM-6 - High - CCI-000366 - V-263303 - SV-263303r979592_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
NT0R-4X-000054
Vuln IDs
  • V-263303
Rule IDs
  • SV-263303r979592_rule
A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to learn confidential information about the site's network or used to disrupt the network's ability to communicate with other networks. This is known as a "traffic attraction attack" and is prevented by configuring neighbor router authentication for routing updates. This requirement applies to all IPv4 and IPv6 protocols that are used to exchange routing or packet forwarding information. This includes Border Gateway Protocol (BGP), Routing Information Protocol (RIP), Open Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol (EIGRP), Intermediate System to Intermediate System (IS-IS) and Label Distribution Protocol (LDP).
Checks: C-67203r977674_chk

If the Tier-0 Gateway is not using BGP or OSPF, this is Not Applicable. Since the router does not reveal if a BGP password is configured, interview the router administrator to determine if a password is configured on BGP neighbors. If BGP neighbors do not have a password configured, this is a finding. To verify OSPF areas are using authentication, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways. For every Tier-0 Gateway expand the "Tier-0 Gateway". Expand "OSPF", click the number next to "Area Definition", and view the "Authentication" field for each area. If OSPF area definitions do not have Password or MD5 set for authentication, this is a finding.

Fix: F-67111r977675_fix

To set authentication for BGP neighbors, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways, and expand the target Tier-0 gateway. Expand BGP. Next to BGP Neighbors, click on the number present to open the dialog, then select "Edit" on the target BGP Neighbor. Under Timers & Password, enter a password up to 20 characters, and then click "Save". To set authentication for OSPF Area definitions, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways, and expand the target Tier-0 gateway. Expand OSPF. Next to "Area Definition", click on the number present to open the dialog, and then select "Edit" on the target OSPF Area. Change the Authentication drop-down to Password or MD5, enter a Key ID and/or Password, and then click "Save".

The NSX Tier-0 Gateway must be configured to use a unique password for each autonomous system (AS) with which it peers.
AC-4 - Medium - CCI-002205 - V-263304 - SV-263304r977679_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-002205
Version
NT0R-4X-000055
Vuln IDs
  • V-263304
Rule IDs
  • SV-263304r977679_rule
If the same keys are used between External Border Gateway Protocol (eBGP) neighbors, the chance of a hacker compromising any of the BGP sessions increases. It is possible that a malicious user exists in one autonomous system who would know the key used for the eBGP session. This user would then be able to hijack BGP sessions with other trusted neighbors.
Checks: C-67204r977677_chk

If the Tier-0 Gateway is not using BGP, this is Not Applicable. Since the NSX Tier-0 Gateway does not reveal the current password, interview the router administrator to determine if unique passwords are being used. If unique passwords are not being used for each AS, this is a finding.

Fix: F-67112r977678_fix

To set authentication for BGP neighbors, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways, and expand the target Tier-0 gateway. Expand BGP. Next to "BGP Neighbors", click on the number present to open the dialog, then select "Edit" on the target BGP Neighbor. Under Timers & Password, enter a password of up to 20 characters that is different from the passwords used with other autonomous systems, and then click "Save".

The NSX Tier-0 Gateway router must be configured to have Internet Control Message Protocol (ICMP) unreachable notifications disabled on all external interfaces.
SC-5 - Medium - CCI-002385 - V-263305 - SV-263305r977682_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
NT0R-4X-000064
Vuln IDs
  • V-263305
Rule IDs
  • SV-263305r977682_rule
The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Host unreachable ICMP messages are commonly used by attackers for network mapping and diagnosis.
Checks: C-67205r977680_chk

If the Tier-0 Gateway is deployed in an Active/Active HA mode, this is Not Applicable. From the NSX Manager web interface, go to Security >> Policy Management >> Gateway Firewall >> Gateway Specific Rules, and choose each Tier-0 Gateway in the drop-down. Review each Tier-0 Gateway Firewall rule to verify one exists to drop ICMP unreachable messages. If a rule does not exist to drop ICMP unreachable messages, this is a finding.

Fix: F-67113r977681_fix

To configure a shared rule to drop ICMP unreachable messages, do the following: From the NSX Manager web interface, go to Security >> Policy Management >> Gateway Firewall >> All Shared Rules. Click "Add Rule" (add a policy first, if needed). Under "Services", select "ICMP Destination Unreachable" and click "Apply". Set the Action to "Drop", enable logging, and under the "Applied To" field select the target Tier-0 Gateways; then click "Publish" to enforce the new rule. Note: A rule can also be created under Gateway Specific Rules to meet this requirement.

The NSX Tier-0 Gateway router must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces.
SC-5 - Medium - CCI-002385 - V-263306 - SV-263306r977685_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
NT0R-4X-000065
Vuln IDs
  • V-263306
Rule IDs
  • SV-263306r977685_rule
The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Mask Reply ICMP messages are commonly used by attackers for network mapping and diagnosis.
Checks: C-67206r977683_chk

If the Tier-0 Gateway is deployed in an Active/Active HA mode, this is Not Applicable. From the NSX Manager web interface, go to Security >> Policy Management >> Gateway Firewall >> Gateway Specific Rules, and choose each Tier-0 Gateway in the drop-down menu. Review each Tier-0 Gateway Firewall rule to verify one exists to drop ICMP mask replies. If a rule does not exist to drop ICMP mask replies, this is a finding.

Fix: F-67114r977684_fix

To configure a shared rule to drop ICMP mask replies, do the following: From the NSX Manager web interface, go to Security >> Policy Management >> Gateway Firewall >> All Shared Rules. Click "Add Rule" (add a policy first if needed). Under "Services", select the custom service that identifies ICMP mask replies (ICMPv4 type 18), and then click "Apply". Set the Action to "Drop", enable logging, under the "Applied To" field select the target Tier-0 Gateways' external interfaces, and then click "Publish" to enforce the new rule. Note: A rule can also be created under Gateway Specific Rules to meet this requirement. Note: A pre-created service for ICMP mask replies does not exist by default and may need to be created.

The NSX Tier-0 Gateway router must be configured to have Internet Control Message Protocol (ICMP) redirects disabled on all external interfaces.
SC-5 - Medium - CCI-002385 - V-263307 - SV-263307r977688_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
NT0R-4X-000066
Vuln IDs
  • V-263307
Rule IDs
  • SV-263307r977688_rule
The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Redirect ICMP messages are commonly used by attackers for network mapping and diagnosis.
Checks: C-67207r977686_chk

If the Tier-0 Gateway is deployed in an Active/Active HA mode, this is Not Applicable. From the NSX Manager web interface, go to Security >> Policy Management >> Gateway Firewall >> Gateway Specific Rules, and choose each Tier-0 Gateway in the drop-down menu. Review each Tier-0 Gateway Firewalls rules to verify one exists to drop ICMP redirects. If a rule does not exist to drop ICMP redirects, this is a finding.

Fix: F-67115r977687_fix

To configure a shared rule to drop ICMP redirects, do the following: From the NSX Manager web interface, go to Security >> Policy Management >> Gateway Firewall >> All Shared Rules. Click "Add Rule" (add a policy first if needed). Under "Services", select "ICMP Redirect", and then click "Apply". Set the Action to "Drop", enable logging, under the "Applied To" field select the target Tier-0 Gateways' external interfaces, and then click "Publish" to enforce the new rule. Note: A rule can also be created under Gateway Specific Rules to meet this requirement.
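The three ICMP requirements (unreachables, NT0R-4X-000064; mask replies, NT0R-4X-000065; redirects, NT0R-4X-000066) are satisfied by one gateway firewall policy holding one drop rule per message type, which the Fix text describes click by click. The following Python builds the equivalent NSX Policy API payloads, including the custom mask-reply service the note says does not exist by default, and then performs the STIG check against a policy object. It is an added example written for this page, not STIG or VMware code. Assumed details: the default service IDs `ICMP_Destination_Unreachable` and `ICMP_Redirect`, the `ICMPTypeServiceEntry` resource type (ICMPv4 type 18 is the address mask reply per RFC 950), and the GatewayPolicy/Rule shape under `/infra/domains/default/gateway-policies/{id}`.

```python
"""Gateway firewall rules dropping ICMP unreachables, mask replies and redirects
(NT0R-4X-000064/65/66) as NSX Policy API payloads, plus the STIG check.

Added example for this page, not NSX or STIG code.  Assumed Policy API details:
  PATCH /policy/api/v1/infra/services/<id>                          -> Service
  PATCH /policy/api/v1/infra/domains/default/gateway-policies/<id>  -> GatewayPolicy
  default service ids ICMP_Destination_Unreachable and ICMP_Redirect
"""

# Default services the Fix text refers to; paths assumed for the example.
ICMP_UNREACHABLE = "/infra/services/ICMP_Destination_Unreachable"
ICMP_REDIRECT = "/infra/services/ICMP_Redirect"
# No default service exists for mask replies, so one is created (ICMPv4 type 18, RFC 950).
ICMP_MASK_REPLY = "/infra/services/STIG_ICMP_Mask_Reply"

REQUIRED_DROPS = {
    "NT0R-4X-000064": ICMP_UNREACHABLE,
    "NT0R-4X-000065": ICMP_MASK_REPLY,
    "NT0R-4X-000066": ICMP_REDIRECT,
}


def mask_reply_service():
    """Service body for the custom ICMP mask-reply service the STIG note says must be created."""
    return {
        "resource_type": "Service",
        "id": ICMP_MASK_REPLY.rsplit("/", 1)[1],
        "display_name": "STIG ICMP Mask Reply",
        "service_entries": [{
            "resource_type": "ICMPTypeServiceEntry",
            "id": "icmpv4-type-18",
            "protocol": "ICMPv4",
            "icmp_type": 18,
            "icmp_code": 0,
        }],
    }


def icmp_drop_policy(scope_paths, policy_id="STIG_T0_ICMP"):
    """GatewayPolicy with one logged DROP rule per ICMP message type.

    scope_paths: Tier-0 paths (shared rule) or Tier-0 external interface paths,
    e.g. "/infra/tier-0s/t0-edge" or
    "/infra/tier-0s/t0-edge/locale-services/default/interfaces/uplink-1".
    """
    rules = []
    for seq, (req, service) in enumerate(sorted(REQUIRED_DROPS.items()), start=1):
        name = service.rsplit("/", 1)[1]
        rules.append({
            "resource_type": "Rule",
            "id": f"drop-{name.lower()}",
            "display_name": f"{req} drop {name}",
            "sequence_number": seq,
            "source_groups": ["ANY"],
            "destination_groups": ["ANY"],
            "services": [service],
            "scope": list(scope_paths),
            "action": "DROP",   # a rule left at the default Allow action does not meet the check
            "logged": True,
        })
    return {
        "resource_type": "GatewayPolicy",
        "id": policy_id,
        "display_name": "STIG Tier-0 ICMP controls",
        "category": "LocalGatewayRules",
        "rules": rules,
    }


def icmp_findings(policy, tier0_path):
    """The check: requirements with no enabled DROP/REJECT rule that applies to
    the given Tier-0 (or one of its interfaces) for the relevant ICMP service."""
    covered = set()
    for rule in policy.get("rules", []):
        if rule.get("disabled") or rule.get("action") not in ("DROP", "REJECT"):
            continue
        applies = any(p == tier0_path or p.startswith(tier0_path + "/")
                      for p in rule.get("scope", []))
        if applies:
            covered.update(rule.get("services", []))
    return [req for req, svc in REQUIRED_DROPS.items() if svc not in covered]
```

`icmp_findings` returns the requirement IDs still open for a gateway, so a policy whose rules were published with the default Allow action, or scoped to a different Tier-0, shows all three as findings even though rules "exist" for the services. Push `mask_reply_service()` before the policy, since the policy's rules reference the service path.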

The NSX Tier-0 Gateway router must be configured to use the Border Gateway Protocol (BGP) maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.
SC-5 - Medium - CCI-002385 - V-263308 - SV-263308r977691_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
NT0R-4X-000067
Vuln IDs
  • V-263308
Rule IDs
  • SV-263308r977691_rule
The effects of prefix de-aggregation can degrade router performance due to the size of routing tables and also result in black-holing legitimate traffic. Initiated by an attacker or a misconfigured router, prefix de-aggregation occurs when the announcement of a large prefix is fragmented into a collection of smaller prefix announcements. In 1997, misconfigured routers in the Florida Internet Exchange network (AS7007) de-aggregated every prefix in their routing table and started advertising the first /24 block of each of these prefixes as their own. Faced with this additional burden, the internal routers became overloaded and crashed repeatedly. This caused prefixes advertised by these routers to disappear from routing tables and reappear when the routers came back online. As the routers came back after crashing, they were flooded with the routing table information by their neighbors. The flood of information would again overwhelm the routers and cause them to crash. This process of route flapping served to destabilize not only the surrounding network but also the entire internet. Routers trying to reach those addresses would choose the smaller, more specific /24 blocks first. This caused backbone networks throughout North America and Europe to crash. Maximum prefix limits on peer connections combined with aggressive prefix-size filtering of customers' reachability advertisements will effectively mitigate the de-aggregation risk. BGP maximum prefix must be used on all eBGP routers to limit the number of prefixes that it should receive from a particular neighbor, whether customer or peering autonomous system (AS). Consider each neighbor and how many routes they should be advertising and set a threshold slightly higher than the number expected.
Checks: C-67208r977689_chk

If the Tier-0 Gateway is not using BGP, this is Not Applicable. From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways. For every Tier-0 Gateway with BGP enabled, expand the Tier-0 Gateway. Expand BGP, click on the number next to "BGP Neighbors", and then view the Route Filter for each neighbor. If "Maximum Routes" is not configured, or a route filter does not exist for each BGP neighbor, this is a finding.

Fix: F-67116r977690_fix

To set maximum prefixes for BGP neighbors, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways and expand the target Tier-0 gateway. Expand BGP. Next to "BGP Neighbors", click on the number present to open the dialog, and then select "Edit" on the target BGP Neighbor. Click "Route Filter", add or edit an existing route filter, enter a number for "Maximum Routes", and then click "Add". Click "Apply", then click "Save" to finish the configuration.

The NSX Tier-0 Gateway router must be configured to use its loopback address as the source address for Internal Border Gateway Protocol (IBGP) peering sessions.
CM-6 - Info - CCI-000366 - V-263309 - SV-263309r977694_rule
RMF Control
CM-6
Severity
Info
CCI
CCI-000366
Version
NT0R-4X-000091
Vuln IDs
  • V-263309
Rule IDs
  • SV-263309r977694_rule
Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of the Border Gateway Protocol (BGP) routers. It is easier to construct appropriate ingress filters for router management plane traffic destined to the network management subnet since the source addresses will be from the range used for loopback interfaces instead of a larger range of addresses used for physical interfaces. Log information recorded by authentication and syslog servers will record the router’s loopback address instead of the numerous physical interface addresses. The routers within the iBGP domain should also use loopback addresses as the source address when establishing BGP sessions.
Checks: C-67209r977692_chk

If the Tier-0 Gateway is not using iBGP, this is Not Applicable. From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways. For every Tier-0 Gateway with BGP enabled, expand the Tier-0 Gateway. Expand BGP, click on the number next to BGP Neighbors, then view the source address for each neighbor. If the Source Address is not configured as the Tier-0 Gateway loopback address for the iBGP session, this is a finding.

Fix: F-67117r977693_fix

To configure a loopback interface, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways and expand the target Tier-0 gateway. Expand "Interfaces and GRE Tunnels" and click "Add Interface". Enter a name, select "Loopback" as the Type, enter an IP address, select an Edge Node for the interface, then click "Save". Note: More than one loopback may need to be configured depending on the routing architecture. To set the source address for BGP neighbors, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways and expand the target Tier-0 gateway. Expand BGP. Next to "BGP Neighbors", click on the number present to open the dialog, then select "Edit" on the target BGP Neighbor. Under Source Addresses, configure the source address with the loopback address and click "Save".
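The maximum-prefix check (NT0R-4X-000067, above) and the loopback-source check just described both inspect the same BGP neighbor objects, which the NSX Policy API returns alongside the Tier-0's BGP configuration and interfaces. The following Python is an added example written for this page, not STIG or VMware code. It assumes the 4.x Policy API paths `/infra/tier-0s/{t0}/locale-services/{ls}/bgp` (field `local_as_num`) and `.../bgp/neighbors` (fields `remote_as_num`, `source_addresses`, `route_filtering[].maximum_routes`), with loopback addresses taken from interfaces of type LOOPBACK; all sample objects are constructed. The neighbor password is write-only in the API and is never returned, which is why the STIG's password checks (NT0R-4X-000054, -000055) rely on interviewing the administrator rather than on anything this script could read.

```python
"""Audit Tier-0 BGP neighbors for maximum prefixes (NT0R-4X-000067) and
loopback-sourced iBGP sessions (NT0R-4X-000091).

Added example for this page, not NSX or STIG code.  Sample objects are
constructed in the shape of the NSX 4.x Policy API (assumed):
  GET .../locale-services/<ls>/bgp            -> BgpRoutingConfig (local_as_num)
  GET .../locale-services/<ls>/bgp/neighbors  -> BgpNeighborConfig "results"
  GET .../locale-services/<ls>/interfaces     -> Tier0Interface (type LOOPBACK)
AS numbers are strings in the API (asplain or asdot), so they are compared as
strings.  "password" is write-only and never returned by the API.
"""
import ipaddress

# Constructed sample: local AS, interfaces (one loopback), and neighbors.
SAMPLE_BGP = {"enabled": True, "local_as_num": "65010"}

SAMPLE_INTERFACES = [
    {"id": "lo0", "type": "LOOPBACK",
     "subnets": [{"ip_addresses": ["203.0.113.1"], "prefix_len": 32}]},
    {"id": "uplink-1", "type": "EXTERNAL",
     "subnets": [{"ip_addresses": ["192.0.2.2"], "prefix_len": 30}]},
]

SAMPLE_NEIGHBORS = [
    # eBGP transit peer with a prefix limit on its only address family: compliant
    {"id": "isp-a", "neighbor_address": "192.0.2.1", "remote_as_num": "64496",
     "route_filtering": [{"address_family": "IPV4", "maximum_routes": 500}]},
    # eBGP peer with a route filter but no Maximum Routes: finding
    {"id": "isp-b", "neighbor_address": "192.0.2.5", "remote_as_num": "64497",
     "route_filtering": [{"address_family": "IPV4"}]},
    # eBGP dual-stack peer whose IPv6 family has no limit: finding
    {"id": "isp-c", "neighbor_address": "192.0.2.9", "remote_as_num": "64498",
     "route_filtering": [{"address_family": "IPV4", "maximum_routes": 500},
                         {"address_family": "IPV6"}]},
    # iBGP route reflector sourced from the loopback: compliant
    {"id": "rr-1", "neighbor_address": "203.0.113.9", "remote_as_num": "65010",
     "source_addresses": ["203.0.113.1"],
     "route_filtering": [{"address_family": "IPV4", "maximum_routes": 2000}]},
    # iBGP peer sourced from an uplink address instead of the loopback: finding
    {"id": "rr-2", "neighbor_address": "203.0.113.10", "remote_as_num": "65010",
     "source_addresses": ["192.0.2.2"],
     "route_filtering": [{"address_family": "IPV4", "maximum_routes": 2000}]},
]


def loopback_addresses(interfaces):
    """Addresses configured on LOOPBACK interfaces, parsed for exact comparison."""
    return {ipaddress.ip_address(a)
            for i in interfaces if i.get("type") == "LOOPBACK"
            for s in i.get("subnets", []) for a in s.get("ip_addresses", [])}


def max_routes_findings(neighbors):
    """NT0R-4X-000067: every neighbor needs a route filter, and every address
    family in it needs Maximum Routes.  Returns the ids of neighbors that fail."""
    findings = []
    for n in neighbors:
        filters = n.get("route_filtering") or []
        if not filters or any("maximum_routes" not in f for f in filters):
            findings.append(n["id"])
    return findings


def ibgp_source_findings(neighbors, local_as, loopbacks):
    """NT0R-4X-000091: iBGP neighbors (remote AS equals local AS) must source
    the session from a loopback address.  eBGP neighbors are out of scope."""
    findings = []
    for n in neighbors:
        if str(n.get("remote_as_num")) != str(local_as):
            continue
        sources = n.get("source_addresses") or []
        if not sources or any(ipaddress.ip_address(s) not in loopbacks for s in sources):
            findings.append(n["id"])
    return findings


def audit(bgp, interfaces, neighbors):
    """Both checks for one Tier-0; an empty dict means no findings."""
    if not bgp.get("enabled"):
        return {}  # both requirements are Not Applicable without BGP
    report = {}
    mr = max_routes_findings(neighbors)
    src = ibgp_source_findings(neighbors, bgp["local_as_num"], loopback_addresses(interfaces))
    if mr:
        report["NT0R-4X-000067"] = mr
    if src:
        report["NT0R-4X-000091"] = src
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_BGP, SAMPLE_INTERFACES, SAMPLE_NEIGHBORS), indent=2))
```

On the sample, `isp-b` and `isp-c` are reported for NT0R-4X-000067 (the second one only because its IPv6 address family has no limit, which the UI check is easy to miss), and `rr-2` for NT0R-4X-000091. A neighbor with no `source_addresses` at all is also reported, since NSX then sources the session from whichever interface address the route to the peer selects.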

The NSX Tier-0 Gateway router must be configured to advertise a hop limit of at least 32 in Router Advertisement messages for IPv6 stateless auto-configuration deployments.
CM-6 - Info - CCI-000366 - V-263310 - SV-263310r977697_rule
RMF Control
CM-6
Severity
Info
CCI
CCI-000366
Version
NT0R-4X-000102
Vuln IDs
  • V-263310
Rule IDs
  • SV-263310r977697_rule
The Neighbor Discovery (ND) protocol allows a hop limit value to be advertised by routers in a Router Advertisement message being used by hosts instead of the standardized default value. If a very small value was configured and advertised to hosts on the LAN segment, communications would fail due to the hop limit reaching zero before the packets sent by a host reached its destination.
Checks: C-67210r977695_chk

If IPv6 forwarding is not enabled, this is Not Applicable. From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways. For every Tier-0 Gateway, expand Tier-0 Gateway >> Additional Settings. Click on the ND profile name to view the hop limit. If the hop limit is not configured to at least 32, this is a finding.

Fix: F-67118r977696_fix

To configure the Neighbor Discovery hop limit, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways >> edit the target Tier-0 gateway. Expand Additional Settings and select an "ND Profile" from the drop down with a hop limit of 32 or more, then click "Close Editing". Note: The default ND profile has a hop limit of 64 and cannot be edited. If required, create a new or edit another existing ND profile to use.

The NSX Tier-0 Gateway router must be configured to have routing protocols disabled if not in use.
CM-7 - Info - CCI-000381 - V-263311 - SV-263311r977700_rule
RMF Control
CM-7
Severity
Info
CCI
CCI-000381
Version
NT0R-4X-000106
Vuln IDs
  • V-263311
Rule IDs
  • SV-263311r977700_rule
A compromised router introduces risk to the entire network infrastructure, as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of attacks by malicious users within the network. Preventing network breaches from within is dependent on implementing a comprehensive defense-in-depth strategy, including securing each device connected to the network. This is accomplished by following and implementing all security guidance applicable for each node type. A fundamental step in securing each router is to enable only the capabilities required for operation.
Checks: C-67211r977698_chk

From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways. For every Tier-0 Gateway, expand the Tier-0 Gateway to view if border gateway protocol (BGP) or Open Shortest Path First (OSPF) is enabled. If BGP and/or OSPF is enabled and not in use, this is a finding.

Fix: F-67119r977699_fix

If BGP is not used in the implementation, disable it as follows: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways and edit the target Tier-0 Gateway. Expand BGP, change BGP from "On" to "Off", and then click "Save". If OSPF is not used in the implementation, disable it as follows: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways and edit the target Tier-0 Gateway. Expand OSPF, change OSPF from "Enabled" to "Disabled", and then click "Save".

The NSX Tier-0 Gateway router must be configured to have multicast disabled if not in use.
CM-7 - Info - CCI-000381 - V-263312 - SV-263312r977703_rule
RMF Control
CM-7
Severity
Info
CCI
CCI-000381
Version
NT0R-4X-000107
Vuln IDs
  • V-263312
Rule IDs
  • SV-263312r977703_rule
A compromised router introduces risk to the entire network infrastructure, as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of attacks by malicious users within the network. Preventing network breaches from within is dependent on implementing a comprehensive defense-in-depth strategy, including securing each device connected to the network. This is accomplished by following and implementing all security guidance applicable for each node type. A fundamental step in securing each router is to enable only the capabilities required for operation.
Checks: C-67212r977701_chk

From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways. For every Tier-0 Gateway, expand the Tier-0 Gateway, then expand "Multicast" to view the multicast configuration. If multicast is enabled and not in use, this is a finding.

Fix: F-67120r977702_fix

If not used, disable Multicast by doing the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways and edit the target Tier-0 Gateway. Expand Multicast, change from "Enabled" to "Disabled", and then click "Save".

The NSX Tier-0 Gateway router must be configured to use encryption for border gateway protocol (BGP) routing protocol authentication.
CM-6 - High - CCI-000366 - V-263313 - SV-263313r977706_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
NT0R-4X-000108
Vuln IDs
  • V-263313
Rule IDs
  • SV-263313r977706_rule
A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to learn confidential information about the site's network or used to disrupt the network's ability to communicate with other networks. This is known as a "traffic attraction attack" and is prevented by configuring neighbor router authentication for routing updates. However, using clear-text authentication provides little benefit since an attacker can intercept traffic and view the authentication key. This would allow the attacker to use the authentication key in an attack. In NSX the BGP neighbor password is the key for MD5 authentication of the BGP session (RFC 2385, the TCP MD5 Signature Option): it authenticates each segment and keeps the key off the wire, but the routing updates themselves are not encrypted. This requirement applies to all IPv4 and IPv6 protocols that are used to exchange routing or packet forwarding information; this includes all Interior Gateway Protocols (such as Open Shortest Path First [OSPF], Enhanced Interior Gateway Routing Protocol [EIGRP], and Intermediate System to Intermediate System [IS-IS]) and Exterior Gateway Protocols (such as BGP), multiprotocol label switching (MPLS)-related protocols (such as Label Distribution Protocol [LDP]), and multicast-related protocols.
Checks: C-67213r977704_chk

If the Tier-0 Gateway is not using BGP, this is Not Applicable. To verify BGP neighbors are using authentication with encryption, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways. For every Tier-0 Gateway, expand the "Tier-0 Gateway". Expand "BGP", click the number next to "BGP Neighbors" and expand each BGP neighbor. Expand the "Timers and Password" section and review the Password field. If any BGP neighbors do not have a password configured, this is a finding.

Fix: F-67121r977705_fix

To set authentication for BGP neighbors, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways, and expand the target Tier-0 gateway. Expand BGP. Next to "BGP Neighbors", click on the number present to open the dialog, then select "Edit" on the target BGP Neighbor. Under Timers & Password, enter a password of up to 20 characters, and then click "Save".