Cyber · Trackr The Free Compliance Library
⌘K
DoD Compliance · STIG

VMware NSX 4.x Tier-0 Gateway Router Security Technical Implementation Guide

V1R2 · · · Released 30 Jan 2025 · 16 rules
Compare

Pick two releases to diff their requirements.

View

Open a previous version of this STIG.

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Digest of Updates vs. V1R1 · 07 Aug 2024 +16 −16

Comparison against the immediately-prior release (V1R1). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.

Added rules 16

  • V-265390 High The NSX Tier-0 Gateway router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.
  • V-265393 High The NSX Tier-0 Gateway router must be configured to have all inactive interfaces removed.
  • V-265404 Low The NSX Tier-0 Gateway router must be configured to have the Dynamic Host Configuration Protocol (DHCP) service disabled if not in use.
  • V-265406 High The NSX Tier-0 Gateway router must be configured to use encryption for Open Shortest Path First (OSPF) routing protocol authentication.
  • V-265428 High The NSX Tier-0 Gateway router must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field by enabling Unicast Reverse Path Forwarding (uRPF).
  • V-265431 High The NSX Tier-0 Gateway router must be configured to implement message authentication for all control plane protocols.
  • V-265432 Medium The NSX Tier-0 Gateway must be configured to use a unique password for each autonomous system (AS) with which it peers.
  • V-265441 Medium The NSX Tier-0 Gateway router must be configured to have Internet Control Message Protocol (ICMP) unreachable notifications disabled on all external interfaces.
  • V-265442 Medium The NSX Tier-0 Gateway router must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces.
  • V-265443 Medium The NSX Tier-0 Gateway router must be configured to have Internet Control Message Protocol (ICMP) redirects disabled on all external interfaces.
  • V-265444 Medium The NSX Tier-0 Gateway router must be configured to use the Border Gateway Protocol (BGP) maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.
  • V-265468 Low The NSX Tier-0 Gateway router must be configured to use its loopback address as the source address for Internal Border Gateway Protocol (IBGP) peering sessions.
  • V-265479 Low The NSX Tier-0 Gateway router must be configured to advertise a hop limit of at least 32 in Router Advertisement messages for IPv6 stateless auto-configuration deployments.
  • V-265483 Low The NSX Tier-0 Gateway router must be configured to have routing protocols disabled if not in use.
  • V-265484 Low The NSX Tier-0 Gateway router must be configured to have multicast disabled if not in use.
  • V-265485 High The NSX Tier-0 Gateway router must be configured to use encryption for border gateway protocol (BGP) routing protocol authentication.

Removed rules 16

  • V-263298 High The NSX Tier-0 Gateway router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.
  • V-263299 High The NSX Tier-0 Gateway router must be configured to have all inactive interfaces removed.
  • V-263300 Info The NSX Tier-0 Gateway router must be configured to have the Dynamic Host Configuration Protocol (DHCP) service disabled if not in use.
  • V-263301 High The NSX Tier-0 Gateway router must be configured to use encryption for Open Shortest Path First (OSPF) routing protocol authentication.
  • V-263302 High The NSX Tier-0 Gateway router must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field by enabling Unicast Reverse Path Forwarding (uRPF).
  • V-263303 High The NSX Tier-0 Gateway router must be configured to implement message authentication for all control plane protocols.
  • V-263304 Medium The NSX Tier-0 Gateway must be configured to use a unique password for each autonomous system (AS) with which it peers.
  • V-263305 Medium The NSX Tier-0 Gateway router must be configured to have Internet Control Message Protocol (ICMP) unreachable notifications disabled on all external interfaces.
  • V-263306 Medium The NSX Tier-0 Gateway router must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces.
  • V-263307 Medium The NSX Tier-0 Gateway router must be configured to have Internet Control Message Protocol (ICMP) redirects disabled on all external interfaces.
  • V-263308 Medium The NSX Tier-0 Gateway router must be configured to use the Border Gateway Protocol (BGP) maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.
  • V-263309 Info The NSX Tier-0 Gateway router must be configured to use its loopback address as the source address for Internal Border Gateway Protocol (IBGP) peering sessions.
  • V-263310 Info The NSX Tier-0 Gateway router must be configured to advertise a hop limit of at least 32 in Router Advertisement messages for IPv6 stateless auto-configuration deployments.
  • V-263311 Info The NSX Tier-0 Gateway router must be configured to have routing protocols disabled if not in use.
  • V-263312 Info The NSX Tier-0 Gateway router must be configured to have multicast disabled if not in use.
  • V-263313 High The NSX Tier-0 Gateway router must be configured to use encryption for border gateway protocol (BGP) routing protocol authentication.
Sort by
c
The NSX Tier-0 Gateway router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.
AC-4 - High - CCI-001414 - V-265390 - SV-265390r994520_rule
RMF Control
AC-4
Severity
H
CCI
CCI-001414
Version
NT0R-4X-000013
Vuln IDs
  • V-265390
Rule IDs
  • SV-265390r994520_rule
If multicast traffic is forwarded beyond the intended boundary, it could be intercepted by unauthorized or unintended personnel. Limiting where within the network a given multicast group's data is permitted to flow is an important first step in improving multicast security. A scope zone is an instance of a connected region of a given scope. Zones of the same scope cannot overlap while zones of a smaller scope will fit completely within a zone of a larger scope. For example, Admin-local scope is smaller than Site-local scope, so the administratively configured boundary fits within the bounds of a site. According to RFC 4007 IPv6 Scoped Address Architecture (section 5), scope zones are also required to be "convex from a routing perspective"; that is, packets routed within a zone must not pass through any links that are outside of the zone. This requirement forces each zone to be one contiguous island rather than a series of separate islands. As stated in the DOD IPv6 IA Guidance for MO3, "One should be able to identify all interfaces of a zone by drawing a closed loop on their network diagram, engulfing some routers and passing through some routers to include only some of their interfaces." Therefore, it is imperative that the network engineers have documented their multicast topology and thereby knows which interfaces are enabled for multicast. Once this is done, the zones can be scoped as required.
Checks: C-69307r994518_chk

From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways. For every Tier-0 Gateway, expand the Tier-0 Gateway >> Interfaces and GRE Tunnels, and click on the number of interfaces present to open the interfaces dialog. Expand each interface that is not required to support multicast routing, then expand "Multicast" and verify PIM is disabled. If PIM is enabled on any interfaces that are not supporting multicast routing, this is a finding.

Fix: F-69215r994519_fix

Disable multicast PIM routing on interfaces that are not required to support multicast by doing the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways and expand the target Tier-0 gateway. Expand "Interfaces and GRE Tunnels", click on the number of interfaces present to open the interfaces dialog, and then select "Edit" on the target interface. Expand "Multicast", change PIM to "disabled", and then click "Save".

c
The NSX Tier-0 Gateway router must be configured to have all inactive interfaces removed.
AC-4 - High - CCI-001414 - V-265393 - SV-265393r994529_rule
RMF Control
AC-4
Severity
H
CCI
CCI-001414
Version
NT0R-4X-000016
Vuln IDs
  • V-265393
Rule IDs
  • SV-265393r994529_rule
An inactive interface is rarely monitored or controlled and may expose a network to an undetected attack on that interface. Unauthorized personnel with access to the communication facility could gain access to a router by connecting to a configured interface that is not in use. If an interface is no longer used, the configuration must be deleted and the interface disabled. For sub-interfaces, delete sub-interfaces that are on inactive interfaces and delete sub-interfaces that are themselves inactive. If the sub-interface is no longer necessary for authorized communications, it must be deleted.
Checks: C-69310r994527_chk

From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways. For every Tier-0 Gateway, expand the Tier-0 Gateway >> Interfaces and GRE Tunnels, and click on the number of interfaces present to open the interfaces dialog. Review each interface present to determine if they are not in use or inactive. If there are any interfaces present on a Tier-0 Gateway that are not in use or inactive, this is a finding.

Fix: F-69218r994528_fix

Remove unused interfaces by doing the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways and expand the target Tier-0 gateway. Expand "Interfaces and GRE Tunnels", then click on the number of interfaces present to open the interfaces dialog. Select "Delete" on the unneeded interface, and then click "Delete" again to confirm.

a
The NSX Tier-0 Gateway router must be configured to have the Dynamic Host Configuration Protocol (DHCP) service disabled if not in use.
CM-7 - Low - CCI-000381 - V-265404 - SV-265404r999914_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
NT0R-4X-000027
Vuln IDs
  • V-265404
Rule IDs
  • SV-265404r999914_rule
A compromised router introduces risk to the entire network infrastructure, as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of attacks by malicious users within the network. Preventing network breaches from within is dependent on implementing a comprehensive defense-in-depth strategy, including securing each device connected to the network. This is accomplished by following and implementing all security guidance applicable for each node type. A fundamental step in securing each router is to enable only the capabilities required for operation.
Checks: C-69321r994560_chk

From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways. For every Tier-0 Gateway, expand the Tier-0 Gateway to view the DHCP configuration. If a DHCP profile is configured and not in use, this is a finding.

Fix: F-69229r999914_fix

From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways and edit the target Tier-0 gateway. Click "Set DHCP Configuration", select "No Dynamic IP Address Allocation", and then click "Save". Close "Editing".

c
The NSX Tier-0 Gateway router must be configured to use encryption for Open Shortest Path First (OSPF) routing protocol authentication.
IA-7 - High - CCI-000803 - V-265406 - SV-265406r994568_rule
RMF Control
IA-7
Severity
H
CCI
CCI-000803
Version
NT0R-4X-000029
Vuln IDs
  • V-265406
Rule IDs
  • SV-265406r994568_rule
A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to learn confidential information about the site's network or used to disrupt the network's ability to communicate with other networks. This is known as a "traffic attraction attack" and is prevented by configuring neighbor router authentication for routing updates. However, using clear-text authentication provides little benefit since an attacker can intercept traffic and view the authentication key. This would allow the attacker to use the authentication key in an attack. This requirement applies to all IPv4 and IPv6 protocols that are used to exchange routing or packet forwarding information; this includes all Interior Gateway Protocols (such as OSPF, Enhanced Interior Gateway Routing Protocol [EIGRP], and Intermediate System to Intermediate System [IS-IS]) and exterior gateway protocols (such as Border Gateway Protocol [BGP]), multiprotocol label switching (MPLS)-related protocols (such as Label Distribution Protocol [LDP]), and multicast-related protocols. Typically routing protocols must be setup on both sides so knowing the authentication key does not necessarily mean an attacker would be able to setup a rogue router and peer with a legitimate one and inject malicious routes.
Checks: C-69323r994566_chk

If the Tier-0 Gateway is not using OSPF, this is Not Applicable. To verify OSPF areas are using authentication with encryption, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways. For every Tier-0 Gateway, expand the "Tier-0 Gateway". Expand "OSPF", click the number next to "Area Definition", and view the "Authentication" field for each area. If OSPF area definitions do not have the "Authentication" field set to "MD5" and a "Key ID" and "Password" configured, this is a finding.

Fix: F-69231r994567_fix

To set authentication for OSPF area definitions, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways, and expand the target Tier-0 gateway. Expand "OSPF", click the number next to "Area Definition". Select "Edit" on the target OSPF Area Definition. Change the Authentication drop-down to MD5, enter a Key ID and Password, and then click "Save". Note: The MD5 password can have a maximum of 16 characters.

c
The NSX Tier-0 Gateway router must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field by enabling Unicast Reverse Path Forwarding (uRPF).
SC-5 - High - CCI-001094 - V-265428 - SV-265428r994634_rule
RMF Control
SC-5
Severity
H
CCI
CCI-001094
Version
NT0R-4X-000051
Vuln IDs
  • V-265428
Rule IDs
  • SV-265428r994634_rule
A malicious platform can use a compromised host in an enclave to launch cyberattacks on third parties. This is a common practice in "botnets", which are a collection of compromised computers using malware to attack other computers or networks. Distributed denial-of-service (DDoS) attacks frequently leverage IP source address spoofing to send packets to multiple hosts that in turn will send return traffic to the hosts with the IP addresses that were forged. This can generate significant amounts of traffic. Therefore, protection measures to counteract IP source address spoofing must be taken. When uRPF is enabled in strict mode, the packet must be received on the interface that the device would use to forward the return packet; thereby mitigating IP source address spoofing.
Checks: C-69345r994632_chk

From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways. For every Tier-0 Gateway, expand Tier-0 Gateway >> Interfaces and GRE Tunnels, and then click on the number of interfaces present to open the interfaces dialog. Expand each interface to view the URPF Mode configuration. If URPF Mode is not set to "Strict" on any interface, this is a finding.

Fix: F-69253r994633_fix

Enable strict URPF mode on interfaces by doing the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways and expand the target Tier-0 gateway. Expand "Interfaces and GRE Tunnels", click on the number of interfaces present to open the interfaces dialog, and then select "Edit" on the target interface. From the drop-down, set the URPF mode to "Strict" and then click "Save".

c
The NSX Tier-0 Gateway router must be configured to implement message authentication for all control plane protocols.
CM-6 - High - CCI-000366 - V-265431 - SV-265431r994643_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
NT0R-4X-000054
Vuln IDs
  • V-265431
Rule IDs
  • SV-265431r994643_rule
A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or a rogue destination. This diverted traffic could be analyzed to learn confidential information about the site's network or used to disrupt the network's ability to communicate with other networks. This is known as a "traffic attraction attack" and is prevented by configuring neighbor router authentication for routing updates. This requirement applies to all IPv4 and IPv6 protocols that are used to exchange routing or packet forwarding information. This includes Border Gateway Protocol (BGP), Routing Information Protocol (RIP), Open Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol (EIGRP), Intermediate System to Intermediate System (IS-IS) and Label Distribution Protocol (LDP). Satisfies: SRG-NET-000230-RTR-000001, SRG-NET-000230-RTR-000002
Checks: C-69348r994641_chk

If the Tier-0 Gateway is not using BGP or OSPF, this is Not Applicable. Since the router does not reveal if a BGP password is configured, interview the router administrator to determine if a password is configured on BGP neighbors. If BGP neighbors do not have a password configured, this is a finding. To verify OSPF areas are using authentication, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways. For every Tier-0 Gateway expand the "Tier-0 Gateway". Expand "OSPF", click the number next to "Area Definition", and view the "Authentication" field for each area. If OSPF area definitions do not have Password or MD5 set for authentication, this is a finding.

Fix: F-69256r994642_fix

To set authentication for BGP neighbors, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways, and expand the target Tier-0 gateway. Expand BGP. Next to BGP Neighbors, click on the number present to open the dialog, then select "Edit" on the target BGP Neighbor. Under Timers & Password, enter a password up to 20 characters, and then click "Save". To set authentication for OSPF Area definitions, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways, and expand the target Tier-0 gateway. Expand OSPF. Next to "Area Definition", click on the number present to open the dialog, and then select "Edit" on the target OSPF Area. Change the Authentication drop-down to Password or MD5, enter a Key ID and/or Password, and then click "Save".

b
The NSX Tier-0 Gateway must be configured to use a unique password for each autonomous system (AS) with which it peers.
AC-4 - Medium - CCI-002205 - V-265432 - SV-265432r994646_rule
RMF Control
AC-4
Severity
M
CCI
CCI-002205
Version
NT0R-4X-000055
Vuln IDs
  • V-265432
Rule IDs
  • SV-265432r994646_rule
If the same keys are used between External Border Gateway Protocol (eBGP) neighbors, the chance of a hacker compromising any of the BGP sessions increases. It is possible that a malicious user exists in one autonomous system who would know the key used for the eBGP session. This user would then be able to hijack BGP sessions with other trusted neighbors.
Checks: C-69349r994644_chk

If the Tier-0 Gateway is not using BGP, this is Not Applicable. Since the NSX Tier-0 Gateway does not reveal the current password, interview the router administrator to determine if unique passwords are being used. If unique passwords are not being used for each AS, this is a finding.

Fix: F-69257r994645_fix

To set authentication for BGP neighbors, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways, and expand the target Tier-0 gateway. Expand BGP. Next to "BGP Neighbors", click on the number present to open the dialog, then select "Edit" on the target BGP Neighbor. Expand "BGP", click the number next to "BGP Neighbors". Select "Edit" on the target BGP neighbor. Under Timers & Password, enter a password up to 20 characters that is different from other autonomous systems, and then click "Save".

b
The NSX Tier-0 Gateway router must be configured to have Internet Control Message Protocol (ICMP) unreachable notifications disabled on all external interfaces.
SC-5 - Medium - CCI-002385 - V-265441 - SV-265441r999915_rule
RMF Control
SC-5
Severity
M
CCI
CCI-002385
Version
NT0R-4X-000064
Vuln IDs
  • V-265441
Rule IDs
  • SV-265441r999915_rule
The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Host unreachable ICMP messages are commonly used by attackers for network mapping and diagnosis.
Checks: C-69358r994671_chk

If the Tier-0 Gateway is deployed in an Active/Active HA mode, this is Not Applicable. From the NSX Manager web interface, go to Security >> Policy Management >> Gateway Firewall >> Gateway Specific Rules, and choose each Tier-0 Gateway in the drop-down. Review each Tier-0 Gateway Firewall rule to verify one exists to drop ICMP unreachable messages. If a rule does not exist to drop ICMP unreachable messages, this is a finding.

Fix: F-69266r999915_fix

To configure a shared rule to drop ICMP unreachable messages, do the following: From the NSX Manager web interface, go to Security >> Policy Management >> Gateway Firewall >> All Shared Rules. Click "Add Rule" (add a policy first, if needed) and under "Services", select "ICMP Destination Unreachable" and "Apply". Enable logging and under the "Applied To" field select the target Tier-0 gateways and click "Publish" to enforce the new rule. Note: A rule can also be created under Gateway Specific Rules to meet this requirement.

b
The NSX Tier-0 Gateway router must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces.
SC-5 - Medium - CCI-002385 - V-265442 - SV-265442r999916_rule
RMF Control
SC-5
Severity
M
CCI
CCI-002385
Version
NT0R-4X-000065
Vuln IDs
  • V-265442
Rule IDs
  • SV-265442r999916_rule
The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Mask Reply ICMP messages are commonly used by attackers for network mapping and diagnosis.
Checks: C-69359r994674_chk

If the Tier-0 Gateway is deployed in an Active/Active HA mode, this is Not Applicable. From the NSX Manager web interface, go to Security >> Policy Management >> Gateway Firewall >> Gateway Specific Rules, and choose each Tier-0 Gateway in the drop-down menu. Review each Tier-0 Gateway Firewall rule to verify one exists to drop ICMP mask replies. If a rule does not exist to drop ICMP mask replies, this is a finding.

Fix: F-69267r999916_fix

To configure a shared rule to drop ICMP unreachable messages, do the following: From the NSX Manager web interface, go to Security >> Policy Management >> Gateway Firewall >> All Shared Rules. Click "Add Rule" (add a policy first if needed). Under "Services", select the custom service that identifies ICMP mask replies, and then click "Apply". Enable logging, under the "Applied To" field select the target Tier-0 gateways' external interfaces, and then select "Publish" to enforce the new rule. Note: A rule can also be created under Gateway Specific Rules to meet this requirement. Note: A pre-created service for ICMP mask replies does not exist by default and may need created.

b
The NSX Tier-0 Gateway router must be configured to have Internet Control Message Protocol (ICMP) redirects disabled on all external interfaces.
SC-5 - Medium - CCI-002385 - V-265443 - SV-265443r999917_rule
RMF Control
SC-5
Severity
M
CCI
CCI-002385
Version
NT0R-4X-000066
Vuln IDs
  • V-265443
Rule IDs
  • SV-265443r999917_rule
The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Redirect ICMP messages are commonly used by attackers for network mapping and diagnosis.
Checks: C-69360r994677_chk

If the Tier-0 Gateway is deployed in an Active/Active HA mode, this is Not Applicable. From the NSX Manager web interface, go to Security >> Policy Management >> Gateway Firewall >> Gateway Specific Rules, and choose each Tier-0 Gateway in the drop-down menu. Review each Tier-0 Gateway Firewalls rules to verify one exists to drop ICMP redirects. If a rule does not exist to drop ICMP redirects, this is a finding.

Fix: F-69268r999917_fix

To configure a shared rule to drop ICMP unreachable messages, do the following: From the NSX Manager web interface, go to Security >> Policy Management >> Gateway Firewall >> All Shared Rules. Click "Add Rule" (add a policy first if needed). Under "Services", select "ICMP Redirect", and then click "Apply". To enable logging, under the "Applied To" field, select the target Tier-0 gateways' external interfaces, and then click "Publish" to enforce the new rule. Note: A rule can also be created under Gateway Specific Rules to meet this requirement.

b
The NSX Tier-0 Gateway router must be configured to use the Border Gateway Protocol (BGP) maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.
SC-5 - Medium - CCI-002385 - V-265444 - SV-265444r994682_rule
RMF Control
SC-5
Severity
M
CCI
CCI-002385
Version
NT0R-4X-000067
Vuln IDs
  • V-265444
Rule IDs
  • SV-265444r994682_rule
The effects of prefix de-aggregation can degrade router performance due to the size of routing tables and also result in black-holing legitimate traffic. Initiated by an attacker or a misconfigured router, prefix de-aggregation occurs when the announcement of a large prefix is fragmented into a collection of smaller prefix announcements. In 1997, misconfigured routers in the Florida Internet Exchange network (AS7007) de-aggregated every prefix in their routing table and started advertising the first /24 block of each of these prefixes as their own. Faced with this additional burden, the internal routers became overloaded and crashed repeatedly. This caused prefixes advertised by these routers to disappear from routing tables and reappear when the routers came back online. As the routers came back after crashing, they were flooded with the routing table information by their neighbors. The flood of information would again overwhelm the routers and cause them to crash. This process of route flapping served to destabilize not only the surrounding network but also the entire internet. Routers trying to reach those addresses would choose the smaller, more specific /24 blocks first. This caused backbone networks throughout North America and Europe to crash. Maximum prefix limits on peer connections combined with aggressive prefix-size filtering of customers' reachability advertisements will effectively mitigate the de-aggregation risk. BGP maximum prefix must be used on all eBGP routers to limit the number of prefixes that it should receive from a particular neighbor, whether customer or peering autonomous system (AS). Consider each neighbor and how many routes they should be advertising and set a threshold slightly higher than the number expected.
Checks: C-69361r994680_chk

If the Tier-0 Gateway is not using BGP, this is Not Applicable. From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways. For every Tier-0 Gateway with BGP enabled, expand the Tier-0 Gateway. Expand BGP, click on the number next to "BGP Neighbors", and then view the router filters for each neighbor. If "Maximum Routes" is not configured, or a route filter does not exist for each BGP neighbor, this is a finding.

Fix: F-69269r994681_fix

To set maximum prefixes for BGP neighbors, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways and expand the target Tier-0 gateway. Expand BGP. Next to "BGP Neighbors", click on the number present to open the dialog, and then select "Edit" on the target BGP Neighbor. Click "Router Filter", add or edit an existing router filter, enter a number for "Maximum Routes", and then click "Add". Click "Apply", then click "Save" to finish the configuration.

a
The NSX Tier-0 Gateway router must be configured to use its loopback address as the source address for Internal Border Gateway Protocol (IBGP) peering sessions.
CM-6 - Low - CCI-000366 - V-265468 - SV-265468r994754_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
NT0R-4X-000091
Vuln IDs
  • V-265468
Rule IDs
  • SV-265468r994754_rule
Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of the Border Gateway Protocol (BGP) routers. It is easier to construct appropriate ingress filters for router management plane traffic destined to the network management subnet since the source addresses will be from the range used for loopback interfaces instead of a larger range of addresses used for physical interfaces. Log information recorded by authentication and syslog servers will record the router’s loopback address instead of the numerous physical interface addresses. The routers within the iBGP domain should also use loopback addresses as the source address when establishing BGP sessions.
Checks: C-69385r994752_chk

If the Tier-0 Gateway is not using iBGP, this is Not Applicable. From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways. For every Tier-0 Gateway with BGP enabled, expand the Tier-0 Gateway. Expand BGP, click on the number next to BGP Neighbors, then view the source address for each neighbor. If the Source Address is not configured as the Tier-0 Gateway loopback address for the iBGP session, this is a finding.

Fix: F-69293r994753_fix

To configure a loopback interface, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways and expand the target Tier-0 gateway. Expand interfaces and click "Add Interface". Enter a name, select "Loopback" as the Type, enter an IP address, select an Edge Node for the interface, then click "Save". Note: More than one loopback may need to be configured depending on the routing architecture. To set the source address for BGP neighbors, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways >> expand the target Tier-0 gateway. Expand BGP >> next to BGP Neighbors, click on the number present to open the dialog >> select "Edit" on the target BGP Neighbor. Under Source Addresses, configure the source address with the loopback address and click "Save".

a
The NSX Tier-0 Gateway router must be configured to advertise a hop limit of at least 32 in Router Advertisement messages for IPv6 stateless auto-configuration deployments.
CM-6 - Low - CCI-000366 - V-265479 - SV-265479r994787_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
NT0R-4X-000102
Vuln IDs
  • V-265479
Rule IDs
  • SV-265479r994787_rule
The Neighbor Discovery (ND) protocol allows a hop limit value to be advertised by routers in a Router Advertisement message being used by hosts instead of the standardized default value. If a very small value was configured and advertised to hosts on the LAN segment, communications would fail due to the hop limit reaching zero before the packets sent by a host reached its destination.
Checks: C-69396r994785_chk

If IPv6 forwarding is not enabled, this is Not Applicable. From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways. For every Tier-0 Gateway, expand Tier-0 Gateway >>Additional Settings. Click on the ND profile name to view the hop limit. If the hop limit is not configured to at least 32, this is a finding.

Fix: F-69304r994786_fix

To configure the Neighbor Discovery hop limit, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways >> edit the target Tier-0 gateway. Expand Additional Settings and select an "ND Profile" from the drop down with a hop limit of 32 or more, then click "Close Editing". Note: The default ND profile has a hop limit of 64 and cannot be edited. If required, create a new or edit another existing ND profile to use.

a
The NSX Tier-0 Gateway router must be configured to have routing protocols disabled if not in use.
CM-7 - Low - CCI-000381 - V-265483 - SV-265483r999918_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
NT0R-4X-000106
Vuln IDs
  • V-265483
Rule IDs
  • SV-265483r999918_rule
A compromised router introduces risk to the entire network infrastructure, as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of attacks by malicious users within the network. Preventing network breaches from within is dependent on implementing a comprehensive defense-in-depth strategy, including securing each device connected to the network. This is accomplished by following and implementing all security guidance applicable for each node type. A fundamental step in securing each router is to enable only the capabilities required for operation.
Checks: C-69400r994797_chk

From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways. For every Tier-0 Gateway, expand the Tier-0 Gateway to view if border gateway protocol (BGP) or Open Shortest Path First (OSPF) is enabled. If BGP and/or OSPF is enabled and not in use, this is a finding.

Fix: F-69308r999918_fix

If not used in the implementation, then disable BGP, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways and edit the target Tier-0 gateway. Expand BGP, change from "On" to "Off", and then click "Save". If not used in the implementation, then disable OSPF, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways and edit the target Tier-0 gateway. Expand OSPF, change from "Enabled" to "Disabled", and then click "Save".

a
The NSX Tier-0 Gateway router must be configured to have multicast disabled if not in use.
CM-7 - Low - CCI-000381 - V-265484 - SV-265484r999919_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
NT0R-4X-000107
Vuln IDs
  • V-265484
Rule IDs
  • SV-265484r999919_rule
A compromised router introduces risk to the entire network infrastructure, as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of attacks by malicious users within the network. Preventing network breaches from within is dependent on implementing a comprehensive defense-in-depth strategy, including securing each device connected to the network. This is accomplished by following and implementing all security guidance applicable for each node type. A fundamental step in securing each router is to enable only the capabilities required for operation.
Checks: C-69401r994800_chk

From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways. For every Tier-0 Gateway, expand the Tier-0 Gateway, then expand "Multicast" to view the multicast configuration. If multicast is enabled and not in use, this is a finding.

Fix: F-69309r999919_fix

If not used, disable Multicast by doing the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways and edit the target Tier-0 gateway. Expand Multicast, change from "Enabled" to "Disabled", and then click "Save".

c
The NSX Tier-0 Gateway router must be configured to use encryption for border gateway protocol (BGP) routing protocol authentication.
CM-6 - High - CCI-000366 - V-265485 - SV-265485r994805_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
NT0R-4X-000108
Vuln IDs
  • V-265485
Rule IDs
  • SV-265485r994805_rule
A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to learn confidential information about the site's network or used to disrupt the network's ability to communicate with other networks. This is known as a "traffic attraction attack" and is prevented by configuring neighbor router authentication for routing updates. However, using clear-text authentication provides little benefit since an attacker can intercept traffic and view the authentication key. This would allow the attacker to use the authentication key in an attack. This requirement applies to all IPv4 and IPv6 protocols that are used to exchange routing or packet forwarding information; this includes all Interior Gateway Protocols (such as Open Shortest Path First [OSPF], Enhanced Interior Gateway Routing Protocol [EIGRP], and Intermediate System to Intermediate System [IS-IS]) and Exterior Gateway Protocols (such as BGP), multiprotocol label switching (MPLS)-related protocols (such as Label Distribution Protocol [LDP]), and multicast-related protocols.
Checks: C-69402r994803_chk

If the Tier-0 Gateway is not using BGP, this is Not Applicable. To verify BGP neighbors are using authentication with encryption, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways. For every Tier-0 Gateway, expand the "Tier-0 Gateway". Expand "BGP", click the number next to "BGP Neighbors" and expand each BGP neighbor. Expand the "Timers and Password" section and review the Password field. If any BGP neighbors do not have a password configured, this is a finding.

Fix: F-69310r994804_fix

To set authentication for BGP neighbors, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-0 Gateways, and expand the target Tier-0 gateway. Expand BGP. Next to "BGP Neighbors", click on the number present to open the dialog, then select "Edit" on the target BGP Neighbor. Expand "BGP", click the number next to "BGP Neighbors". Select "Edit" on the target BGP neighbor. Under Timers & Password, enter a password up to 20 characters, and then click "Save".