VMware NSX 4.x Tier-1 Gateway Router Security Technical Implementation Guide

  • Version/Release: V1R1
  • Published: 2024-07-29
  • Released: 2024-08-07

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
The NSX Tier-1 Gateway router must be configured to have all inactive interfaces removed.
AC-4 - High - CCI-001414 - V-263423 - SV-263423r978036_rule
  • RMF Control: AC-4
  • Severity: High
  • CCI: CCI-001414
  • Version: NT1R-4X-000016
  • Vuln IDs: V-263423
  • Rule IDs: SV-263423r978036_rule
An inactive interface is rarely monitored or controlled and may expose a network to an undetected attack on that interface. Unauthorized personnel with access to the communication facility could gain access to a router by connecting to a configured interface that is not in use. If an interface is no longer used, the configuration must be deleted and the interface disabled. For sub-interfaces, delete sub-interfaces that are on inactive interfaces and delete sub-interfaces that are themselves inactive. If the sub-interface is no longer necessary for authorized communications, it must be deleted.
Checks: C-67323r978034_chk

From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-1 Gateways. For every Tier-1 Gateway, expand the Tier-1 Gateway. Click on the number in the Linked Segments to review the currently linked segments. For every Tier-1 Gateway, expand the Tier-1 Gateway. Expand Interfaces and GRE Tunnels, and click on the number of interfaces present to open the interfaces dialog. Review each interface or linked segment present to determine whether it is unused or inactive. If there are any linked segments or service interfaces present on a Tier-1 Gateway that are not in use or inactive, this is a finding.

Fix: F-67231r978035_fix

To remove a stale linked segment from a Tier-1 Gateway, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Segments and edit the target segment. Under Connected Gateway, change to "None" and click "Save". Note: The stale linked segment can also be deleted if there are no active workloads attached to it.

To remove a stale service interface from a Tier-1 Gateway, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-1 Gateways >> Edit the target Tier-1 Gateway. Expand "Interfaces and GRE Tunnels", then click on the number of interfaces present to open the interfaces dialog. On the stale service interface, select "Delete" and click "Delete" again to confirm.

The NSX Tier-1 Gateway router must be configured to have the DHCP service disabled if not in use.
CM-7 - Info - CCI-000381 - V-263424 - SV-263424r978039_rule
  • RMF Control: CM-7
  • Severity: Info
  • CCI: CCI-000381
  • Version: NT1R-4X-000027
  • Vuln IDs: V-263424
  • Rule IDs: SV-263424r978039_rule
A compromised router introduces risk to the entire network infrastructure, as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of attacks by malicious users within the network. Preventing network breaches from within is dependent on implementing a comprehensive defense-in-depth strategy, including securing each device connected to the network. This is accomplished by following and implementing all security guidance applicable for each node type. A fundamental step in securing each router is to enable only the capabilities required for operation.
Checks: C-67324r978037_chk

From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-1 Gateways. For every Tier-1 Gateway, expand the Tier-1 Gateway to view the DHCP configuration. If a DHCP profile is configured and not in use, this is a finding.

Fix: F-67232r978038_fix

From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-1 Gateways and edit the target Tier-1 Gateway. Click "Set DHCP Configuration", select "No Dynamic IP Address Allocation", click "Save", and then close "Editing".

The NSX Tier-1 Gateway router must be configured to advertise a hop limit of at least 32 in Router Advertisement messages for IPv6 stateless auto-configuration deployments.
CM-6 - Info - CCI-000366 - V-263425 - SV-263425r978042_rule
  • RMF Control: CM-6
  • Severity: Info
  • CCI: CCI-000366
  • Version: NT1R-4X-000102
  • Vuln IDs: V-263425
  • Rule IDs: SV-263425r978042_rule
The Neighbor Discovery protocol allows routers to advertise a hop limit value in a Router Advertisement message, which hosts then use instead of the standardized default value. If a very small value were configured and advertised to hosts on the LAN segment, communications would fail because the hop limit would reach zero before packets sent by a host reached their destination.
Checks: C-67325r978040_chk

If IPv6 forwarding is not enabled, this is Not Applicable. From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-1 Gateways. For every Tier-1 Gateway, expand the Tier-1 Gateway >> Additional Settings. Click on the ND profile name to view the hop limit. If the hop limit is not configured to at least 32, this is a finding.

Fix: F-67233r978041_fix

To configure the Neighbor Discovery hop limit, do the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-1 Gateways >> edit the target Tier-1 Gateway. Expand Additional Settings and select an "ND Profile" from the drop-down with a hop limit of 32 or more, then click "Close Editing". Note: The default ND profile has a hop limit of 64 and cannot be edited. If required, create a new ND profile, or edit another existing one, to use.
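The check above reads the hop limit from the ND profile in NSX Manager; a defender may also want to confirm what the gateway actually puts on the wire. The following Python is an added example, not part of this STIG or of NSX: it parses an ICMPv6 Router Advertisement as laid out in RFC 4861 and reports a finding when the advertised Cur Hop Limit is below 32, treating the special value 0 (router leaves the hop limit unspecified, so hosts use their own default) as its own finding. The sample messages are constructed and carry a zero checksum.

```python
import struct
from typing import Optional

ICMPV6_RA = 134  # ICMPv6 type for Router Advertisement (RFC 4861 section 4.2)
OPT_MTU = 5      # Neighbor Discovery option type: MTU

def parse_router_advertisement(payload: bytes) -> dict:
    """Parse an ICMPv6 RA (IPv6 header already stripped) into its fields."""
    if len(payload) < 16:
        raise ValueError("RA shorter than the 16-byte fixed header")
    (msg_type, code, _checksum, hop_limit, flags,
     lifetime, reachable, retrans) = struct.unpack("!BBHBBHII", payload[:16])
    if msg_type != ICMPV6_RA or code != 0:
        raise ValueError(f"not a Router Advertisement (type={msg_type}, code={code})")
    options, off = [], 16
    while off < len(payload):  # options are TLVs; length is in units of 8 octets
        if len(payload) - off < 2:
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:
            raise ValueError("option length 0 is invalid (RFC 4861 section 4.6)")
        end = off + opt_len * 8
        if end > len(payload):
            raise ValueError("option runs past the end of the message")
        options.append((opt_type, payload[off + 2:end]))
        off = end
    return {
        "cur_hop_limit": hop_limit,               # 0 means "unspecified by this router"
        "managed_flag": bool(flags & 0x80),       # M: addresses via DHCPv6
        "other_config_flag": bool(flags & 0x40),  # O: other configuration via DHCPv6
        "router_lifetime": lifetime,
        "reachable_time": reachable,
        "retrans_timer": retrans,
        "options": options,
    }

def hop_limit_finding(payload: bytes, minimum: int = 32) -> Optional[str]:
    """Return None when the advertised hop limit meets the minimum, else the finding text."""
    hl = parse_router_advertisement(payload)["cur_hop_limit"]
    if hl == 0:
        return "Cur Hop Limit is 0 (unspecified); hosts fall back to their own default"
    if hl < minimum:
        return f"Cur Hop Limit {hl} is below the required minimum of {minimum}"
    return None

# Constructed samples (checksum left as 0; it is not validated here).
RA_COMPLIANT = (struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0x00, 1800, 0, 0)
                + struct.pack("!BBHI", OPT_MTU, 1, 0, 1500))  # MTU option, len 1 = 8 bytes
RA_TOO_LOW = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 16, 0x00, 1800, 0, 0)
```

Feed it the ICMPv6 payload of an RA captured on a segment attached to the gateway (for example, exported from a packet capture) to compare the on-wire hop limit with the ND profile setting.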

The NSX Tier-1 Gateway router must be configured to have multicast disabled if not in use.
CM-7 - Info - CCI-000381 - V-263426 - SV-263426r978045_rule
  • RMF Control: CM-7
  • Severity: Info
  • CCI: CCI-000381
  • Version: NT1R-4X-000107
  • Vuln IDs: V-263426
  • Rule IDs: SV-263426r978045_rule
A compromised router introduces risk to the entire network infrastructure, as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of attacks by malicious users within the network. Preventing network breaches from within is dependent on implementing a comprehensive defense-in-depth strategy, including securing each device connected to the network. This is accomplished by following and implementing all security guidance applicable for each node type. A fundamental step in securing each router is to enable only the capabilities required for operation.
Checks: C-67326r978043_chk

From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-1 Gateways. For every Tier-1 Gateway, expand the Tier-1 Gateway, then expand Multicast to view the Multicast configuration. If Multicast is enabled and not in use, this is a finding. If a Tier-1 Gateway is not linked to a Tier-0 Gateway, this is Not Applicable.

Fix: F-67234r978044_fix

If not used, disable Multicast by doing the following: From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-1 Gateways and edit the target Tier-1 Gateway. Expand Multicast and change from "Enabled" to "Disabled" and then click "Save".