VMware NSX Distributed Firewall Security Technical Implementation Guide

  • Version/Release: V1R1
  • Published: 2016-06-27
  • Released: 2016-06-27
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.
b
The NSX Distributed Firewall must enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies.
AC-3 - Medium - CCI-000213 - V-69137 - SV-83741r1_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
VNSX-FW-000001
Vuln IDs
  • V-69137
Rule IDs
  • SV-83741r1_rule
Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. ALGs must use these policies and mechanisms to control access on behalf of the application for which it is acting as intermediary.
Checks: C-69575r1_chk

Verify the rules necessary to enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies are configured, enabled and the respective "Applied to" category is configured if appropriate. Log into vSphere Web Client with credentials authorized for administration, navigate to Networking and Security >> Firewall >> Configuration tab >> General. Expand rule sections as necessary to view rules. If there are no rules configured to enforce authorizations, this is a finding.

Fix: F-75323r1_fix

Log into vSphere Web Client with credentials authorized for administration. Remediate this finding by navigating to the Networking and Security >> Firewall tab on the left side menu >> Configuration tab >> General Configure the rules necessary to enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies Ensure the rules have been enabled, and configure the respective "Applied to" category if appropriate.

b
The NSX Distributed Firewall must enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
AC-4 - Medium - CCI-001368 - V-69139 - SV-83743r1_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-001368
Version
VNSX-FW-000002
Vuln IDs
  • V-69139
Rule IDs
  • SV-83743r1_rule
Information flow control regulates where information is allowed to travel within a network. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. Information flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks, individuals, devices) within information systems. Examples of information flow control restrictions include keeping export controlled information from being transmitted in the clear to the Internet or blocking information marked as classified but is being transported to an unapproved destination. ALGs enforce approved authorizations by employing security policy and/or rules that restrict information system services, provide packet filtering capability based on header or protocol information and/or message filtering capability based on data content (e.g., implementing key word searches or using document characteristics).
Checks: C-69577r1_chk

Verify the rules necessary to enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies are configured, enabled and the respective "Applied to" category is configured if appropriate. Log into vSphere Web Client with credentials authorized for administration, navigate to Networking and Security >> Firewall >> Configuration tab >> General. Expand rule sections as necessary to view rules. If there are no rules configured to enforce authorizations, this is a finding.

Fix: F-75325r1_fix

Log into vSphere Web Client with credentials authorized for administration. Remediate this finding by navigating to the Networking and Security >> Firewall tab on the left side menu >> Configuration tab >> General Configure the rules necessary to enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies Ensure the rules have been enabled, and configure the respective "Applied to" category if appropriate.

b
The NSX Distributed Firewall must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
AC-4 - Medium - CCI-001414 - V-69141 - SV-83745r1_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-001414
Version
VNSX-FW-000003
Vuln IDs
  • V-69141
Rule IDs
  • SV-83745r1_rule
Information flow control regulates where information is allowed to travel within a network and between interconnected networks. Blocking or restricting detected harmful or suspicious communications between interconnected networks enforces approved authorizations for controlling the flow of traffic. This requirement applies to the flow of information between the ALG when used as a gateway or boundary device which allows traffic flow between interconnected networks of differing security policies. The ALG is installed and configured such that it restricts or blocks information flows based on guidance in the PPSM regarding restrictions for boundary crossing for ports, protocols and services. Information flow restrictions may be implemented based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic. The ALG must be configured with policy filters (e.g., security policy, rules, and/or signatures) that restrict or block information system services; provide a packet-filtering capability based on header information; and/or perform message-filtering based on message content. The policy filters used depends upon the type of application gateway (e.g., web, email, or TLS).
Checks: C-69579r1_chk

Verify the rules necessary to enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies are configured, enabled and the respective "Applied to" category is configured if appropriate. Log into vSphere Web Client with credentials authorized for administration, navigate to Networking and Security >> Firewall >> Configuration tab >> General. Expand rule sections as necessary to view rules. If there are no rules configured to enforce authorizations, this is a finding.

Fix: F-75327r1_fix

Log into vSphere Web Client with credentials authorized for administration. Remediate this finding by navigating to the Networking and Security >> Firewall tab on the left side menu >> Configuration tab >> General Configure the rules necessary to enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies Ensure the rules have been enabled, and configure the respective "Applied to" category if appropriate.

b
The NSX Distributed Firewall must not have unnecessary services and functions enabled.
CM-7 - Medium - CCI-000381 - V-69143 - SV-83747r1_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VNSX-FW-000034
Vuln IDs
  • V-69143
Rule IDs
  • SV-83747r1_rule
Information systems are capable of providing a wide variety of functions (capabilities or processes) and services. Some of these functions and services are installed and enabled by default. The organization must determine which functions and services are required to perform the content filtering and other necessary core functionality for each component of the ALG. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. The primary function of an ALG is to provide application specific content filtering and/or proxy services. The ALG application suite may integrate related content filtering and analysis services and tools (e.g., IPS, proxy, malware inspection, black/white lists). Some gateways may also include email scanning, decryption, caching, and DLP services. However, services and capabilities which are unrelated to this primary functionality must not be installed (e.g., DNS, email client or server, FTP server, or web server). Next Generation ALGs (NGFW) and Unified Threat Management (UTM) ALGs integrate functions which have been traditionally separated. These products integrate content filtering features to provide more granular policy filtering. There may be operational drawbacks to combining these services into one device. Another issue is that NGFW and UTM products vary greatly with no current definitive industry standard.
Checks: C-69581r1_chk

Verify no unwanted services are enabled. Log into vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> Firewall tab on the left side menu >> Configuration >> Partner Security Services. Verify that any unwanted services are disabled. If there are services that should not be enabled, this is a finding.

Fix: F-75329r1_fix

Configure Partner Security Services to the disabled state. Log into vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> Firewall tab on the left side menu >> Configuration >> Partner Security Services >> Select the partner security service. Hover over the "No." column Click the pencil icon Disable it

b
The NSX Distributed Firewall must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
CM-7 - Medium - CCI-000382 - V-69145 - SV-83749r1_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VNSX-FW-000036
Vuln IDs
  • V-69145
Rule IDs
  • SV-83749r1_rule
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. ALGs are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. DoD continually assesses the ports, protocols, and services that can be used for network communications. Some ports, protocols or services have known exploits or security weaknesses. Network traffic using these ports, protocols, and services must be prohibited or restricted in accordance with DoD policy. The ALG is a key network element for preventing these non-compliant ports, protocols, and services from causing harm to DoD information systems. The network ALG must be configured to prevent or restrict the use of prohibited ports, protocols, and services throughout the network by filtering the network traffic and disallowing or redirecting traffic as necessary. Default and updated policy filters from the vendors will disallow older version of protocols and applications and will address most known non-secure ports, protocols, and/or services. However, sources for further policy filters are the IAVMs and the PPSM requirements.
Checks: C-69583r1_chk

View the configuration and vendor documentation of the ALG application to find the minimum ports, protocols, and services which are required for operation of the ALG. Log into vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> Firewall tab on the left side menu >> Configuration >> General Verify the NSX Distributed Firewall policy restricts the use of ports, protocols, and/or services with the Ports, Protocol, and Service Management (PPSM) and IAVM requirements. If ports, protocols, and/or services are not disabled or restricted as required by the PPSM, this is a finding.

Fix: F-75331r1_fix

Disable ports, protocols, and/or services not required for operation of the ALG application. Log into vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> Firewall tab on the left side menu >> Configuration >> General >> Click on Green check in the number column to disable an individual distributed firewall rule >> Publish Changes. Once configuration is saved successfully verify the check is greyed out.

b
The NSX Distributed Firewall must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
SC-7 - Medium - CCI-001109 - V-69147 - SV-83751r1_rule
RMF Control
SC-7
Severity
Medium
CCI
CCI-001109
Version
VNSX-FW-000046
Vuln IDs
  • V-69147
Rule IDs
  • SV-83751r1_rule
A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed. As a managed interface, the ALG must block all inbound and outbound network communications traffic to the application being managed and controlled unless a policy filter is installed to explicitly allow the traffic. The allow policy filters must comply with the site's security policy. A deny all, permit by exception network communications traffic policy ensures that only those connections which are essential and approved, are allowed. This requirement applies to both inbound and outbound network communications traffic. All inbound and outbound traffic for which the ALG is acting as an intermediary or proxy must be denied by default.
Checks: C-69585r1_chk

Verify denied by default policy. Log into the vCenter web interface with credentials authorized for administration, navigate to Networking and Security >> Firewall Expand "Default Section Layer 3" in Configuration If the action for the Default Rule is "Allow", this is a finding.

Fix: F-75333r1_fix

Configure the "Default Rule" to deny by default with "Block". Log into the vCenter web interface with credentials authorized for administration, navigate to Networking and Security >> Firewall Expand "Default Section Layer 3" in Configuration Expand the Action for the rule named "Default Rule" Change the action to "Block" Select "OK" Select "Publish Changes"

b
The NSX Distributed Firewall must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity.
SC-10 - Medium - CCI-001133 - V-69149 - SV-83753r1_rule
RMF Control
SC-10
Severity
Medium
CCI
CCI-001133
Version
VNSX-FW-000047
Vuln IDs
  • V-69149
Rule IDs
  • SV-83753r1_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system level network connection. ALGs may provide session control functionality as part of content filtering, load balancing, or proxy services.
Checks: C-69587r1_chk

Verify the vSphere Web Client sessions terminate after "10" minutes of idle time, requiring the user to log in again to resume using the client. You can view the timeout value by viewing the webclient.properties file. On the system where vCenter is installed locate the webclient.properties file. Windows: C:\ProgramData\VMware\vCenter Server\cfg\vsphere-client Find the session.timeout = line in the webclient.properties file. If the session timeout is not set to "10" in the webclient.properties file, this is a finding.

Fix: F-75335r1_fix

Change the timeout value by editing the webclient.properties file. On the system where vCenter is installed locate the webclient.properties file. Windows: C:\ProgramData\VMware\vCenter Server\cfg\vsphere-client Edit the file to include the line "session.timeout = 10" where "10" is the timeout value in minutes. Uncomment the line if necessary. After editing the file the vSphere Web Client service must be restarted.

b
The NSX Distributed Firewall must off-load audit records onto a centralized log server.
AU-4 - Medium - CCI-001851 - V-69151 - SV-83755r1_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
VNSX-FW-000090
Vuln IDs
  • V-69151
Rule IDs
  • SV-83755r1_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. This does not apply to audit logs generated on behalf of the device itself (management).
Checks: C-69589r1_chk

Log into vSphere Web Client with credentials authorized for administration, navigate and select the ESXi host and click "Manage" >> "Advanced System Settings", and enter "Syslog.global.logHost" in the filter. Verify the correct setting for "Syslog.global.logHost" to the hostname of your syslog server. If this setting does not specify the appropriate syslog server on each ESXi host, this is a finding.

Fix: F-75337r2_fix

Log into vSphere Web Client with credentials authorized for administration, navigate and select the ESXi host and click "Manage" >> "Advanced System Settings", and enter "Syslog.global.logHost" in the filter. Verify the correct setting for "Syslog.global.logHost" to the hostname of your syslog server. Verify each ESXi host is set to a remote syslog server.

b
The NSX Distributed Firewall must generate audit records when successful/unsuccessful attempts to access security objects occur.
AU-12 - Medium - CCI-000172 - V-69153 - SV-83757r1_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VNSX-FW-000124
Vuln IDs
  • V-69153
Rule IDs
  • SV-83757r1_rule
Without generating audit records that log usage of objects by subjects and other objects, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Security objects are data objects which are controlled by security policy and bound to security attributes. This requirement applies to the ALG traffic management functions. This does not apply to audit logs generated on behalf of the device (device management).
Checks: C-69591r1_chk

Verify each rule in the NSX Firewall has been configured to "Log". Log into vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> Firewall tab to display a list of firewall rules deployed across the NSX environment. Click on the dropdown arrow to expand each firewall rule's section. For each rule, select the pencil icon in the "Action" column. The "Log" option must be selected for each rule. If the "Log" option has not been enabled for all rules, this is a finding.

Fix: F-75339r1_fix

Log into vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> Firewall tab to display a list of firewall rules deployed across the NSX environment. Click on the dropdown arrow to expand each firewall rule's section. For each rule, select the pencil icon in the "Action" column. Select the radio button next to the "Log" option to turn on logging for each rule.

b
The NSX Distributed Firewall must generate audit records when successful/unsuccessful attempts to modify security objects occur.
AU-12 - Medium - CCI-000172 - V-69155 - SV-83759r1_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VNSX-FW-000128
Vuln IDs
  • V-69155
Rule IDs
  • SV-83759r1_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Security objects are data objects which are controlled by security policy and bound to security attributes. This requirement applies to the ALG traffic management functions such as content filtering or intermediary services. This does not apply to audit logs generated on behalf of the device (device management).
Checks: C-69593r1_chk

Verify each rule in the NSX Firewall has been configured to "Log". Log into vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> Firewall tab to display a list of firewall rules deployed across the NSX environment. Click on the dropdown arrow to expand each firewall rule's section. For each rule, select the pencil icon in the "Action" column. The "Log" option must be selected for each rule. If the "Log" option has not been enabled for all rules, this is a finding.

Fix: F-75341r1_fix

Log into vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> Firewall tab to display a list of firewall rules deployed across the NSX environment. Click on the dropdown arrow to expand each firewall rule's section. For each rule, select the pencil icon in the "Action" column. Select the radio button next to the "Log" option to turn on logging for each rule.

b
The NSX Distributed Firewall must generate audit records when successful/unsuccessful attempts to delete security objects occur.
AU-12 - Medium - CCI-000172 - V-69157 - SV-83761r1_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VNSX-FW-000133
Vuln IDs
  • V-69157
Rule IDs
  • SV-83761r1_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Security objects are data objects which are controlled by security policy and bound to security attributes. This requirement applies to the ALG traffic management functions such as content filtering or intermediary services. This does not apply to audit logs generated on behalf of the device (device management).
Checks: C-69595r1_chk

Verify each rule in the NSX Firewall has been configured to "Log". Log into vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> Firewall tab to display a list of firewall rules deployed across the NSX environment. Click on the dropdown arrow to expand each firewall rule's section. For each rule, select the pencil icon in the "Action" column. The "Log" option must be selected for each rule. If the "Log" option has not been enabled for all rules, this is a finding.

Fix: F-75343r1_fix

Log into vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> Firewall tab to display a list of firewall rules deployed across the NSX environment. Click on the dropdown arrow to expand each firewall rule's section. For each rule, select the pencil icon in the "Action" column. Select the radio button next to the "Log" option to turn on logging for each rule.

b
The NSX Distributed Firewall must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding.
CM-6 - Medium - CCI-000366 - V-69159 - SV-83763r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VNSX-FW-000151
Vuln IDs
  • V-69159
Rule IDs
  • SV-83763r1_rule
A compromised host in an enclave can be used by a malicious actor as a platform to launch cyber attacks on third parties. This is a common practice in "botnets", which are a collection of compromised computers using malware to attack (usually DDoS) other computers or networks. DDoS attacks frequently leverage IP source address spoofing, in which packets with false source IP addresses send traffic to multiple hosts, which then send return traffic to the hosts with the IP addresses that were forged. This can generate significant, even massive, amounts of traffic. Therefore, protection measures to counteract IP source address spoofing must be taken. The router must not accept any outbound IP packets that contain an illegitimate address in the source address field by enabling Unicast Reverse Path Forwarding (uRPF) strict mode or by implementing an egress ACL. Unicast Reverse Path Forwarding (uRPF) provides an IP address spoof protection capability. When uRPF is enabled in strict mode, the packet must be received on the interface that the device would use to forward the return packet.
Checks: C-69597r1_chk

Verify "SpoofGuard" Default Policy is "Enabled" and "firewall" service is "Enabled" on all hosts. Log into vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> select the "SpoofGuard" tab on the left side menu. Verify Default Policy for "All Networks Operation Mode" is set to "Enabled". Next, select the "Installation" tab on the left side menu and verify "firewall" is "Enabled". If "SpoofGuard" Default Policy is not "Enabled" or "firewall" service is not "Enabled" on all hosts, this is a finding.

Fix: F-75345r1_fix

Set "SpoofGuard" Default Policy to "Enabled" and "firewall" service to "Enabled" on all hosts. Log into vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> select the "SpoofGuard" tab on the left side menu. Set the Default Policy for All Networks Operation Mode to "Enabled". Next, select the "Installation" tab on the left side menu. Select Firewall and set to "Enabled".