{"stig":{"title":"VMware NSX 4.x Tier-0 Gateway Firewall Security Technical Implementation Guide","version":"1","release":"2"},"checks":[{"vulnId":"V-265362","ruleId":"SV-265362r994329_rule","severity":"medium","ruleTitle":"The NSX Tier-0 Gateway Firewall must generate traffic log entries.","description":"Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.\n\nAudit event content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\n\nAssociating event types with detected events in the network element logs provides a means of investigating an attack, recognizing resource usage or capacity thresholds, or identifying an improperly configured network element.\n\nSatisfies: SRG-NET-000074-FW-000009, SRG-NET-000061-FW-000001, SRG-NET-000075-FW-000010, SRG-NET-000076-FW-000011, SRG-NET-000077-FW-000012, SRG-NET-000078-FW-000013, SRG-NET-000492-FW-000006, SRG-NET-000493-FW-000007","checkContent":"If the Tier-0 Gateway is deployed in an Active/Active HA mode and no stateless rules exist, this is Not Applicable.\n\nFrom the NSX Manager web interface, go to Security >> Policy Management >> Gateway Firewall >> Gateway Specific Rules.\n\nFor each Tier-0 Gateway and for each rule, click the gear icon and verify the logging setting.\n\nIf logging is not enabled, this is a finding.","fixText":"From the NSX Manager web interface, go to Security >> Policy Management >> Gateway Firewall >> Gateway Specific Rules.\n\nFor each Tier-0 Gateway and for each rule with logging disabled, click the gear icon, enable logging, and then click \"Apply\".\n\nAfter all changes are made, click 
\"Publish\".","ccis":["CCI-000130","CCI-000067","CCI-000131","CCI-000132","CCI-000133","CCI-000134","CCI-000172"]},{"vulnId":"V-265367","ruleId":"SV-265367r994344_rule","severity":"high","ruleTitle":"The NSX Tier-0 Gateway Firewall must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.","description":"A firewall experiencing a DoS attack will not be able to handle the production traffic load. The high resource and CPU usage caused by a DoS attack will disrupt the keep-alives and timers used for neighbor peering. This will result in route flapping and will eventually black-hole production traffic.\n\nThe device must be configured to contain and limit a DoS attack's effect on the device's resource usage. Redundant components and load balancing are examples of mitigating \"flood-type\" DoS attacks through increased capacity.\n\nSatisfies: SRG-NET-000193-FW-000030, SRG-NET-000192-FW-000029, SRG-NET-000362-FW-000028","checkContent":"If the Tier-0 Gateway is deployed in an Active/Active HA mode and no stateless rules exist, this is Not Applicable.\n\nFrom the NSX Manager web interface, go to Security >> Settings >> General Settings >> Firewall >> Flood Protection to view Flood Protection profiles.\n\nIf there are no Flood Protection profiles of type \"Gateway\", this is a finding.\n\nFor each gateway flood protection profile, if TCP Half Open Connection Limit, UDP Active Flow Limit, ICMP Active Flow Limit, and Other Active Connection Limit are set to \"None\", this is a finding.\n\nFor each gateway flood protection profile, examine the \"Applied To\" field to view the Tier-0 Gateways to which it is applied.\n\nIf a gateway flood protection profile is not applied to all applicable Tier-0 Gateways through one or more policies, this is a finding.","fixText":"To create a new Flood Protection profile, do the following:\n\nFrom the NSX Manager web interface, go to Security >> Settings >> General Settings >> Firewall 
>> Flood Protection >> Add Profile >> Add Edge Gateway Profile.\n\nEnter a name and specify appropriate values for the following: TCP Half Open Connection limit, UDP Active Flow Limit, ICMP Active Flow Limit, and Other Active Connection Limit.\n\nConfigure the \"Applied To\" field to contain Tier-0 Gateways, and then click \"Save\".","ccis":["CCI-001095","CCI-001094","CCI-002385"]},{"vulnId":"V-265368","ruleId":"SV-265368r994347_rule","severity":"medium","ruleTitle":"The NSX Tier-0 Gateway Firewall must deny network communications traffic by default and allow network communications traffic by exception.","description":"To prevent malicious or accidental leakage of traffic, organizations must implement a deny-by-default security posture at the network perimeter. Such rulesets prevent many malicious exploits or accidental leakage by restricting the traffic to only known sources and only those ports, protocols, or services that are permitted and operationally necessary.\n\nAs a managed boundary interface, the firewall must block all inbound and outbound network traffic unless a filter is installed to explicitly allow it. 
The allow filters must comply with the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and Vulnerability Assessment (VA).\n\nSatisfies: SRG-NET-000202-FW-000039, SRG-NET-000205-FW-000040, SRG-NET-000235-FW-000133, SRG-NET-000364-FW-000031","checkContent":"From the NSX Manager web interface, go to Security >> Policy Management >> Gateway Firewall >> Gateway Specific Rules.\n\nChoose each Tier-0 Gateway in the drop-down, then in the Policy_Default_Infra section view the Action of the default_rule.\n\nIf the default_rule is set to \"Allow\", this is a finding.","fixText":"From the NSX Manager web interface, go to Security >> Policy Management >> Gateway Firewall >> Gateway Specific Rules.\n\nChoose each Tier-0 Gateway in the drop-down, then in the Policy_Default_Infra section select the Action of the default_rule.\n\nChange the Action to \"Drop\" or \"Reject\", and then click \"Publish\".","ccis":["CCI-001109","CCI-001097","CCI-001190","CCI-002403"]},{"vulnId":"V-265370","ruleId":"SV-265370r994353_rule","severity":"medium","ruleTitle":"The NSX Tier-0 Gateway Firewall must be configured to send traffic log entries to a central log server.","description":"Without the ability to centrally manage the content captured in the traffic log entries, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an ongoing attack.\n\nThe DOD requires centralized management of all network component audit record content. Network components requiring centralized traffic log management must have the ability to support centralized management. The content captured in traffic log entries must be managed from a central location (necessitating automation). Centralized management of traffic log records and logs provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. 
\n\nEnsure at least one syslog server is configured on the firewall.\n\nIf the product inherently has the ability to store log records locally, the local log must also be secured. However, local storage alone does not satisfy this requirement, which calls for the use of a central audit server.\n\nSatisfies: SRG-NET-000333-FW-000014, SRG-NET-000098-FW-000021","checkContent":"From an NSX Edge Node shell hosting the Tier-0 Gateway, run the following command:\n\n> get logging-servers\n\nNote: This check must be run from each NSX Edge Node hosting a Tier-0 Gateway, as they are configured individually.\n\nor\n\nIf Node Profiles are used, from the NSX Manager web interface, go to System >> Configuration >> Fabric >> Profiles >> Node Profiles.\n\nClick \"All NSX Nodes\" and verify the syslog servers listed.\n\nIf any logging servers are configured with a protocol of \"udp\", this is a finding.\n\nIf any logging servers are not configured with a level of \"info\", this is a finding.\n\nIf no logging servers are configured, this is a finding.","fixText":"To configure a profile to apply syslog servers to all NSX Edge Nodes, do the following:\n\nFrom the NSX Manager web interface, go to System >> Configuration >> Fabric >> Profiles >> Node Profiles.\n\nClick \"All NSX Nodes\" and then under \"Syslog Servers\", click \"Add\".\n\nEnter the syslog server details, choose \"Information\" for the log level, and click \"Add\".\n\nor\n\n(Optional) From an NSX Edge Node shell, run the following command to clear any existing incorrect logging servers:\n\n> clear logging-servers\n\nFrom an NSX Edge Node shell, run the following command to configure a TCP syslog server:\n\n> set logging-server <server-ip or server-name> proto tcp level info\n\nFrom an NSX Edge Node shell, run the following command to configure a primary and backup TLS syslog server:\n\n> set logging-server <server-ip or server-name> proto tls level info serverca ca.pem clientca ca.pem certificate cert.pem key key.pem\n\nFrom an NSX Edge 
Node shell, run the following command to configure an LI-TLS syslog server:\n\n> set logging-server <server-ip or server-name> proto li-tls level info serverca root-ca.crt\n\nNote: If using the protocols TLS or LI-TLS to configure a secure connection to a log server, the server and client certificates must be stored in /var/vmware/nsx/file-store/ on each NSX Edge Node appliance.\n\nNote: Configure the central log server to alert when it stops receiving events from NSX and when denial-of-service (DoS) incidents are detected. A STIG-compliant log server will already provide this capability.","ccis":["CCI-001851","CCI-000366"]}]}
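Two of the checks above, V-265367 (gateway flood protection profiles) and V-265370 (central syslog), state their pass/fail criteria precisely enough to automate. The following Python is an added example written for this page; it is not part of the STIG, of DISA's tooling, or of NSX. It assumes that `get logging-servers` prints one server per line containing `proto <protocol>` and `level <level>` tokens (the same field names the STIG's own `set logging-server ... proto tcp level info` command uses), and it models flood protection profiles as dictionaries whose keys mirror the UI fields named in the check; the sample output, profile names and Tier-0 IDs are all constructed here.

```python
"""Added example: offline evaluation of NSX Tier-0 Gateway Firewall STIG
checks V-265367 (flood protection) and V-265370 (central syslog).

Assumptions (not taken from the STIG or from NSX documentation):
  * `get logging-servers` prints one server per line with the tokens
    `proto <protocol>` and `level <level>`; SAMPLE_LOGGING_SERVERS is constructed.
  * Flood protection profiles are dicts whose keys mirror the UI fields named
    in the STIG check; SAMPLE_PROFILES and SAMPLE_TIER0S are constructed.
"""
import re

# ---- V-265370: traffic logs must go to a central log server ---------------

# Constructed sample, not captured from a real Edge node.
SAMPLE_LOGGING_SERVERS = """\
10.10.20.5:514 proto udp level info
syslog.example.mil:6514 proto tls level info
10.10.20.7:514 proto tcp level warning
"""

_SERVER_LINE = re.compile(
    r"^(?P<server>\S+)\s+proto\s+(?P<proto>\S+)\s+level\s+(?P<level>\S+)",
    re.IGNORECASE,
)


def parse_logging_servers(output: str) -> list[dict]:
    """Parse `get logging-servers` text into [{server, proto, level}, ...]."""
    servers = []
    for line in output.splitlines():
        m = _SERVER_LINE.match(line.strip())
        if m:
            servers.append({"server": m["server"],
                            "proto": m["proto"].lower(),
                            "level": m["level"].lower()})
    return servers


def check_v265370(output: str) -> list[str]:
    """Return findings for one Edge node (empty list means compliant).
    The STIG requires this on every Edge node hosting a Tier-0 Gateway."""
    servers = parse_logging_servers(output)
    if not servers:
        return ["No logging servers are configured."]
    findings = []
    for s in servers:
        if s["proto"] == "udp":
            findings.append(f'{s["server"]}: protocol "udp" (use tcp, tls or li-tls).')
        if s["level"] != "info":
            findings.append(f'{s["server"]}: level "{s["level"]}" is not "info".')
    return findings


# ---- V-265367: gateway flood protection profiles --------------------------

# Keys mirror the four UI limits named in the check (assumed naming).
LIMIT_FIELDS = ("tcp_half_open_conn_limit", "udp_active_flow_limit",
                "icmp_active_flow_limit", "other_active_conn_limit")

# Constructed sample profiles; `applied_to` lists Tier-0 gateway IDs.
SAMPLE_PROFILES = [
    {"name": "fp-gw-prod", "type": "Gateway", "applied_to": ["t0-prod"],
     "tcp_half_open_conn_limit": 1000000, "udp_active_flow_limit": 1000000,
     "icmp_active_flow_limit": 1000000, "other_active_conn_limit": 1000000},
    {"name": "fp-gw-empty", "type": "Gateway", "applied_to": ["t0-lab"],
     "tcp_half_open_conn_limit": None, "udp_active_flow_limit": None,
     "icmp_active_flow_limit": None, "other_active_conn_limit": None},
    # Distributed profiles protect workloads, not gateways, so they are ignored.
    {"name": "fp-dfw", "type": "Distributed", "applied_to": [],
     "tcp_half_open_conn_limit": 5000, "udp_active_flow_limit": 5000,
     "icmp_active_flow_limit": 5000, "other_active_conn_limit": 5000},
]
SAMPLE_TIER0S = ["t0-prod", "t0-lab", "t0-dmz"]


def check_v265367(profiles: list[dict], tier0_ids: list[str]) -> list[str]:
    """Return findings. Any limit left at None on a gateway profile is
    reported (the stricter reading of the STIG's 'set to None' test), and
    every applicable Tier-0 must be covered by at least one gateway profile."""
    gateway = [p for p in profiles if p.get("type") == "Gateway"]
    if not gateway:
        return ['No Flood Protection profiles of type "Gateway" exist.']
    findings, covered = [], set()
    for p in gateway:
        covered.update(p.get("applied_to", []))
        unset = [f for f in LIMIT_FIELDS if p.get(f) is None]
        if unset:
            findings.append(f'{p["name"]}: limits set to None: {", ".join(unset)}.')
    for t0 in tier0_ids:
        if t0 not in covered:
            findings.append(f"{t0}: no gateway flood protection profile applied.")
    return findings


if __name__ == "__main__":
    for f in check_v265370(SAMPLE_LOGGING_SERVERS) + check_v265367(SAMPLE_PROFILES, SAMPLE_TIER0S):
        print("FINDING:", f)
```

Against the constructed samples the script reports the UDP collector and the "warning" level for V-265370, and for V-265367 the profile with all four limits unset plus the Tier-0 that no gateway profile covers; a protocol of tls or li-tls with level info passes, matching the fix text above. Paste real `get logging-servers` output from each Edge node into `check_v265370`, and adapt the profile dictionary keys if you populate them from an API export.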