{
  "stig": {
    "title": "VMware NSX 4.x Tier-1 Gateway Router Security Technical Implementation Guide",
    "version": "1",
    "release": "2"
  },
  "checks": [
    {
      "vulnId": "V-265518",
      "ruleId": "SV-265518r999924_rule",
      "severity": "high",
      "ruleTitle": "The NSX Tier-1 Gateway router must be configured to have all inactive interfaces removed.",
      "description": "An inactive interface is rarely monitored or controlled and may expose a network to an undetected attack on that interface. Unauthorized personnel with access to the communication facility could gain access to a router by connecting to a configured interface that is not in use.\n\nIf an interface is no longer used, the configuration must be deleted and the interface disabled. For sub-interfaces, delete sub-interfaces that are on inactive interfaces and delete sub-interfaces that are themselves inactive. If the sub-interface is no longer necessary for authorized communications, it must be deleted.",
      "checkContent": "From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-1 Gateways.\n\nFor every Tier-1 Gateway, expand the Tier-1 Gateway. Click on the number in the Linked Segments to review the currently linked segments.\n\nFor every Tier-1 Gateway, expand the Tier-1 Gateway. Expand Interfaces and GRE Tunnels, and click on the number of interfaces present to open the interfaces dialog.\n\nReview each interface or linked segment present to determine whether it is unused or inactive.\n\nIf there are any linked segments or service interfaces present on a Tier-1 Gateway that are not in use or inactive, this is a finding.",
      "fixText": "To remove a stale linked segment from a Tier-1 Gateway, do the following:\n\nFrom the NSX Manager web interface, go to Networking >> Connectivity >> Segments and edit the target segment.\n\nUnder Connected Gateway, change to \"None\" and click \"Save\".\n\nNote: The stale linked segment can also be deleted if there are no active workloads attached to it.\n\nTo remove a stale service interface from a Tier-1 Gateway, do the following:\n\nFrom the NSX Manager web interface, go to Networking >> Connectivity >> Tier-1 Gateways >> Edit the target Tier-1 gateway.\n\nExpand \"Interfaces and GRE Tunnels\", then click on the number of interfaces present to open the interfaces dialog.\n\nOn the stale service interface, select \"Delete\" and click \"Delete\" again to confirm.",
      "ccis": ["CCI-001414"]
    },
    {
      "vulnId": "V-265529",
      "ruleId": "SV-265529r999926_rule",
      "severity": "low",
      "ruleTitle": "The NSX Tier-1 Gateway router must be configured to have the DHCP service disabled if not in use.",
      "description": "A compromised router introduces risk to the entire network infrastructure, as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of attacks by malicious users within the network. Preventing network breaches from within is dependent on implementing a comprehensive defense-in-depth strategy, including securing each device connected to the network. This is accomplished by following and implementing all security guidance applicable for each node type. A fundamental step in securing each router is to enable only the capabilities required for operation.",
      "checkContent": "From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-1 Gateways.\n\nFor every Tier-1 Gateway, expand the Tier-1 Gateway to view the DHCP configuration.\n\nIf a DHCP profile is configured and not in use, this is a finding.",
      "fixText": "From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-1 Gateways and edit the target Tier-1 gateway.\n\nClick \"Set DHCP Configuration\", select \"No Dynamic IP Address Allocation\", click \"Save\", and then close \"Editing\".",
      "ccis": ["CCI-000381"]
    },
    {
      "vulnId": "V-265604",
      "ruleId": "SV-265604r995285_rule",
      "severity": "low",
      "ruleTitle": "The NSX Tier-1 Gateway router must be configured to advertise a hop limit of at least 32 in Router Advertisement messages for IPv6 stateless auto-configuration deployments.",
      "description": "The Neighbor Discovery protocol allows a hop limit value to be advertised by routers in a Router Advertisement message being used by hosts instead of the standardized default value. If a very small value was configured and advertised to hosts on the LAN segment, communications would fail due to the hop limit reaching zero before the packets sent by a host reached its destination.",
      "checkContent": "If IPv6 forwarding is not enabled, this is Not Applicable.\n\nFrom the NSX Manager web interface, go to Networking >> Connectivity >> Tier-1 Gateways.\n\nFor every Tier-1 Gateway, expand Tier-1 Gateway >> Additional Settings.\n\nClick on the ND profile name to view the hop limit.\n\nIf the hop limit is not configured to at least 32, this is a finding.",
      "fixText": "To configure the Neighbor Discovery hop limit, do the following:\n\nFrom the NSX Manager web interface, go to Networking >> Connectivity >> Tier-1 Gateways >> edit the target Tier-1 gateway.\n\nExpand Additional Settings and select an \"ND Profile\" from the drop down with a hop limit of 32 or more, then click \"Close Editing\".\n\nNote: The default ND profile has a hop limit of 64 and cannot be edited. If required, create a new ND profile or edit another existing ND profile to use.",
      "ccis": ["CCI-000366"]
    },
    {
      "vulnId": "V-265608",
      "ruleId": "SV-265608r999927_rule",
      "severity": "low",
      "ruleTitle": "The NSX Tier-1 Gateway router must be configured to have multicast disabled if not in use.",
      "description": "A compromised router introduces risk to the entire network infrastructure, as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of attacks by malicious users within the network. Preventing network breaches from within is dependent on implementing a comprehensive defense-in-depth strategy, including securing each device connected to the network. This is accomplished by following and implementing all security guidance applicable for each node type. A fundamental step in securing each router is to enable only the capabilities required for operation.",
      "checkContent": "From the NSX Manager web interface, go to Networking >> Connectivity >> Tier-1 Gateways.\n\nFor every Tier-1 Gateway, expand the Tier-1 Gateway then expand Multicast to view the Multicast configuration.\n\nIf Multicast is enabled and not in use, this is a finding.\n\nIf a Tier-1 Gateway is not linked to a Tier-0 Gateway, this is Not Applicable.",
      "fixText": "If not used, disable Multicast by doing the following:\n\nFrom the NSX Manager web interface, go to Networking >> Connectivity >> Tier-1 Gateways and edit the target Tier-1 gateway.\n\nExpand Multicast and change from \"Enabled\" to \"Disabled\" and then click \"Save\".",
      "ccis": ["CCI-000381"]
    }
  ]
}
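The four checks above are written as click-through procedures in the NSX Manager UI. The script below is an added example (not part of the STIG and not VMware's tooling) that applies the same four rules, including the two Not Applicable conditions, to a dict shaped like NSX Policy API responses, so the audit can be repeated across many Tier-1 Gateways. The field names it reads (path, tier0_path, dhcp_config_path, ipv6_profile_paths, connectivity_path, ra_config.hop_limit, enabled) are my reading of the Policy API schema and should be verified against your NSX version; the sample inventory is constructed, not captured from a real deployment. The one thing the API cannot decide is whether a segment, service interface, DHCP config or multicast is actually "in use", so that operator judgement is passed in as a Usage record.

```python
"""Audit NSX Tier-1 Gateways against the four STIG checks on this page.

Added example, not part of the STIG or of VMware's tooling. Field names follow
the NSX Policy API schema as assumed in the lead-in; verify against your version.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

ND_HOP_LIMIT_MIN = 32  # V-265604: advertised hop limit must be at least 32


@dataclass
class Usage:
    """Object paths the operator has confirmed are actively used (assumed input)."""
    segments: Set[str] = field(default_factory=set)
    interfaces: Set[str] = field(default_factory=set)
    dhcp_configs: Set[str] = field(default_factory=set)
    multicast_tier1s: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    tier1_path: str
    detail: str


def audit_tier1s(inventory: Dict, usage: Usage, ipv6_forwarding: bool) -> List[Finding]:
    """Return one Finding per STIG violation across all Tier-1 Gateways."""
    findings: List[Finding] = []
    ndra_profiles = inventory["ndra_profiles"]
    for t1 in inventory["tier1s"]:
        t1_path = t1["path"]

        # V-265518: linked segments and service interfaces that are not in use.
        for seg in inventory["segments"]:
            if seg.get("connectivity_path") == t1_path and seg["path"] not in usage.segments:
                findings.append(Finding("V-265518", t1_path, "inactive linked segment " + seg["path"]))
        for intf in inventory["interfaces"].get(t1_path, []):
            if intf["path"] not in usage.interfaces:
                findings.append(Finding("V-265518", t1_path, "inactive service interface " + intf["path"]))

        # V-265529: a DHCP config is attached but the operator reports it unused.
        dhcp_path = t1.get("dhcp_config_path")
        if dhcp_path and dhcp_path not in usage.dhcp_configs:
            findings.append(Finding("V-265529", t1_path, "unused DHCP config " + dhcp_path))

        # V-265604: ND profile hop limit; Not Applicable when IPv6 forwarding is off.
        if ipv6_forwarding:
            for prof_path in t1.get("ipv6_profile_paths", []):
                profile = ndra_profiles.get(prof_path)
                if profile is None:
                    continue  # e.g. a DAD profile path, which carries no hop limit
                hop_limit = profile.get("ra_config", {}).get("hop_limit", 0)
                if hop_limit < ND_HOP_LIMIT_MIN:
                    findings.append(Finding("V-265604", t1_path,
                                            f"ND profile {prof_path} advertises hop limit {hop_limit}"))

        # V-265608: multicast enabled but unused; Not Applicable if not linked to a Tier-0.
        if t1.get("tier0_path"):
            multicast = inventory["multicast"].get(t1_path, {})
            if multicast.get("enabled") and t1_path not in usage.multicast_tier1s:
                findings.append(Finding("V-265608", t1_path, "multicast enabled but not in use"))
    return findings


# Constructed sample inventory (not captured from a real NSX Manager).
SAMPLE_INVENTORY = {
    "tier1s": [
        {"path": "/infra/tier-1s/T1-app", "tier0_path": "/infra/tier-0s/T0-edge",
         "dhcp_config_path": "/infra/dhcp-server-configs/dhcp-app",
         "ipv6_profile_paths": ["/infra/ipv6-ndra-profiles/default",
                                "/infra/ipv6-dad-profiles/default"]},
        {"path": "/infra/tier-1s/T1-standalone",
         "ipv6_profile_paths": ["/infra/ipv6-ndra-profiles/low-hops"]},
    ],
    "segments": [
        {"path": "/infra/segments/seg-web", "connectivity_path": "/infra/tier-1s/T1-app"},
        {"path": "/infra/segments/seg-old", "connectivity_path": "/infra/tier-1s/T1-app"},
        {"path": "/infra/segments/seg-isolated"},  # not attached to any gateway
    ],
    "interfaces": {
        "/infra/tier-1s/T1-app": [
            {"path": "/infra/tier-1s/T1-app/locale-services/default/interfaces/si-legacy"},
        ],
    },
    "multicast": {
        "/infra/tier-1s/T1-app": {"enabled": True},
        "/infra/tier-1s/T1-standalone": {"enabled": True},  # NA: no Tier-0 link
    },
    "ndra_profiles": {
        "/infra/ipv6-ndra-profiles/default": {"ra_config": {"hop_limit": 64}},
        "/infra/ipv6-ndra-profiles/low-hops": {"ra_config": {"hop_limit": 8}},
    },
}

# Operator-supplied view of what is in use: only seg-web is active.
SAMPLE_USAGE = Usage(segments={"/infra/segments/seg-web"})


def run_sample(ipv6_forwarding: bool = True) -> List[Finding]:
    return audit_tier1s(SAMPLE_INVENTORY, SAMPLE_USAGE, ipv6_forwarding)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding.vuln_id, finding.tier1_path, finding.detail)
```

On the constructed sample this reports five findings: the stale segment and the stale service interface on T1-app (V-265518), its unused DHCP config (V-265529), its enabled-but-unused multicast (V-265608), and the 8-hop ND profile on T1-standalone (V-265604). Multicast on T1-standalone is skipped because it has no tier0_path, and the whole hop-limit check drops out when ipv6_forwarding is False, matching the two Not Applicable clauses in the checks. To run it against a live system, populate the inventory from the Policy API collections for tier-1s, segments, each Tier-1's locale-services interfaces and multicast config, and ipv6-ndra-profiles (assumed endpoints; confirm them in the API reference for your release), and fill Usage from port counts, DHCP lease activity and multicast group state rather than from memory.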