{"stig":{"title":"VMware NSX-T Tier 1 Gateway Firewall Security Technical Implementation Guide","version":"1","release":"3"},"checks":[{"vulnId":"V-251761","ruleId":"SV-251761r810178_rule","severity":"medium","ruleTitle":"The NSX-T Tier-1 Gateway Firewall must generate traffic log entries containing information to establish what type of events occurred.","description":"Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.\n\nAudit event content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\n\nAssociating event types with detected events in the network element logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured network element.","checkContent":"From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules. \n\nFor each Tier-1 Gateway and for each rule, click the gear icon and verify the Logging setting.\n\nIf Logging is not \"Enabled\", this is a finding.","fixText":"From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules. \n\nFor each Tier-1 Gateway and for each rule with logging disabled, click the gear icon and enable Logging, then click \"Apply\".\n\nAfter all changes are made, click \"Publish\".","ccis":["CCI-000130"]},{"vulnId":"V-251762","ruleId":"SV-251762r919235_rule","severity":"low","ruleTitle":"The NSX-T Tier-1 Gateway Firewall must generate traffic log entries containing information to establish the details of the event.","description":"Without sufficient information to analyze the event, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.\n\nAudit event content that must be included to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\n\nThe firewall must also generate traffic log records when traffic is denied, restricted, or discarded as well as when attempts are made to send packets between security zones that are not authorized to communicate.\n\nSatisfies: SRG-NET-000075-FW-000010, SRG-NET-000076-FW-000011, SRG-NET-000077-FW-000012, SRG-NET-000078-FW-000013, SRG-NET-000399-FW-000008, SRG-NET-000492-FW-000006, SRG-NET-000493-FW-000007","checkContent":"From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules. \n\nFor each Tier-1 Gateway and for each rule, click the gear icon and verify the Logging setting.\n\nIf Logging is not \"Enabled\", this is a finding.","fixText":"From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules. \n\nFor each Tier-1 Gateway and for each rule with logging disabled, click the gear icon and enable Logging and then click \"Apply\".\n\nAfter all changes are made, click \"Publish\".","ccis":["CCI-000131","CCI-000132","CCI-000133","CCI-000134","CCI-000172","CCI-001462"]},{"vulnId":"V-251763","ruleId":"SV-251763r919237_rule","severity":"medium","ruleTitle":"Each NSX-T Edge Node configured to host a Tier-1 Gateway Firewall must be configured to use the TLS or LI-TLS protocols to configure and secure traffic log records.","description":"It is critical that when the network element is at risk of failing to process traffic logs as required, it takes action to mitigate the failure, secure collected log data, and  restrict access to authorized personnel. Methods of protection may include encryption or logical separation.\n\nIn accordance with DOD policy, the traffic log must be sent to a central audit server. \n\nThis does not apply to traffic logs generated on behalf of the device itself (management). Some devices store traffic logs separately from the system logs.\n\nSatisfies: SRG-NET-000089-FW-000019, SRG-NET-000098-FW-000021","checkContent":"From an NSX-T Edge Node shell hosting the Tier-1 Gateway, run the following command(s):\n\n> get logging-servers\n\nIf any configured logging-servers are not configured with protocol of \"li-tls\" or \"tls\" and level of \"info\", this is a finding.\n\nIf no logging-servers are configured, this is a finding.\n\nNote: This check must be run from each NSX-T Edge Node hosting the Tier-1 Gateway, as they are configured individually.","fixText":"(Optional) From an NSX-T Edge Gateway shell, run the following command(s) to clear any existing incorrect logging-servers:\n\n> clear logging-servers\n\nFrom an NSX-T Edge Node shell, run the following command(s) to configure a tls syslog server:\n\n> set logging-server <server-ip or server-name> proto tls level info serverca ca.pem clientca ca.pem certificate cert.pem key key.pem\n\nFrom an NSX-T Edge Node shell, run the following command(s) to configure a li-tls syslog server:\n\n> set logging-server <server-ip or server-name> proto li-tls level info serverca root-ca.crt\n\nNote: If using the protocols TLS or LI-TLS to configure a secure connection to a log server, the server and client certificates must be stored in /var/vmware/nsx/file-store/ on each NSX-T Edge Gateway appliance.","ccis":["CCI-000140","CCI-000162"]},{"vulnId":"V-251764","ruleId":"SV-251764r919240_rule","severity":"medium","ruleTitle":"The NSX-T Tier-1 Gateway Firewall must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.","description":"DoS attacks can take multiple forms but have the common objective of overloading or blocking a network or host to deny or seriously degrade performance. If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users.\n\nInstallation of a firewall at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume/type.\n\nThe firewall must include protection against DoS attacks that originate from inside the enclave that can affect either internal or external systems. These attacks may use legitimate or rogue endpoints from inside the enclave. These attacks can be simple \"floods\" of traffic to saturate circuits or devices, malware that consumes CPU and memory on a device or causes it to crash, or a configuration issue that disables or impairs the proper function of a device. For example, an accidental or deliberate misconfiguration of a routing table can misdirect traffic for multiple networks.\n\nSatisfies: SRG-NET-000192-FW-000029, SRG-NET-000193-FW-000030","checkContent":"From the NSX-T Manager web interface, go to Security >> General Settings >> Firewall >> Flood Protection to view Flood Protection profiles.\n\nIf there are no Flood Protection profiles of type \"Gateway\", this is a finding.\n\nFor each gateway flood protection profile, verify the TCP Half Open Connection limit, UDP Active Flow Limit, ICMP Active Flow Limit, and Other Active Connection Limit are set to \"None\".\n\nIf they are not, this is a finding.\n\nFor each gateway flood protection profile, examine the \"Applied To\" field to view the Tier-1 Gateways to which it is applied.\n\nIf a gateway flood protection profile is not applied to all Tier-1 Gateways through one or more policies, this is a finding.","fixText":"To create a new Flood Protection profile, do the following:\n\nFrom the NSX-T Manager web interface, go to Security >> General Settings >> Firewall >> Flood Protection >> Add Profile >> Add Firewall Profile.\n\nEnter a name and specify appropriate values for the following: TCP Half Open Connection limit, UDP Active Flow Limit, ICMP Active Flow Limit, and Other Active Connection Limit.\n\nConfigure the \"Applied To\" field to contain Tier-1 Gateways and then click \"Save\".","ccis":["CCI-001094","CCI-001095"]},{"vulnId":"V-251765","ruleId":"SV-251765r810190_rule","severity":"medium","ruleTitle":"The NSX-T Tier-1 Gateway Firewall must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).","description":"To prevent malicious or accidental leakage of traffic, organizations must implement a deny-by-default security posture at the network perimeter. Such rulesets prevent many malicious exploits or accidental leakage by restricting the traffic to only known sources and only those ports, protocols, or services that are permitted and operationally necessary. This configuration which is in the Manager function of the NSX-T implementation also helps prevent the firewall instance from failing to a state that may cause unauthorized access to make changes to the firewall filtering functions. \n\nAs a managed boundary interface, the firewall must block all inbound and outbound network traffic unless a filter is installed to explicitly allow it. The allow filters must comply with the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and Vulnerability Assessment (VA).\n\nSatisfies: SRG-NET-000235-FW-000133, SRG-NET-000236-FW-000027","checkContent":"From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules >> Choose each Tier-1 Gateway in drop-down >> Policy_Default_Infra Section >> Action.\n\nIf the default_rule is set to Allow, this is a finding.","fixText":"From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules >> Choose each Tier-1 Gateway in drop-down >> Policy_Default_Infra Section >> Action >> change the Action to Drop or Reject and click Publish.","ccis":["CCI-001109","CCI-001190","CCI-001665"]},{"vulnId":"V-251766","ruleId":"SV-251766r863248_rule","severity":"medium","ruleTitle":"The NSX-T Tier-1 Gateway Firewall must be configured to send traffic log entries to a central audit server for management and configuration of the traffic log entries.","description":"Without the ability to centrally manage the content captured in the traffic log entries, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an ongoing attack.\n\nThe DoD requires centralized management of all network component audit record content. Network components requiring centralized traffic log management must have the ability to support centralized management. The content captured in traffic log entries must be managed from a central location (necessitating automation). Centralized management of traffic log records and logs provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. \n\nEnsure at least one syslog server is configured on the firewall.\n\nIf the product inherently has the ability to store log records locally, the local log must also be secured. However, this requirement is not met since it calls for a use of a central audit server.","checkContent":"Note: This check must be run from each NSX-T Edge Node hosting the Tier-1 Gateway, as they are configured individually.\n\nFrom an NSX-T Edge Node shell hosting the Tier-1 Gateway, run the following command(s):\n\n> get logging-servers\n\nIf any configured logging-servers are not configured with protocol of \"li-tls\" or \"tls\" and level of \"info\", this is a finding.\n\nIf no logging-servers are configured, this is a finding.","fixText":"(Optional) From an NSX-T Edge Gateway shell, run the following command(s) to clear any existing incorrect logging-servers:\n\n> clear logging-servers\n\nFrom an NSX-T Edge Node shell, run the following command(s) to configure a tls syslog server:\n\n> set logging-server <server-ip or server-name> proto tls level info serverca ca.pem clientca ca.pem certificate cert.pem key key.pem\n\nFrom an NSX-T Edge Node shell, run the following command(s) to configure a li-tls syslog server:\n\n> set logging-server <server-ip or server-name> proto li-tls level info serverca root-ca.crt\n\nNote: Configure the syslog or SNMP server to send an alert if the events server is unable to receive events from the NSX-T and also if DoS incidents are detected. This is true if the events server is STIG compliant.\n\nNote: If using the protocols TLS or LI-TLS to configure a secure connection to a log server, the server and client certificates must be stored in /var/vmware/nsx/file-store/ on each NSX-T Edge Gateway appliance.","ccis":["CCI-001844"]},{"vulnId":"V-251767","ruleId":"SV-251767r856686_rule","severity":"medium","ruleTitle":"The NSX-T Tier-1 Gateway Firewall must employ filters that prevent or limit the effects of all types of commonly known denial-of-service (DoS) attacks, including flooding, packet sweeps, and unauthorized port scanning.","description":"Not configuring a key boundary security protection device such as the firewall, against commonly known attacks is an immediate threat to the protected enclave because they are easily implemented by those with little skill. Directions for the attack are obtainable on the internet and in hacker groups. Without filtering enabled for these attacks, the firewall will allow these attacks beyond the protected boundary.\n\nConfigure the perimeter and internal boundary firewall to guard against the three general methods of well-known DoS attacks: flooding attacks, protocol sweeping attacks, and unauthorized port scanning.\n\nFlood attacks occur when the host receives too much traffic to buffer and slows down or crashes. Popular flood attacks include ICMP flood and SYN flood. A TCP flood attack of SYN packets initiating connection requests can overwhelm the device until it can no longer process legitimate connection requests, resulting in denial of service. An ICMP flood can overload the device with so many echo requests (ping requests) that it expends all its resources responding and can no longer process valid network traffic, also resulting in denial of service. An attacker might use session table floods and SYN-ACK-ACK proxy floods to fill up the session table of a host.\n\nIn an IP address sweep attack, an attacker sends ICMP echo requests (pings) to multiple destination addresses. If a target host replies, the reply reveals the target’s IP address to the attacker. In a TCP sweep attack, an attacker sends TCP SYN packets to the target device as part of the TCP handshake. If the device responds to those packets, the attacker gets an indication that a port in the target device is open, which makes the port vulnerable to attack. In a UDP sweep attack, an attacker sends UDP packets to the target device. If the device responds to those packets, the attacker gets an indication that a port in the target device is open, which makes the port vulnerable to attack.\n\nIn a port scanning attack, an unauthorized application is used to scan the host devices for available services and open ports for subsequent use in an attack. This type of scanning can be used as a DoS attack when the probing packets are sent excessively.","checkContent":"From the NSX-T Manager web interface, go to Security >> Security Profiles >> Flood Protection to view Flood Protection profiles.\n\nIf there are no Flood Protection profiles of type \"Gateway\", this is a finding.\n\nFor each gateway flood protection profile, verify the TCP Half Open Connection limit, UDP Active Flow Limit, ICMP Active Flow Limit, and Other Active Connection Limit are set to \"not set\" or SYN Cache and RST Spoofing is not Enabled on a profile, this is a finding.\n\nFor each gateway flood protection profile, examine the Applied To field to view the Tier-1 Gateways to which it is applied.\n\nIf a gateway flood protection profile is not applied to all Tier-1 Gateways through one or more policies, this is a finding.","fixText":"To create a new Flood Protection profile do the following:\n\nFrom the NSX-T Manager web interface, go to Security >> Security Profiles >> Flood Protection >> Add Profile >> Add Firewall Profile.\n\nEnter a name and specify appropriate values for the following: TCP Half Open Connection limit, UDP Active Flow Limit, ICMP Active Flow Limit, and Other Active Connection Limit.\n\nEnable SYN Cache and RST Spoofing, configure the Applied To field that contains Tier-1 Gateways, and then click \"Save\".","ccis":["CCI-002385"]},{"vulnId":"V-251768","ruleId":"SV-251768r856687_rule","severity":"medium","ruleTitle":"The NSX-T Tier-1 Gateway Firewall must apply ingress filters to traffic that is inbound to the network through any active external interface.","description":"Unrestricted traffic to the trusted networks may contain malicious traffic that poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nFirewall filters control the flow of network traffic and ensure the flow of traffic is only allowed from authorized sources to authorized destinations. Networks with different levels of trust (e.g., the internet) must be kept separated.","checkContent":"From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules. Choose each Tier-1 Gateway in the drop-down and review the firewall rules \"Applied To\" field to verify no rules are selectively applied to interfaces instead of the Gateway Firewall entity.\n\nIf any Gateway Firewall rules are applied to individual interfaces, this is a finding.","fixText":"From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules and choose the target Tier-1 Gateway from the drop-down.\n\nFor any rules that have individual interfaces specified in the \"Applied To\" field, click \"Edit\" on the \"Applied To\" column and remove the interfaces selected, leaving only the Tier-1 Gateway object type checked.\n\nClick \"Publish\" to save any rule changes.","ccis":["CCI-002403"]},{"vulnId":"V-251769","ruleId":"SV-251769r856688_rule","severity":"medium","ruleTitle":"The NSX-T Tier-1 Gateway Firewall must configure SpoofGuard to block outbound IP packets that contain illegitimate packet attributes.","description":"If outbound communications traffic is not filtered, hostile activity intended to harm other networks may not be detected and prevented.","checkContent":"From the NSX-T Manager web interface, go to Networking >> Segments, and for each Segment, view Segment Profiles >> SpoofGuard.\n\nIf a Segment is not configured with a SpoofGuard profile that has Port Binding enabled, this is a finding.","fixText":"To create a segment profile with SpoofGuard enabled do the following:\n\nFrom the NSX-T Manager web interface, go to Networking >> Segments >> Segment Profiles >> Add Segment Profile >> SpoofGuard.\n\nEnter a profile name and enable port bindings, then click \"Save\".\n\nTo update a Segment's SpoofGuard profile, do the following:\n\nFrom the NSX-T Manager web interface, go to the Networking >> Segments, then click \"Edit\" from the drop-down menu next to the target Segment.\n\nExpand Segment Profiles, choose the new SpoofGuard profile from the drop-down list, and then click \"Save\".","ccis":["CCI-002664"]}]}