
VMware NSX 4.x Tier-0 Gateway Router Security Technical Implementation Guide

Version: V1R2

Benchmark ID: VMW_NSX_4-x_Tier0_GW_RTR_STIG

Total Checks: 16

Tags: network, vmware

CAT I: 6, CAT II: 5, CAT III: 5

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (16)

  • V-265390 (HIGH): The NSX Tier-0 Gateway router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.
  • V-265393 (HIGH): The NSX Tier-0 Gateway router must be configured to have all inactive interfaces removed.
  • V-265404 (LOW): The NSX Tier-0 Gateway router must be configured to have the Dynamic Host Configuration Protocol (DHCP) service disabled if not in use.
  • V-265406 (HIGH): The NSX Tier-0 Gateway router must be configured to use encryption for Open Shortest Path First (OSPF) routing protocol authentication.
  • V-265428 (HIGH): The NSX Tier-0 Gateway router must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field by enabling Unicast Reverse Path Forwarding (uRPF).
  • V-265431 (HIGH): The NSX Tier-0 Gateway router must be configured to implement message authentication for all control plane protocols.
  • V-265432 (MEDIUM): The NSX Tier-0 Gateway must be configured to use a unique password for each autonomous system (AS) with which it peers.
  • V-265441 (MEDIUM): The NSX Tier-0 Gateway router must be configured to have Internet Control Message Protocol (ICMP) unreachable notifications disabled on all external interfaces.
  • V-265442 (MEDIUM): The NSX Tier-0 Gateway router must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces.
  • V-265443 (MEDIUM): The NSX Tier-0 Gateway router must be configured to have Internet Control Message Protocol (ICMP) redirects disabled on all external interfaces.
  • V-265444 (MEDIUM): The NSX Tier-0 Gateway router must be configured to use the Border Gateway Protocol (BGP) maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.
  • V-265468 (LOW): The NSX Tier-0 Gateway router must be configured to use its loopback address as the source address for Internal Border Gateway Protocol (IBGP) peering sessions.
  • V-265479 (LOW): The NSX Tier-0 Gateway router must be configured to advertise a hop limit of at least 32 in Router Advertisement messages for IPv6 stateless auto-configuration deployments.
  • V-265483 (LOW): The NSX Tier-0 Gateway router must be configured to have routing protocols disabled if not in use.
  • V-265484 (LOW): The NSX Tier-0 Gateway router must be configured to have multicast disabled if not in use.
  • V-265485 (HIGH): The NSX Tier-0 Gateway router must be configured to use encryption for border gateway protocol (BGP) routing protocol authentication.