
VMware NSX-T Tier-0 Gateway RTR Security Technical Implementation Guide


Overview

Date: 2022-09-01
Finding Count: 16 (CAT I (High): 2, CAT II (Med): 9, CAT III (Low): 5)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC II - Mission Support Sensitive)

Finding ID Severity Title
V-251749 High The NSX-T Tier-0 Gateway must be configured to restrict traffic destined to itself.
V-251750 High Unicast Reverse Path Forwarding (uRPF) must be enabled on the NSX-T Tier-0 Gateway.
V-251748 Medium The NSX-T Tier-0 Gateway must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.
V-251753 Medium The NSX-T Tier-0 Gateway must be configured to have Internet Control Message Protocol (ICMP) unreachable notifications disabled on all external interfaces.
V-251752 Medium The NSX-T Tier-0 Gateway must be configured to use a unique key for each autonomous system (AS) with which it peers.
V-251751 Medium The NSX-T Tier-0 Gateway must be configured to implement message authentication for all control plane protocols.
V-251744 Medium The NSX-T Tier-0 Gateway must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).
V-251745 Medium The NSX-T Tier-0 Gateway must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.
V-251756 Medium The NSX-T Tier-0 Gateway must be configured to use the BGP maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.
V-251755 Medium The NSX-T Tier-0 Gateway must be configured to have Internet Control Message Protocol (ICMP) redirects disabled on all external interfaces.
V-251754 Medium The NSX-T Tier-0 Gateway must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces.
V-251759 Low The NSX-T Tier-0 Gateway must be configured to have multicast disabled if not in use.
V-251758 Low The NSX-T Tier-0 Gateway must be configured to have routing protocols disabled if not in use.
V-251746 Low The NSX-T Tier-0 Gateway must be configured to have all inactive interfaces removed.
V-251747 Low The NSX-T Tier-0 Gateway must be configured to have the DHCP service disabled if not in use.
V-251757 Low The NSX-T Tier-0 Gateway must be configured to use its loopback address as the source address for iBGP peering sessions.