| Vuln ID | Severity | Rule Title | Discussion |
|---|---|---|---|
| V-251749 | High | The NSX-T Tier-0 Gateway must be configured to restrict traffic destined to itself. | The route processor handles traffic destined to the router, the key component used to build forwarding paths, and is also instrumental with all network management functions. Hence, any disruption... |
| V-251750 | High | Unicast Reverse Path Forwarding (uRPF) must be enabled on the NSX-T Tier-0 Gateway. | A compromised host in an enclave can be used by a malicious platform to launch cyber attacks on third parties. This is a common practice in "botnets", which are a collection of compromised... |
| V-251748 | Medium | The NSX-T Tier-0 Gateway must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks. | DoS is a condition when a resource is not available for legitimate users. Packet flooding distributed denial-of-service (DDoS) attacks are referred to as volumetric attacks and have the objective... |
| V-251753 | Medium | The NSX-T Tier-0 Gateway must be configured to have Internet Control Message Protocol (ICMP) unreachable notifications disabled on all external interfaces. | The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Host unreachable ICMP... |
| V-251752 | Medium | The NSX-T Tier-0 Gateway must be configured to use a unique key for each autonomous system (AS) with which it peers. | If the same keys are used between eBGP neighbors, the chance of a hacker compromising any of the BGP sessions increases. It is possible that a malicious user exists in one autonomous system who... |
| V-251751 | Medium | The NSX-T Tier-0 Gateway must be configured to implement message authentication for all control plane protocols. | A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to... |
| V-251744 | Medium | The NSX-T Tier-0 Gateway must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS). | Accepting route advertisements belonging to the local AS can result in traffic looping or being black holed, or at a minimum using a non-optimized path. |
| V-251745 | Medium | The NSX-T Tier-0 Gateway must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing. | If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel. Limiting where, within the network, a given... |
| V-251756 | Medium | The NSX-T Tier-0 Gateway must be configured to use the BGP maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks. | The effects of prefix de-aggregation can degrade router performance due to the size of routing tables and also result in black-holing legitimate traffic. Initiated by an attacker or a... |
| V-251755 | Medium | The NSX-T Tier-0 Gateway must be configured to have Internet Control Message Protocol (ICMP) redirects disabled on all external interfaces. | The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Redirect ICMP... |
| V-251754 | Medium | The NSX-T Tier-0 Gateway must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces. | The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Mask Reply ICMP... |
| V-251759 | Low | The NSX-T Tier-0 Gateway must be configured to have multicast disabled if not in use. | A compromised router introduces risk to the entire network infrastructure, as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of... |
| V-251758 | Low | The NSX-T Tier-0 Gateway must be configured to have routing protocols disabled if not in use. | A compromised router introduces risk to the entire network infrastructure, as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of... |
| V-251746 | Low | The NSX-T Tier-0 Gateway must be configured to have all inactive interfaces removed. | An inactive interface is rarely monitored or controlled and may expose a network to an undetected attack on that interface. If an interface is no longer used, the configuration must be deleted. |
| V-251747 | Low | The NSX-T Tier-0 Gateway must be configured to have the DHCP service disabled if not in use. | A compromised router introduces risk to the entire network infrastructure, as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of... |
| V-251757 | Low | The NSX-T Tier-0 Gateway must be configured to use its loopback address as the source address for iBGP peering sessions. | Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of the BGP routers. It is easier to construct appropriate ingress... |