The NSX-T Tier-0 Gateway must be configured to restrict traffic destined to itself.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-251749 | T0RT-3X-000038 | SV-251749r810131_rule | High |
| Description |
|---|
| The route processor handles traffic destined to the router, the key component used to build forwarding paths, and is also instrumental with all network management functions. Hence, any disruption or DoS attack to the route processor can result in mission critical network outages. |
| STIG | Date |
|---|---|
| VMware NSX-T Tier-0 Gateway RTR Security Technical Implementation Guide | 2022-09-01 |
Details
| Check Text ( C-55186r810129_chk ) |
|---|
| If the Tier-0 Gateway is deployed in an Active/Active HA mode, this is Not Applicable. From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules and choose each Tier-0 Gateway in the drop-down. Review each Tier-0 Gateway Firewalls rules to verify rules exist to restrict traffic to itself. If a rule or rules do not exist to restrict traffic to external interface IPs, this is a finding. |
| Fix Text (F-55140r810130_fix) |
|---|
| To configure firewall rule(s) to restrict traffic destined to interfaces on a Tier-0 Gateway do the following: From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules and select the target Tier-0 Gateway from the drop-down. Click "Add Rule" (Add a policy first if needed) and configure the destinations to include all IPs for external interfaces. Update the action to "Drop" or "Reject". Enable logging, then under the "Applied To" field, select the target Tier-0 Gateways and click "Publish" to enforce the new rule. Other rules may be constructed to allow traffic to external interface IPs if required above this default deny rule. |