
The NSX-T Tier-0 Gateway must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces.


Overview

Finding ID: V-251754
Version: T0RT-3X-000065
Rule ID: SV-251754r856695_rule
IA Controls: (none listed)
Severity: Medium
Description
ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. ICMP Mask Reply messages are commonly used by attackers for network mapping and diagnosis.
STIG: VMware NSX-T Tier-0 Gateway RTR Security Technical Implementation Guide
Date: 2022-09-01

Details

Check Text (C-55191r810144_chk)
If the Tier-0 Gateway is deployed in an Active/Active HA mode, this is Not Applicable.

From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules, and choose each Tier-0 Gateway in the drop-down.

Review each Tier-0 Gateway Firewall rule to verify one exists to drop ICMP mask replies.

If a rule does not exist to drop ICMP mask replies, this is a finding.
Fix Text (F-55145r810145_fix)
To configure a shared rule to drop ICMP mask replies, do the following:

From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> All Shared Rules.

Click "Add Rule" (add a policy first if needed), under "Services" select the custom service that identifies ICMP mask replies, and then click "Apply".

Enable logging, under the "Applied To" field select the target Tier-0 Gateways, and then click "Publish" to enforce the new rule.

Note: A rule can also be created under Gateway Specific Rules to meet this requirement.

Note: A pre-created service for ICMP mask replies does not exist by default and may need to be created.
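The check above is a manual review in the NSX-T Manager UI. The following is an added example (not part of the STIG or of VMware's tooling) of the same check expressed as a script over gateway firewall policy and service objects shaped like NSX-T Policy API responses; it assumes the field names `service_entries`, `ICMPTypeServiceEntry`, `icmp_type`, `action`, `scope` and `disabled`, and the sample data is constructed, not captured from a real manager.

```python
# ICMPv4 type 18 is "Address Mask Reply" (RFC 950).
ICMP_MASK_REPLY_TYPE = 18
BLOCKING_ACTIONS = {"DROP", "REJECT"}

def mask_reply_service_paths(services):
    """Paths of services with an ICMPv4 type-18 entry (the custom service the fix text creates)."""
    paths = set()
    for svc in services:
        for entry in svc.get("service_entries", []):
            if (entry.get("resource_type") == "ICMPTypeServiceEntry"
                    and entry.get("protocol") == "ICMPv4"
                    and entry.get("icmp_type") == ICMP_MASK_REPLY_TYPE):
                paths.add(svc["path"])
    return paths

def gateways_without_mask_reply_drop(policies, services, tier0_paths):
    """Tier-0 paths with no enabled DROP/REJECT rule on a mask-reply service; each one is a finding."""
    mask_svcs = mask_reply_service_paths(services)
    covered = set()
    for policy in policies:
        for rule in policy.get("rules", []):
            if rule.get("disabled") or rule.get("action") not in BLOCKING_ACTIONS:
                continue
            if not mask_svcs.intersection(rule.get("services", [])):
                continue
            # "Applied To" in the UI is the rule's scope: the gateways it is enforced on.
            covered.update(set(rule.get("scope", [])) & set(tier0_paths))
    return sorted(set(tier0_paths) - covered)

# Constructed sample data (assumed API shape); not from a real NSX-T Manager.
TIER0S = ["/infra/tier-0s/t0-core", "/infra/tier-0s/t0-branch"]
SERVICES = [
    {"path": "/infra/services/ICMP-Mask-Reply",
     "service_entries": [{"resource_type": "ICMPTypeServiceEntry",
                          "protocol": "ICMPv4", "icmp_type": 18}]},
    {"path": "/infra/services/ICMP-Echo-Reply",   # decoy: type 0 is not a mask reply
     "service_entries": [{"resource_type": "ICMPTypeServiceEntry",
                          "protocol": "ICMPv4", "icmp_type": 0}]},
]
POLICIES = [
    {"id": "shared-icmp-hardening", "rules": [
        {"id": "drop-mask-reply", "action": "DROP", "disabled": False,
         "services": ["/infra/services/ICMP-Mask-Reply"],
         "scope": ["/infra/tier-0s/t0-core"]},
        {"id": "allow-echo-reply", "action": "ALLOW", "disabled": False,
         "services": ["/infra/services/ICMP-Echo-Reply"],
         "scope": ["/infra/tier-0s/t0-branch"]},
    ]},
]

if __name__ == "__main__":
    for gw in gateways_without_mask_reply_drop(POLICIES, SERVICES, TIER0S):
        print(f"FINDING: no rule drops ICMP mask replies on {gw}")
```

With the sample data, only t0-core is covered, so t0-branch is reported as a finding; an Active/Active Tier-0 would be filtered out before the check, since the requirement is Not Applicable there.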