The NSX-T Tier-1 Gateway Firewall must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-251764	T1FW-3X-000019	SV-251764r810187_rule		Medium

Description
DoS attacks can take multiple forms but have the common objective of overloading or blocking a network or host to deny or seriously degrade performance. If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Installation of a firewall at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume/type. The firewall must include protection against DoS attacks that originate from inside the enclave that can affect either internal or external systems. These attacks may use legitimate or rogue endpoints from inside the enclave. These attacks can be simple "floods" of traffic to saturate circuits or devices, malware that consumes CPU and memory on a device or causes it to crash, or a configuration issue that disables or impairs the proper function of a device. For example, an accidental or deliberate misconfiguration of a routing table can misdirect traffic for multiple networks. Satisfies: SRG-NET-000192-FW-000029, SRG-NET-000193-FW-000030

Description

DoS attacks can take multiple forms but have the common objective of overloading or blocking a network or host to deny or seriously degrade performance. If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Installation of a firewall at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume/type. The firewall must include protection against DoS attacks that originate from inside the enclave that can affect either internal or external systems. These attacks may use legitimate or rogue endpoints from inside the enclave. These attacks can be simple "floods" of traffic to saturate circuits or devices, malware that consumes CPU and memory on a device or causes it to crash, or a configuration issue that disables or impairs the proper function of a device. For example, an accidental or deliberate misconfiguration of a routing table can misdirect traffic for multiple networks. Satisfies: SRG-NET-000192-FW-000029, SRG-NET-000193-FW-000030

STIG	Date
VMware NSX-T Tier 1 Gateway Firewall Security Technical Implementation Guide	2022-09-01

Details

Check Text ( C-55201r810185_chk )
From the NSX-T Manager web interface, go to Security >> Security Profiles >> Flood Protection to view Flood Protection profiles. If there are no Flood Protection profiles of type "Gateway", this is a finding. For each gateway flood protection profile, verify the TCP Half Open Connection limit, UDP Active Flow Limit, ICMP Active Flow Limit, and Other Active Connection Limit are set to "not set" or SYN Cache and RST Spoofing is not Enabled on a profile. If not, this is a finding. For each gateway flood protection profile, examine the Applied To field to view the Tier-1 Gateways it is applied to. If a gateway flood protection profile is not applied to all Tier-1 Gateways through one or more policies, this is a finding.

Check Text ( C-55201r810185_chk )

From the NSX-T Manager web interface, go to Security >> Security Profiles >> Flood Protection to view Flood Protection profiles.

If there are no Flood Protection profiles of type "Gateway", this is a finding.

For each gateway flood protection profile, verify the TCP Half Open Connection limit, UDP Active Flow Limit, ICMP Active Flow Limit, and Other Active Connection Limit are set to "not set" or SYN Cache and RST Spoofing is not Enabled on a profile. If not, this is a finding.

For each gateway flood protection profile, examine the Applied To field to view the Tier-1 Gateways it is applied to.

If a gateway flood protection profile is not applied to all Tier-1 Gateways through one or more policies, this is a finding.

Fix Text (F-55155r810186_fix)
To create a new Flood Protection profile do the following: From the NSX-T Manager web interface, go to Security >> Security Profiles >> Flood Protection >> Add Profile >> Add Firewall Profile. Enter a name and specify appropriate values for the following: TCP Half Open Connection limit, UDP Active Flow Limit, ICMP Active Flow Limit, and Other Active Connection Limit. Enable SYN Cache and RST Spoofing, then configure the "Applied To" field to contain Tier-1 Gateways and then click "Save".

Fix Text (F-55155r810186_fix)

To create a new Flood Protection profile do the following:

From the NSX-T Manager web interface, go to Security >> Security Profiles >> Flood Protection >> Add Profile >> Add Firewall Profile.

Enter a name and specify appropriate values for the following: TCP Half Open Connection limit, UDP Active Flow Limit, ICMP Active Flow Limit, and Other Active Connection Limit.

Enable SYN Cache and RST Spoofing, then configure the "Applied To" field to contain Tier-1 Gateways and then click "Save".