VMware NSX Distributed Firewall Security Technical Implementation Guide

Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

VMware NSX Distributed Firewall Security Technical Implementation Guide

Overview

Version	Date	Finding Count (12)			Downloads
1	2016-06-27	CAT I (High): 0	CAT II (Med): 12	CAT III (Low): 0	Excel	JSON	XML

STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Available Profiles

Classified	Public	Sensitive
I - Mission Critical Classified	I - Mission Critical Public	I - Mission Critical Sensitive	II - Mission Support Classified	II - Mission Support Public	II - Mission Support Sensitive	III - Administrative Classified	III - Administrative Public	III - Administrative Sensitive

Findings (MAC III - Administrative Sensitive)

Finding ID	Severity	Title	Description
V-69139	Medium	The NSX Distributed Firewall must enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.	Information flow control regulates where information is allowed to travel within a network. The flow of all network traffic must be monitored and controlled so it does not introduce any...
V-69137	Medium	The NSX Distributed Firewall must enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies.	Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and...
V-69149	Medium	The NSX Distributed Firewall must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity.	Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port...
V-69159	Medium	The NSX Distributed Firewall must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding.	A compromised host in an enclave can be used by a malicious actor as a platform to launch cyber attacks on third parties. This is a common practice in "botnets", which are a collection of...
V-69155	Medium	The NSX Distributed Firewall must generate audit records when successful/unsuccessful attempts to modify security objects occur.	Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an...
V-69143	Medium	The NSX Distributed Firewall must not have unnecessary services and functions enabled.	Information systems are capable of providing a wide variety of functions (capabilities or processes) and services. Some of these functions and services are installed and enabled by default. The...
V-69157	Medium	The NSX Distributed Firewall must generate audit records when successful/unsuccessful attempts to delete security objects occur.	Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an...
V-69141	Medium	The NSX Distributed Firewall must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.	Information flow control regulates where information is allowed to travel within a network and between interconnected networks. Blocking or restricting detected harmful or suspicious...
V-69151	Medium	The NSX Distributed Firewall must off-load audit records onto a centralized log server.	Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. ...
V-69147	Medium	The NSX Distributed Firewall must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).	A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed. As a managed interface, the ALG must block...
V-69153	Medium	The NSX Distributed Firewall must generate audit records when successful/unsuccessful attempts to access security objects occur.	Without generating audit records that log usage of objects by subjects and other objects, it would be difficult to establish, correlate, and investigate the events relating to an incident, or...
V-69145	Medium	The NSX Distributed Firewall must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.	In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must...