| V-69139 | Medium | The NSX Distributed Firewall must enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic. | Information flow control regulates where information is allowed to travel within a network. The flow of all network traffic must be monitored and controlled so it does not introduce any... |
| V-69137 | Medium | The NSX Distributed Firewall must enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies. | Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and... |
| V-69149 | Medium | The NSX Distributed Firewall must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port... |
| V-69159 | Medium | The NSX Distributed Firewall must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding. | A compromised host in an enclave can be used by a malicious actor as a platform to launch cyber attacks on third parties. This is a common practice in "botnets", which are a collection of... |
| V-69155 | Medium | The NSX Distributed Firewall must generate audit records when successful/unsuccessful attempts to modify security objects occur. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an... |
| V-69143 | Medium | The NSX Distributed Firewall must not have unnecessary services and functions enabled. | Information systems are capable of providing a wide variety of functions (capabilities or processes) and services. Some of these functions and services are installed and enabled by default. The... |
| V-69157 | Medium | The NSX Distributed Firewall must generate audit records when successful/unsuccessful attempts to delete security objects occur. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an... |
| V-69141 | Medium | The NSX Distributed Firewall must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. Blocking or restricting detected harmful or suspicious... |
| V-69151 | Medium | The NSX Distributed Firewall must off-load audit records onto a centralized log server. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Off-loading is a common process in information systems with limited audit storage capacity.
... |
| V-69147 | Medium | The NSX Distributed Firewall must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.
As a managed interface, the ALG must block... |
| V-69153 | Medium | The NSX Distributed Firewall must generate audit records when successful/unsuccessful attempts to access security objects occur. | Without generating audit records that log usage of objects by subjects and other objects, it would be difficult to establish, correlate, and investigate the events relating to an incident, or... |
| V-69145 | Medium | The NSX Distributed Firewall must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must... |
