The NSX Distributed Firewall must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-69141	VNSX-FW-000003	SV-83745r1_rule		Medium

Description
Information flow control regulates where information is allowed to travel within a network and between interconnected networks. Blocking or restricting detected harmful or suspicious communications between interconnected networks enforces approved authorizations for controlling the flow of traffic. This requirement applies to the flow of information between the ALG when used as a gateway or boundary device which allows traffic flow between interconnected networks of differing security policies. The ALG is installed and configured such that it restricts or blocks information flows based on guidance in the PPSM regarding restrictions for boundary crossing for ports, protocols and services. Information flow restrictions may be implemented based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic. The ALG must be configured with policy filters (e.g., security policy, rules, and/or signatures) that restrict or block information system services; provide a packet-filtering capability based on header information; and/or perform message-filtering based on message content. The policy filters used depends upon the type of application gateway (e.g., web, email, or TLS).

Description

Information flow control regulates where information is allowed to travel within a network and between interconnected networks. Blocking or restricting detected harmful or suspicious communications between interconnected networks enforces approved authorizations for controlling the flow of traffic. This requirement applies to the flow of information between the ALG when used as a gateway or boundary device which allows traffic flow between interconnected networks of differing security policies. The ALG is installed and configured such that it restricts or blocks information flows based on guidance in the PPSM regarding restrictions for boundary crossing for ports, protocols and services. Information flow restrictions may be implemented based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic. The ALG must be configured with policy filters (e.g., security policy, rules, and/or signatures) that restrict or block information system services; provide a packet-filtering capability based on header information; and/or perform message-filtering based on message content. The policy filters used depends upon the type of application gateway (e.g., web, email, or TLS).

STIG	Date
VMware NSX Distributed Firewall Security Technical Implementation Guide	2016-06-27

Details

Check Text ( C-69579r1_chk )
Verify the rules necessary to enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies are configured, enabled and the respective "Applied to" category is configured if appropriate. Log into vSphere Web Client with credentials authorized for administration, navigate to Networking and Security >> Firewall >> Configuration tab >> General. Expand rule sections as necessary to view rules. If there are no rules configured to enforce authorizations, this is a finding.

Check Text ( C-69579r1_chk )

Verify the rules necessary to enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies are configured, enabled and the respective "Applied to" category is configured if appropriate.

Log into vSphere Web Client with credentials authorized for administration, navigate to Networking and Security >> Firewall >> Configuration tab >> General.

Expand rule sections as necessary to view rules.

If there are no rules configured to enforce authorizations, this is a finding.

Fix Text (F-75327r1_fix)
Log into vSphere Web Client with credentials authorized for administration. Remediate this finding by navigating to the Networking and Security >> Firewall tab on the left side menu >> Configuration tab >> General Configure the rules necessary to enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies Ensure the rules have been enabled, and configure the respective "Applied to" category if appropriate.

Fix Text (F-75327r1_fix)

Log into vSphere Web Client with credentials authorized for administration.

Remediate this finding by navigating to the Networking and Security >> Firewall tab on the left side menu >> Configuration tab >> General

Configure the rules necessary to enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies

Ensure the rules have been enabled, and configure the respective "Applied to" category if appropriate.