UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The NSX Distributed Firewall must not have unnecessary services and functions enabled.


Overview

Finding ID Version Rule ID IA Controls Severity
V-69143 VNSX-FW-000034 SV-83747r1_rule Medium
Description
Information systems are capable of providing a wide variety of functions (capabilities or processes) and services. Some of these functions and services are installed and enabled by default. The organization must determine which functions and services are required to perform the content filtering and other necessary core functionality for each component of the ALG. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. The primary function of an ALG is to provide application specific content filtering and/or proxy services. The ALG application suite may integrate related content filtering and analysis services and tools (e.g., IPS, proxy, malware inspection, black/white lists). Some gateways may also include email scanning, decryption, caching, and DLP services. However, services and capabilities which are unrelated to this primary functionality must not be installed (e.g., DNS, email client or server, FTP server, or web server). Next Generation ALGs (NGFW) and Unified Threat Management (UTM) ALGs integrate functions which have been traditionally separated. These products integrate content filtering features to provide more granular policy filtering. There may be operational drawbacks to combining these services into one device. Another issue is that NGFW and UTM products vary greatly with no current definitive industry standard.
STIG Date
VMware NSX Distributed Firewall Security Technical Implementation Guide 2016-06-27

Details

Check Text ( C-69581r1_chk )
Verify no unwanted services are enabled.

Log into vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> Firewall tab on the left side menu >> Configuration >> Partner Security Services.

Verify that any unwanted services are disabled.

If there are services that should not be enabled, this is a finding.
Fix Text (F-75329r1_fix)
Configure Partner Security Services to the disabled state.

Log into vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> Firewall tab on the left side
menu >> Configuration >> Partner Security Services >> Select the partner security service.

Hover over the "No." column
Click the pencil icon
Disable it