VMware NSX 4.x Distributed Firewall Security Technical Implementation Guide

Quick Actions

We are continuing to improve Stigviewer and we are planning on rolling out new services in the near future. Would you like to be part of the conversation on what those features should be? If so, click here.

Featured Partners

Web page built by Cyber Protection Services

Check out our new AI-powered GRC tool here .
Compliance Dictionary

Standardizes and unifies compliance terms.

Overview

Version	Date	Finding Count (6)			Downloads
1	2024-12-13	CAT I (High): 1	CAT II (Medium): 4	CAT III (Low): 1	Excel JSON XML

Stig Description

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Classified	Public	Sensitive
I - Mission Critical Classified	I - Mission Critical Public	I - Mission Critical Sensitive	II - Mission Critical Classified	II - Mission Critical Public	II - Mission Critical Sensitive	III - Mission Critical Classified	III - Mission Critical Public	III - Mission Critical Sensitive

Findings - All

Finding ID	Severity	Title	Description
V-265633	High	The NSX Distributed Firewall must configure an IP Discovery profile to disable trust on every use method.
V-265630	Medium	The NSX Distributed Firewall must configure SpoofGuard to restrict it from accepting outbound packets that contain an illegitimate address in the source address.	A compromised host in an enclave can be used by a malicious platform to launch cyberattacks on third parties. This is a common practice in "botnets", which are a collection of compromised computers using malware to attack other computers or networks. Distributed denial-of-service (DDoS) attacks frequently leverage IP source address...
V-265628	Medium	The NSX Distributed Firewall must be configured to inspect traffic at the application layer.	Application inspection enables the firewall to control traffic based on different parameters that exist within the packets such as enforcing application-specific message and field length. Inspection provides improved protection against application-based attacks by restricting the types of commands allowed for the applications. Application inspection all enforces conformance against published RFCs....
V-265619	Medium	The NSX Distributed Firewall must deny network communications traffic by default and allow network communications traffic by exception.	To prevent malicious or accidental leakage of traffic, organizations must implement a deny-by-default security posture at the network perimeter. Such rulesets prevent many malicious exploits or accidental leakage by restricting the traffic to only known sources and only those ports, protocols, or services that are permitted and operationally necessary. As...
V-265618	Medium	The NSX Distributed Firewall must limit the effects of packet flooding types of denial-of-service (DoS) attacks.	A firewall experiencing a DoS attack will not be able to handle production traffic load. The high utilization and CPU caused by a DoS attack will also have an effect on control keep-alives and timers used for neighbor peering resulting in route flapping and will eventually black hole production traffic....
V-265612	Low	The NSX Distributed Firewall must generate traffic log entries that can be sent by the ESXi hosts to the central syslog.	Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit event content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail...

STIG VIEWER