DISA STIGS Viewer

VMware NSX 4.x Tier-1 Gateway Firewall Security Technical Implementation Guide

Overview

Version Date Finding Count (5) Downloads
1 2024-12-20 CAT I (High): 1 CAT II (Medium): 4 CAT III (Low): 0 Excel JSON XML
Stig Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Classified Public Sensitive  
I - Mission Critical Classified I - Mission Critical Public I - Mission Critical Sensitive II - Mission Critical Classified II - Mission Critical Public II - Mission Critical Sensitive III - Mission Critical Classified III - Mission Critical Public III - Mission Critical Sensitive

Findings - All

Finding ID Severity Title Description
V-265493 High The NSX Tier-1 Gateway firewall must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks. A firewall experiencing a DoS attack will not be able to handle production traffic load. The high usage and CPU caused by a DoS attack will also have an effect on control keep-alives and timers used for neighbor peering resulting in route flapping and will eventually black hole production traffic....
V-265500 Medium The NSX Tier-1 Gateway firewall must be configured to inspect traffic at the application layer. Application inspection enables the firewall to control traffic based on different parameters that exist within the packets such as enforcing application-specific message and field length. Inspection provides improved protection against application-based attacks by restricting the types of commands allowed for the applications. Application inspection all enforces conformance against published RFCs....
V-265496 Medium The NSX Tier-1 Gateway firewall must be configured to send traffic log entries to a central audit server. Without the ability to centrally manage the content captured in the traffic log entries, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an ongoing attack. The DOD requires centralized management of all network component audit record content. Network...
V-265494 Medium The NSX Tier-1 Gateway firewall must deny network communications traffic by default and allow network communications traffic by exception. To prevent malicious or accidental leakage of traffic, organizations must implement a deny-by-default security posture at the network perimeter. Such rulesets prevent many malicious exploits or accidental leakage by restricting the traffic to only known sources and only those ports, protocols, or services that are permitted and operationally necessary. As...
V-265488 Medium The NSX Tier-1 Gateway firewall must generate traffic log entries. Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit event content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail...