The NSX Tier-1 Gateway firewall must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-265493 | NT1F-4X-000015 | SV-265493r994848_rule | High |
| Description |
| A firewall experiencing a DoS attack will not be able to handle production traffic load. The high usage and CPU caused by a DoS attack will also have an effect on control keep-alives and timers used for neighbor peering resulting in route flapping and will eventually black hole production traffic. The device must be configured to contain and limit a DoS attack's effect on the device's resource usage. The use of redundant components and load balancing are examples of mitigating "flood-type" DoS attacks through increased capacity. Satisfies: SRG-NET-000193-FW-000030, SRG-NET-000192-FW-000029, SRG-NET-000362-FW-000028 |
| STIG | Date |
| VMware NSX 4.x Tier-1 Gateway Firewall Security Technical Implementation Guide | 2024-12-20 |
Details
| Check Text (C-69410r994846_chk) |
| From the NSX Manager web interface, go to Security >> Settings >> General Settings >> Firewall >> Flood Protection to view Flood Protection profiles. If there are no Flood Protection profiles of type "Gateway", this is a finding. For each gateway flood protection profile, if TCP Half Open Connection limit, UDP Active Flow Limit, ICMP Active Flow Limit, and Other Active Connection Limit are set to "None", this is a finding. For each gateway flood protection profile, examine the "Applied To" field to view the Tier-1 Gateways to which it is applied. If a gateway flood protection profile is not applied to all Tier-1 Gateways through one or more policies, this is a finding. |
| Fix Text (F-69318r994847_fix) |
| To create a new Flood Protection profile, do the following: From the NSX Manager web interface, go to Security >> Settings >> General Settings >> Firewall >> Flood Protection >> Add Profile >> Add Firewall Profile. Enter a name and specify appropriate values for the following: TCP Half Open Connection limit, UDP Active Flow Limit, ICMP Active Flow Limit, and Other Active Connection Limit. Configure the "Applied To" field to contain Tier-1 Gateways and then click "Save". |