VMware NSX-T Distributed Firewall Security Technical Implementation Guide
Overview
| Version | Date | Finding Count (7) | Downloads | ||
| V1R3 | 2023-06-23 | CAT I (High): 0 | CAT II (Medium): 6 | CAT III (Low): 1 | |
| STIG Description |
| This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. |
Findings - All
| Finding ID | Severity | Title | Description |
|---|---|---|---|
| V-251727 | The NSX-T Distributed Firewall must generate traffic log entries containing information to establish the details of the event. | Without sufficient information to analyze the event, it would be difficult to establish, correlate, and investigate the events leading up to an outage... | |
| V-251728 | The NSX-T Distributed Firewall must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints. | DoS attacks can take multiple forms but have the common objective of overloading or blocking a network or host to deny or seriously degrade performanc... | |
| V-251730 | The NSX-T Distributed Firewall must be configured to send traffic log entries to a central audit server for management and configuration of the traffic log entries. | Without the ability to centrally manage the content captured in the traffic log entries, identification, troubleshooting, and correlation of suspiciou... | |
| V-251731 | The NSX-T Distributed Firewall must employ filters that prevent or limit the effects of all types of commonly known denial-of-service (DoS) attacks, including flooding, packet sweeps, and unauthorized port scanning. | Not configuring a key boundary security protection device, such as the firewall, against commonly known attacks is an immediate threat to the protecte... | |
| V-251732 | The NSX-T Distributed Firewall must configure SpoofGuard to block outbound IP packets that contain illegitimate packet attributes. | SpoofGuard helps prevent a form of malicious attack called "web spoofing" or "phishing." A SpoofGuard policy blocks traffic determined to be spoofed. ... | |
| V-251733 | The NSX-T Distributed Firewall must verify time-based firewall rules. | With time windows, security administrators can restrict traffic from a source or to a destination, for a specific time period. Time windows apply to ... | |
| V-251729 | The NSX-T Distributed Firewall must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | To prevent malicious or accidental leakage of traffic, organizations must implement a deny-by-default security posture at the network perimeter. Such ... |