The NSX Distributed Firewall must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

From VMware NSX Distributed Firewall Security Technical Implementation Guide

Part of SRG-NET-000202-ALG-000124

Associated with: CCI-001109

SV-83751r1_rule The NSX Distributed Firewall must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

Vulnerability discussion

A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed. As a managed interface, the ALG must block all inbound and outbound network communications traffic to the application being managed and controlled unless a policy filter is installed to explicitly allow the traffic. The allow policy filters must comply with the site's security policy. A deny all, permit by exception network communications traffic policy ensures that only those connections which are essential and approved, are allowed. This requirement applies to both inbound and outbound network communications traffic. All inbound and outbound traffic for which the ALG is acting as an intermediary or proxy must be denied by default.

Check content

Verify denied by default policy. Log into the vCenter web interface with credentials authorized for administration, navigate to Networking and Security >> Firewall Expand "Default Section Layer 3" in Configuration If the action for the Default Rule is "Allow", this is a finding.

Fix text

Configure the "Default Rule" to deny by default with "Block". Log into the vCenter web interface with credentials authorized for administration, navigate to Networking and Security >> Firewall Expand "Default Section Layer 3" in Configuration Expand the Action for the rule named "Default Rule" Change the action to "Block" Select "OK" Select "Publish Changes"

Pro Tips

Powered by sagemincer