You must follow these best practices at all times when you operate your NSX-T Edge node environment.
| Best Practice and Configuration ID | Description |
|---|---|
| Configure the NSX-T Tier-0 gateway to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS). | Accepting route advertisements for prefixes that belong to the local AS can result in traffic looping or being black-holed, or at a minimum, taking a non-optimal path. For every NSX-T Tier-0 gateway, view the route filters for every eBGP neighbor and ensure that the in-filter is configured with a prefix list that rejects prefixes belonging to the local AS. |
| Deactivate Protocol Independent Multicast (PIM). | Configure the NSX-T Tier-0 gateway that routes multicast to deactivate PIM on all interfaces that are not required for multicast routing. If multicast traffic is forwarded beyond the intended boundary, it can be intercepted by unauthorized or unintended personnel. Limiting where within the network the data for a given multicast group is permitted to flow is an important first step in improving multicast security. |
| Deactivate inactive interfaces on an NSX-T Tier-0 gateway. | Configure the NSX-T Tier-0 gateway so that all inactive interfaces are deactivated. An inactive interface is rarely monitored or controlled and might expose the network to an undetected attack on that interface. If an interface is no longer used, delete its configuration and deactivate the interface. For sub-interfaces, delete sub-interfaces that are on inactive interfaces and delete sub-interfaces that are themselves inactive. |
| Enforce a Quality-of-Service (QoS) policy. | To limit the effects of packet-flooding denial-of-service attacks, configure the NSX-T Tier-0 and Tier-1 gateways to enforce a Quality-of-Service policy. Ensure that mechanisms for traffic prioritization and bandwidth reservation exist. |
| Disconnect inactive linked segments from NSX-T Tier-1 gateways. | For each segment attached to an NSX-T Tier-1 gateway that is not in use, edit the segment and set its connectivity to None. |
| Ensure sufficient password strength and complexity for NSX-T Edge administrators. | Ensure that your organization's password policies are enforced for local NSX-T Edge users with administrative rights. |
| Configure the NSX-T Tier-0 gateway that runs BGP to use a unique key for each autonomous system (AS) that it peers with. | If the same key is used with several eBGP neighbors, the risk of compromising any of the BGP sessions increases. A malicious user in one autonomous system might learn the key used for the eBGP session and could then hijack BGP sessions with other trusted neighbors. For every NSX-T Tier-0 gateway, view the timers and password for every external BGP (eBGP) neighbor and configure the password with a key that is unique to that AS. |
| Restrict access to the NSX-T Edge nodes in your vSphere environment. | Based on the principle of least privilege, use role-based access control (RBAC) to restrict access to the NSX-T Edge nodes in your vSphere environment. Inspect the users who have access to the NSX-T Edge nodes. Only the intended administrators must have access to the nodes or be able to perform administrative actions on them. |
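The two BGP checks in the table (an in-filter that rejects local-AS prefixes, and a unique key per peer AS) can be audited programmatically once the neighbor configuration has been exported. The script below is an added example, not VMware code and not the NSX-T API: the local prefixes, neighbor records and in-filter format are constructed sample data, and prefix-list matching is simplified to "entry covers the route" (exact-match and ge/le semantics are not modelled).

```python
import ipaddress

# Constructed sample data (assumption, not taken from any real NSX-T deployment):
# the prefixes the local AS originates and the eBGP neighbors of one Tier-0 gateway.
LOCAL_PREFIXES = ["10.10.0.0/16", "192.0.2.0/24"]
# An in-filter that denies the local prefixes before permitting everything else.
STRICT_FILTER = [{"network": p, "action": "DENY"} for p in LOCAL_PREFIXES] + [
    {"network": "ANY", "action": "PERMIT"}]
NEIGHBORS = [
    {"name": "isp-a", "remote_as": 64500, "password": "key-isp-a", "in_filter": STRICT_FILTER},
    # Permit-any filter: would accept our own prefixes back from the peer.
    {"name": "isp-b", "remote_as": 64501, "password": "shared-key",
     "in_filter": [{"network": "ANY", "action": "PERMIT"}]},
    # Second session to the same AS; reusing that AS's key is acceptable.
    {"name": "isp-b-backup", "remote_as": 64501, "password": "shared-key", "in_filter": STRICT_FILTER},
    # Denies 10.0.0.0/8 (covers 10.10.0.0/16) but not 192.0.2.0/24, and reuses AS 64501's key.
    {"name": "ix-peer", "remote_as": 64502, "password": "shared-key",
     "in_filter": [{"network": "10.0.0.0/8", "action": "DENY"}, {"network": "ANY", "action": "PERMIT"}]},
]

def first_match(prefix_list, network):
    """Action of the first entry that covers `network` (first match wins), or None.

    Simplified: an entry matches any route it covers, like a prefix-list entry with 'le 32'."""
    net = ipaddress.ip_network(network, strict=False)
    for entry in prefix_list:
        if entry["network"] == "ANY":
            return entry["action"]
        if ipaddress.ip_network(entry["network"], strict=False).supernet_of(net):
            return entry["action"]
    return None

def local_as_leaks(neighbors, local_prefixes):
    """(neighbor, prefix) pairs where the in-filter does not reject a local-AS prefix."""
    return [(n["name"], p) for n in neighbors for p in local_prefixes
            if first_match(n["in_filter"], p) != "DENY"]

def shared_keys(neighbors):
    """Keys used towards more than one remote AS, mapped to the sorted list of those ASes."""
    ases_by_key = {}
    for n in neighbors:
        ases_by_key.setdefault(n["password"], set()).add(n["remote_as"])
    return {k: sorted(v) for k, v in ases_by_key.items() if len(v) > 1}

if __name__ == "__main__":
    for name, prefix in local_as_leaks(NEIGHBORS, LOCAL_PREFIXES):
        print(f"{name}: in-filter accepts local prefix {prefix}")
    for key, ases in shared_keys(NEIGHBORS).items():
        print(f"key {key!r} reused across ASes {ases}")
```

A neighbor whose filter has no matching entry at all is reported too, because the check requires an explicit DENY rather than the absence of a PERMIT.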