You must follow multiple best practices at all times when you operate your NSX-T Data Center environment.
| Best Practice and Configuration ID | Description |
|---|---|
| Install security patches and updates for NSX-T Data Center. | Install all security patches and updates for NSX-T Data Center as soon as the update bundles are available in SDDC Manager. Do not apply patches to NSX-T Data Center manually in a VMware Cloud Foundation environment unless directed to do so by VMware Global Support. If you patch the environment without using SDDC Manager, you can cause problems with automated upgrades or actions in the future. |
| Use roles and privileges in NSX Manager to limit user privileges. | Users and service accounts must be assigned only the privileges they require. You can create a new role with reduced permissions: click Add role, provide a name and the required permissions, and click Save. You can also reduce the permissions of an existing user or group: click the vertical ellipsis next to the target user or group, select Edit, remove the existing role, select the new role, and click Save. |
| Integrate VMware Identity Manager (vIDM) or VMware Workspace ONE Access with NSX-T Data Center. | Use vIDM or Workspace ONE Access configured to meet your requirements for authentication, authorization, and access control. |
| Validate the integrity of the installation media, patch, or upgrade files in NSX Manager. | To validate the integrity of a patch or upgrade received from a vendor, verify the authenticity of the software before installation. This ensures the software has not been tampered with and is provided by a trusted vendor. Always download VMware software from the VMware secure website over a secure connection. Verify the MD5/SHA1 hash of the downloaded media against the value posted on the VMware secure website. The MD5/SHA1 hashes must match. |
| Configure NTP servers for the NSX Manager nodes and ensure NTP servers are authorized per your organization's policies. | Configure the NSX Manager nodes to synchronize their internal system clocks from redundant authoritative time sources. Ensure that all systems use the same relative time source (including the relevant localization offset), and that the relative time source can be correlated to an agreed-upon time standard (such as Coordinated Universal Time, UTC). This simplifies tracking and correlating an intruder's actions when reviewing the relevant log files. Incorrect time settings make it difficult to inspect and correlate log files to detect attacks, and can make auditing inaccurate. |
| Either use a valid TLS certificate or create a way to specify a self-signed certificate that is used for certificate pinning. | The NSX-T Data Center admin implicitly receives the Workspace ONE Access admin token because the stored client credentials are not scoped to read-only (RO) access on Workspace ONE Access. You must modify Workspace ONE Access to provide fine-grained access controls. |
| Do not install or use software not supported by VMware on your NSX-T Data Center appliances. | To minimize the threat to the infrastructure, do not install or use any software not supported by VMware. Do not add other software components to the NSX-T Data Center appliances, as this is an untested configuration and could interfere with the operation of the security functions they provide. |
| Ensure the SFTP server directory that stores the NSX-T backup is secured with proper directory permissions and that the backup user has a strong password. | Dedicate a user for the backup directory on your SFTP server and remove access to the backup directory for all other users. Configure a single user with read and write permissions for the backup directory on your SFTP server. Set a strong password for the backup user. |
| Ensure that the IPv4 DNS server is authorized and secure. | Mitigate the risk of DNS-based vulnerabilities by ensuring that the IPv4 DNS servers are authorized, hardened, and secure. |
| Isolate virtual network tunnel traffic. | To mitigate the risk of tampering with the virtual network, virtual network tunnel traffic must be separated from other traffic. The physical NIC for the virtual tunnel endpoint (TEP) must be on an isolated network. Physical isolation provides better security than VLAN segment isolation. |
| Restrict access to the NSX Manager nodes in your vSphere environment. | Based on the principle of least privilege, use role-based access control (RBAC) to restrict access to the NSX-T Data Center infrastructure in your environment. Inspect which users have access to the NSX Manager nodes. Only intended administrators must have access to the nodes or be able to perform administrative actions on them. |
| Monitor the use of APIs. | NSX Manager provides management plane protection from denial of service (DoS) attacks by limiting transactions per second and concurrent transactions through the NSX REST API. There is no built-in mechanism to restrict access to the NSX REST API, so API access and usage must be monitored through log aggregation. |
| Monitor for possible port scan attacks on NSX Manager. | NSX Manager opens only the ports required for NSX to function. See the port and protocol requirements in the Installation Guide. Review activity logs for any access attempted on ports that are not open. Apply a firewall policy on the management network that restricts access to only the required ports on the NSX Manager appliance. |
| Use SFTP for backup and restoration. | Do not use unencrypted FTP for backup purposes. Schedule regular backups and use encrypted channels to decrease the risk of data breaches. |
| Harden the SFTP server used for NSX-T Data Center backups. | To minimize the threat of tampering or unauthorized access, use an SFTP server for NSX-T Data Center backups that is hardened, patched, and properly configured. |
| Ensure that the Syslog server is authorized and the configuration is appropriate. | After you enable log aggregation by configuring a syslog server, ensure that the remote syslog server is authorized and secure. Use a SIEM solution or a syslog server solution such as VMware Log Insight, and configure it to securely collect NSX-T Data Center logs. |
| Ensure the communication between NSX-T Data Center and your identity provider is encrypted. | NSX supports both the LDAP and LDAPS protocols and uses the TLS certificate provided by the LDAP server. Use an encrypted channel (LDAPS) between the identity provider and NSX-T Data Center. |
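For the two monitoring rows above (API usage and port scan attempts), the following is an added example that is not part of the VMware documentation. It runs simple detection logic over constructed, simplified log lines in a syslog-like shape (not the real NSX Manager log format): it flags sources whose API request rate exceeds a threshold, and sources that tried ports the appliance does not expose. The allowed-port set {22, 443} and the rate threshold are placeholders; take the real port list from the Installation Guide for your version.

```python
import re
from collections import Counter, defaultdict

# Constructed, simplified log lines (not real NSX Manager output) used as sample input.
BASE_LINES = [
    "2024-05-01T10:00:00Z nsx-mgr-01 api src=10.0.0.5 user=admin method=GET path=/api/v1/cluster/status status=200",
    "2024-05-01T10:00:00Z nsx-mgr-01 api src=10.0.0.5 user=admin method=GET path=/api/v1/transport-nodes status=200",
    "2024-05-01T10:00:03Z nsx-mgr-01 netfilter DROP src=10.0.9.9 dport=23 proto=tcp",
    "2024-05-01T10:00:03Z nsx-mgr-01 netfilter DROP src=10.0.9.9 dport=3389 proto=tcp",
    # Dropped by policy, but 443 is an exposed port, so it is not a "closed port" probe.
    "2024-05-01T10:00:04Z nsx-mgr-01 netfilter DROP src=10.0.0.5 dport=443 proto=tcp",
]
# A constructed burst of 12 API calls from one automation account within a single second.
BURST = [
    f"2024-05-01T10:00:01Z nsx-mgr-01 api src=10.0.0.77 user=svc-auto method=GET path=/api/v1/logical-ports?cursor={i} status=200"
    for i in range(12)
]
SAMPLE_LINES = BASE_LINES + BURST

API_RE = re.compile(r"^(?P<ts>\S+) \S+ api src=(?P<src>\S+) user=\S+ method=\S+ path=\S+ status=\d+$")
DROP_RE = re.compile(r"^(?P<ts>\S+) \S+ netfilter DROP src=(?P<src>\S+) dport=(?P<port>\d+) proto=\S+$")


def api_rate_alerts(lines, max_per_second):
    """Return {src: peak requests per second} for sources exceeding max_per_second."""
    per_second = Counter()
    for line in lines:
        m = API_RE.match(line)
        if m:
            per_second[(m["src"], m["ts"])] += 1  # timestamps have 1 s resolution
    peak = defaultdict(int)
    for (src, _ts), n in per_second.items():
        peak[src] = max(peak[src], n)
    return {src: n for src, n in peak.items() if n > max_per_second}


def closed_port_alerts(lines, allowed_ports):
    """Return {src: sorted ports} for dropped connections to ports NSX Manager does not expose."""
    tried = defaultdict(set)
    for line in lines:
        m = DROP_RE.match(line)
        if m and int(m["port"]) not in allowed_ports:
            tried[m["src"]].add(int(m["port"]))
    return {src: sorted(ports) for src, ports in tried.items()}


if __name__ == "__main__":
    print(api_rate_alerts(SAMPLE_LINES, max_per_second=5))      # {'10.0.0.77': 12}
    print(closed_port_alerts(SAMPLE_LINES, allowed_ports={22, 443}))  # {'10.0.9.9': [23, 3389]}
```

A source that appears in both results within a short window is worth an immediate look; a source that hits several closed ports in one second is the typical port-scan signature the row above asks you to review.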