You design authentication, access controls, and certificate management for the NSX-T Data Center instance in a VI workload domain in VMware Cloud Foundation according to industry standards and the requirements of your organization.

Identity Management

Users can authenticate to NSX Manager from several sources:

  • Local user accounts

  • Active Directory by using LDAP

  • Active Directory by using Workspace ONE Access

  • Principal identity

Role-based access control is not available with local user accounts.

For more information about identity and access management, see Identity and Access Management for VMware Cloud Foundation.

Password Management and Account Lockout Behavior for NSX Manager and NSX Edge Nodes

Set passwords for the NSX-T Data Center components according to the requirements of your organization for security and compliance. Changing the passwords for the NSX-T Data Center components periodically or when certain events occur, such as an administrator leaving your organization, reduces the likelihood of security vulnerabilities.

VMware Cloud Foundation applies the default password policy for NSX-T Data Center. For more information about password management and account lockout behavior according to security best practices, see Identity and Access Management for VMware Cloud Foundation.

Password Management and Account Lockout Behavior for NSX Global Manager

The version of SDDC Manager in this design does not support password rotation for the NSX Global Manager appliances. All password change operations must be done manually.

For more information about password management and account lockout behavior according to security best practices, see Identity and Access Management for VMware Cloud Foundation.

Certificate Management

Access to all NSX Manager interfaces must use a Secure Sockets Layer (SSL) connection. By default, NSX Manager uses a self-signed SSL certificate. This certificate is not trusted by end-user devices or Web browsers.

As a best practice, replace self-signed certificates with certificates that are signed by a third-party or enterprise Certificate Authority (CA).

Table 1. Design Decisions on Certificate Management in NSX Manager

Decision ID: VCF-WLD-NSX-SEC-001

Design Decision: Replace the default self-signed certificate of the NSX Manager instance for the VI workload domain with a certificate that is signed by a third-party certificate authority.

Design Justification: Ensures that the communication between NSX-T Data Center administrators and the NSX Manager instance is encrypted by using a trusted certificate.

Design Implication: Replacing the default certificates with trusted CA-signed certificates from a certificate authority might increase the deployment preparation time because you must generate and submit certificate requests.

Decision ID: VCF-WLD-NSX-SEC-002

Design Decision: Use a SHA-2 algorithm or stronger when signing certificates.

Design Justification: The SHA-1 algorithm is considered less secure and has been deprecated.

Design Implication: Not all certificate authorities support SHA-2.

Certificate Management for Multiple VMware Cloud Foundation Instances

The version of SDDC Manager in this design does not support certificate replacement for NSX Global Manager appliances. When the certificate of the NSX Local Manager cluster is replaced, you must update the thumbprint of the new certificate on the connected NSX Global Manager.

Table 2. Design Decisions on Certificate Management in NSX Global Manager

Decision ID: VCF-WLD-NSX-SEC-FED-001

Design Decision: Replace the default self-signed certificate of the NSX Global Manager instance for the VI workload domain with a certificate that is signed by a third-party certificate authority.

Design Justification: Ensures that the communication between NSX-T Data Center administrators and the NSX Global Manager instance is encrypted by using a trusted certificate.

Design Implication: Replacing the default certificates with trusted CA-signed certificates from a certificate authority might increase the deployment preparation time because you must generate and submit certificate requests.

Decision ID: VCF-WLD-NSX-SEC-FED-002

Design Decision: Establish an operations practice to capture and update on the NSX Global Manager the thumbprint of the NSX Local Manager certificate every time the certificate is updated by using SDDC Manager.

Design Justification: Ensures secured connectivity between the NSX Manager instances. Each certificate has its own unique thumbprint, and the NSX Global Manager stores the unique thumbprint of the NSX Local Manager instances for enhanced security. If an authentication failure between the NSX Global Manager and NSX Local Manager occurs, objects that are created from the NSX Global Manager are not propagated to the SDN.

Design Implication: The administrator must establish and follow an operational practice by using a runbook or automated process to ensure that the thumbprint is up to date.
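As an added example, not from the VMware design guide, the two checks an operator could script behind decisions VCF-WLD-NSX-SEC-002 and VCF-WLD-NSX-SEC-FED-002: rejecting a certificate whose signature algorithm is SHA-1 based, and detecting that the NSX Local Manager certificate no longer matches the thumbprint recorded on the NSX Global Manager. It uses only the Python standard library; the minimal DER walker, the OID table, the colon-separated thumbprint format and the constructed sample certificates are assumptions for the demonstration, and in practice the DER bytes would be the certificate fetched from the Local Manager.

```python
import hashlib
# SHA-1 signature algorithm OIDs: any of these fails decision VCF-WLD-NSX-SEC-002 (assumed list).
SHA1_SIGNATURE_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                       "1.2.840.10045.4.1": "ecdsa-with-SHA1"}
def _tlv(buf, pos):  # read one DER tag-length-value at pos -> (tag, content, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):  # DER OID content octets -> dotted notation
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    _, cert, _ = _tlv(der, 0)
    _, _, after_tbs = _tlv(cert, 0)                   # skip tbsCertificate
    _, alg_id, _ = _tlv(cert, after_tbs)              # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _tlv(alg_id, 0)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OBJECT IDENTIFIER"
    return _decode_oid(oid)

def thumbprint_sha256(der):  # SHA-256 over the DER bytes, colon-separated uppercase hex
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())

def check_certificate(der, recorded_thumbprint):
    """Findings against SEC-002 and FED-002; an empty list means both checks pass."""
    findings = []
    algorithm = SHA1_SIGNATURE_OIDS.get(signature_algorithm_oid(der))
    if algorithm:
        findings.append(f"SEC-002: certificate is signed with {algorithm}")
    if thumbprint_sha256(der) != recorded_thumbprint.upper():
        findings.append("FED-002: thumbprint differs from the one recorded on NSX Global Manager")
    return findings

def _der(tag, content):  # short-form lengths only; the constructed samples are < 128 bytes
    return bytes([tag, len(content)]) + content
def sample_certificate(sig_oid_bytes):
    """Constructed stand-in for a DER certificate: empty tbsCertificate, a real
    AlgorithmIdentifier and a dummy signature BIT STRING. Not valid X.509, enough for the checks."""
    alg_id = _der(0x30, _der(0x06, sig_oid_bytes) + _der(0x05, b""))
    return _der(0x30, _der(0x30, b"") + alg_id + _der(0x03, b"\x00" + b"\xAB" * 8))
SHA256_RSA_OID = bytes.fromhex("2A864886F70D01010B")  # 1.2.840.113549.1.1.11
SHA1_RSA_OID = bytes.fromhex("2A864886F70D010105")    # 1.2.840.113549.1.1.5
```

Running `check_certificate(der, recorded)` after each SDDC Manager certificate rotation turns the FED-002 runbook step into a check that fails loudly when the Global Manager still holds the old thumbprint.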