Information security and access design details the design decisions covering authentication and access controls for NSX in VMware Cloud Foundation.
NSX Federation is not within the scope of the Identity and Access Management for VMware Cloud Foundation validated solution. SDDC Manager does not manage NSX Global Managers. However, similar design decisions can apply.
Users can authenticate to NSX Manager from several sources. Role-based access control is not available with local user accounts.
- Default local user accounts
- Microsoft Active Directory or OpenLDAP using native LDAP integration
- Microsoft Active Directory or OpenLDAP using Workspace ONE Access
- Third-party identity provider using Workspace ONE Access (for example, Microsoft Active Directory Federation Services)
- Principal identity
In addition to the default roles, custom roles can be created in NSX to fulfill your organization's personas and operational requirements. You can add a new role or clone and customize an existing role. For example, you can implement mapping for Active Directory users to Active Directory security groups and then assign access based on default or custom roles in NSX.
| Role | Description |
|---|---|
| Enterprise Admin | A role with full access permissions for NSX Manager networking, security, inventory, troubleshooting, and system elements using the UI or API. |
| Network Admin | A role with full access permissions for NSX Manager networking, troubleshooting, and system elements using the UI and API, but read-only for security features. |
| Auditor | A role with read-only permissions for NSX Manager networking, security, inventory, troubleshooting, and system elements using the UI and API. |
Active Directory Integration for NSX
| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| IAM-NSX-SEC-001 | Configure Active Directory over LDAP as the authentication source for the NSX Local Managers. | Provides integration with Active Directory for role-based access control. You can introduce authorization policies by assigning roles to Active Directory security groups. | None. |
| IAM-NSX-SEC-002 | Assign the default Enterprise Admin role in NSX Manager to an Active Directory security group. | By assigning the Enterprise Admin role to an Active Directory security group, you can simplify and manage user access to NSX by using the enterprise administrative access controls in Active Directory. | |
| IAM-NSX-SEC-003 | Assign the default Network Admin role in NSX Manager to an Active Directory security group. | By assigning the Network Admin role to an Active Directory security group, you can simplify and manage user access to NSX by using the enterprise administrative access controls in Active Directory. | |
| IAM-NSX-SEC-004 | Assign the default Auditor role in NSX Manager to an Active Directory security group. | By assigning the Auditor role to an Active Directory security group, you can simplify and manage user access to NSX by using the enterprise administrative access controls in Active Directory. | |
Password Policies for NSX
For NSX, you can enforce password policies for access to both the NSX Manager clusters and NSX Edge nodes.
Password Expiration Policy for NSX
You manage the NSX password expiration policy on a per-user basis by using the API for the built-in NSX accounts on both NSX Local Manager clusters and NSX Edge nodes. You can modify the configuration on each NSX Local Manager cluster and each NSX Edge node to refine the settings and adhere to the policies and regulatory standards of your organization. The default configuration is shown in the following table.
| Setting | Default | Description |
|---|---|---|
| | 90 | Maximum number of days between password changes |
Password Complexity Policy for NSX
You manage the password complexity policy by using the /etc/pam.d/common-password file on a per-node basis for the built-in NSX accounts on both NSX Manager clusters and the NSX Edge nodes. You can modify the configuration on each NSX Manager node and each NSX Edge node to refine the settings and adhere to the policies and regulatory standards of your organization. The default configuration is shown in the following table.
| Setting | Default | Description |
|---|---|---|
| | -1 | Maximum number of digits that generate a credit |
| | -1 | Maximum number of uppercase characters that generate a credit |
| | -1 | Maximum number of lowercase characters that generate a credit |
| | -1 | Maximum number of other characters that generate a credit |
| | 15 | Minimum password length (number of characters) |
| | 0 | Minimum number of characters that must be different from the old password |
| | 3 | Maximum number of retries |
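The credit values in the table follow the convention of the Linux PAM password-quality modules used by `/etc/pam.d/common-password`: a value of -1 is not a credit at all but a requirement that the password contain at least one character of that class, while a positive value N lets up to N characters of that class count as extra length toward the minimum. The following added example (not NSX code, written for this page) models that rule so you can test a candidate password against the documented defaults, and parse the option string from a node's `common-password` line to confirm what a node actually enforces. The scoring is a simplified model of the PAM behaviour, the PAM line is a constructed sample, and the difference check for `difok` is an approximation.

```python
"""Credit-based password complexity check modelling the settings listed in the
table above (dcredit, ucredit, lcredit, ocredit, minlen, difok, retry).

Added example, not NSX code. The scoring is a simplified model of the PAM
password-quality modules: it ignores minor adjustments the real modules make,
so treat a pass here as a pre-check, not as proof the appliance will accept
the password."""

from dataclasses import dataclass


@dataclass(frozen=True)
class ComplexityPolicy:
    # Defaults are the NSX values from the table above.
    dcredit: int = -1   # digits
    ucredit: int = -1   # uppercase letters
    lcredit: int = -1   # lowercase letters
    ocredit: int = -1   # other (non-alphanumeric) characters
    minlen: int = 15    # minimum length, counted as length plus credits
    difok: int = 0      # 0 disables the "differs from old password" check
    retry: int = 3      # prompts before the change is abandoned (not evaluated here)


NSX_DEFAULT_POLICY = ComplexityPolicy()


def _class_counts(password):
    digits = sum(c.isdigit() for c in password)
    upper = sum(c.isupper() for c in password)
    lower = sum(c.islower() for c in password)
    other = len(password) - digits - upper - lower
    return {"dcredit": digits, "ucredit": upper, "lcredit": lower, "ocredit": other}


def _credit(setting, count):
    """PAM credit rule: N >= 0 grants up to N credits for the class;
    N < 0 grants no credit but requires at least |N| characters of the class.
    Returns (credits_granted, class_requirement_satisfied)."""
    if setting >= 0:
        return min(count, setting), True
    return 0, count >= -setting


def check_password(password, policy=NSX_DEFAULT_POLICY, old_password=None):
    """Return (ok, reasons); reasons is empty when the password satisfies the policy."""
    reasons = []
    score = len(password)
    for name, count in _class_counts(password).items():
        setting = getattr(policy, name)
        credit, satisfied = _credit(setting, count)
        score += credit
        if not satisfied:
            reasons.append(f"{name}: need at least {-setting} character(s) of this class")
    if score < policy.minlen:
        reasons.append(f"minlen: length plus credits is {score}, need {policy.minlen}")
    # Approximation of difok: count characters of the new password absent from the old one.
    if old_password is not None and policy.difok > 0:
        differing = sum(1 for c in password if c not in old_password)
        if differing < policy.difok:
            reasons.append(f"difok: only {differing} new character(s), need {policy.difok}")
    return not reasons, reasons


def parse_pam_line(line):
    """Parse the key=value options of a common-password line into a ComplexityPolicy.
    Options not in the table are ignored; options not present keep the table defaults."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep and key in ComplexityPolicy.__dataclass_fields__:
            fields[key] = int(value)
    return ComplexityPolicy(**fields)


# Constructed sample line; the module name and option order on a real node may differ.
SAMPLE_PAM_LINE = ("password requisite pam_cracklib.so retry=3 minlen=15 difok=0 "
                   "dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1")

if __name__ == "__main__":
    policy = parse_pam_line(SAMPLE_PAM_LINE)
    for candidate in ("Correct-Horse-Battery-7!", "short1A!", "nodigitsorupper-but-long!"):
        print(candidate, check_password(candidate, policy))
```

With the defaults, a 22-character password that contains no digit and no uppercase letter still fails, because -1 is a minimum requirement rather than a credit; with a positive-credit policy such as `dcredit=2`, two digits add two to the effective length instead. Run the parser over the line captured from each Manager and Edge node to detect drift from the policy you documented in IAM-NSX-SEC-006 and IAM-NSX-SEC-009.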
Account Lockout Policy for NSX
You manage the account lockout policies on a per-cluster basis for NSX Local Manager clusters and on a per-node basis for NSX Edge nodes by using authentication policies. You can configure account lockout policies for the NSX Manager user interface and API as well as the command line interface (CLI) for both NSX Local Manager clusters and NSX Edge nodes. You can modify the configuration on each NSX Local Manager cluster and each NSX Edge node to refine the settings and adhere to the policies and regulatory standards of your organization. The default configuration is shown in the following table.
| Method | Scope | Setting | Default | Description |
|---|---|---|---|---|
| API | NSX Local Manager | | 5 | Maximum number of authentication failures before the account is locked |
| | | | 180 | Amount of time in seconds within which failed login attempts must occur to trigger a lockout |
| | | | 900 | Amount of time in seconds that the account remains locked |
| CLI | | | 5 | Maximum number of authentication failures before the account is locked |
| | | | 900 | Amount of time in seconds that the account remains locked |
For more detailed information, see the Authentication Policy Settings documentation for NSX.
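The two lockout policies in the table differ in one way that matters for both attackers and operators: the API policy only counts failures that fall within the 180-second reset window, while the CLI policy has no window and accumulates failures until the threshold is reached. The following added example (not NSX code, written for this page) replays a constructed sequence of login events through both policies so the difference is visible; the assumption that a successful login clears the failure counter is this example's, not a statement from the page.

```python
"""Replay of constructed login events against the NSX account lockout defaults
listed in the table above.

Added example, not NSX code. Assumptions: a successful login resets the failure
counter, and the reset window is measured from the current failed attempt back
to each earlier one."""

from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class LockoutPolicy:
    max_auth_failures: int       # failures before the account is locked
    lockout_period: int          # seconds the account remains locked
    reset_period: Optional[int]  # window in seconds for counted failures; None = no window


# Defaults from the table: API has a 180 s reset window, CLI has none.
API_DEFAULT = LockoutPolicy(max_auth_failures=5, lockout_period=900, reset_period=180)
CLI_DEFAULT = LockoutPolicy(max_auth_failures=5, lockout_period=900, reset_period=None)


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of counted failures
    locked_until: Optional[float] = None

    def is_locked(self, now):
        return self.locked_until is not None and now < self.locked_until


def process(policy, events):
    """events: iterable of (timestamp_seconds, user, success).
    Returns {user: [(timestamp, outcome), ...]} where outcome is one of
    'ok', 'fail', 'locked' (this attempt triggered the lockout) or
    'rejected-locked' (attempt made while the account was locked)."""
    states = {}
    log = {}
    for ts, user, success in events:
        state = states.setdefault(user, AccountState())
        out = log.setdefault(user, [])
        if state.is_locked(ts):
            out.append((ts, "rejected-locked"))
            continue
        if state.locked_until is not None:      # lockout period has expired
            state.locked_until = None
            state.failures.clear()
        if success:
            state.failures.clear()              # assumption: success resets the counter
            out.append((ts, "ok"))
            continue
        if policy.reset_period is not None:
            # Only failures inside the reset window count toward the threshold.
            state.failures = [t for t in state.failures if ts - t < policy.reset_period]
        state.failures.append(ts)
        if len(state.failures) >= policy.max_auth_failures:
            state.locked_until = ts + policy.lockout_period
            state.failures.clear()
            out.append((ts, "locked"))
        else:
            out.append((ts, "fail"))
    return log


# Constructed sample: a burst of failures, then a slow drip spaced 60 s apart.
BURST = [(t, "admin", False) for t in (0, 10, 20, 30, 40)] + [(100, "admin", True), (1000, "admin", True)]
SLOW_DRIP = [(t, "audit", False) for t in (0, 60, 120, 180, 240)]

if __name__ == "__main__":
    print("API burst:", process(API_DEFAULT, BURST)["admin"])
    print("API slow :", process(API_DEFAULT, SLOW_DRIP)["audit"])
    print("CLI slow :", process(CLI_DEFAULT, SLOW_DRIP)["audit"])
```

The burst locks the `admin` account on the fifth failure at t=40 and rejects the valid login at t=100 until the 900-second period ends, which is the behaviour the policy is meant to produce. The slow drip never locks the API account, because by the fifth attempt only three failures fall within the 180-second window, whereas the same drip does lock the CLI account. When you tune these values under IAM-NSX-SEC-007 and IAM-NSX-SEC-010, a longer reset window or a lower threshold narrows that gap; a longer lockout period raises the denial-of-service cost of mistyped passwords on shared accounts, so monitor lockout events rather than relying on the policy alone.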
Design Decisions on Password Policies for NSX
| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| IAM-NSX-SEC-005 | Configure the password expiration policy for each NSX Local Manager cluster. | | You must manage the password expiration policy on each NSX Local Manager cluster using the CLI or an API. |
| IAM-NSX-SEC-006 | Configure the password complexity policy for each NSX Local Manager cluster node. | You configure the password complexity policy for each NSX Local Manager cluster node to align with the requirements of your organization, which might be based on industry compliance standards. | |
| IAM-NSX-SEC-007 | Configure the account lockout policy on each NSX Local Manager cluster to set the lockout behavior for the API, CLI, and user interface. | You configure the account lockout policy for each NSX Local Manager cluster to align with the requirements of your organization, which might be based on industry compliance standards. | You must manage the account lockout policy on each NSX Local Manager cluster by using the virtual appliance console. |
| IAM-NSX-SEC-008 | Configure the password expiration policy for each NSX Edge node. | | You must manage the password expiration policy on each NSX Edge node by using the virtual appliance console. |
| IAM-NSX-SEC-009 | Configure the password complexity policy for each NSX Edge node. | You configure the password complexity policy for NSX Edge nodes to align with the requirements of your organization, which might be based on industry compliance standards. | |
| IAM-NSX-SEC-010 | Configure the account lockout policy on each NSX Edge node to set the lockout behavior for the CLI. | You configure the account lockout policy for NSX Edge nodes to align with the requirements of your organization, which might be based on industry compliance standards. | You must manage the account lockout policy on each NSX Edge node by using the virtual appliance console. |
NSX Password Management
SDDC Manager provides life cycle management for all local accounts used by each NSX Local Manager cluster and each NSX Edge node in a system. Changing the passwords periodically, or when certain events occur, such as an administrator leaving your organization, increases the security posture and health of the system. SDDC Manager can rotate, update, or remediate the local account passwords for most of the components.
Unlike password rotation, which generates a randomized complex password, with an update you provide the desired password for the selected account. You can initiate a password rotation manually or set up an automated rotation schedule.
| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| IAM-NSX-SEC-011 | | | |
| IAM-NSX-SEC-012 | | | |
| IAM-NSX-SEC-013 | For VMware Cloud Foundation 5.0 and earlier, for each VI workload domain NSX Local Manager cluster, change the audit account password on a recurring or event-initiated schedule by using the API or CLI. | | |
| IAM-NSX-SEC-014 | For each NSX Edge cluster deployed and managed by SDDC Manager, change the root, admin, and audit account passwords for each NSX Edge node on a recurring or event-initiated schedule by using SDDC Manager. | | |