Information security and access design details the design decisions covering authentication and access controls for NSX in VMware Cloud Foundation.

Note:

NSX Federation is not within the scope of the Identity and Access Management for VMware Cloud Foundation validated solution. SDDC Manager does not manage NSX Global Managers. However, similar design decisions can apply.

Users can authenticate to NSX Manager from the following sources. Role-based access control is not available with local user accounts.

  • Default local user accounts

  • Microsoft Active Directory or OpenLDAP using native LDAP integration

  • Microsoft Active Directory or OpenLDAP using Workspace ONE Access

  • Third-party Identity Provider using Workspace ONE Access (for example, Microsoft Active Directory Federation Services)

  • Principal identity

In addition to the default roles, custom roles can be created in NSX to fulfill your organization's personas and operational requirements. You can add a new role or clone and customize an existing role. For example, you can implement mapping for Active Directory users to Active Directory security groups and then assign access based on default or custom roles in NSX.

In this solution, the following NSX Manager built-in roles are used based on the target personas.
Table 1. Default NSX Manager Roles

Role              Description
Enterprise Admin  A role with full access permissions for NSX Manager networking, security, inventory, troubleshooting, and system elements using the UI or API.
Network Admin     A role with full access permissions for NSX Manager networking, troubleshooting, and system elements using the UI and API, but read-only for security features.
Auditor           A role with read-only permissions for NSX Manager networking, security, inventory, troubleshooting, and system elements using the UI and API.

Active Directory Integration for NSX

This solution provides design and implementation guidance on configuring NSX with Microsoft Active Directory using the native LDAP integration as the authentication source.
Table 2. Design Decisions on Identity Management in NSX

IAM-NSX-SEC-001
  Design Decision: Configure Active Directory over LDAP as the authentication source for the NSX Local Managers.
  Design Justification: Provides integration with Active Directory for role-based access control. You can introduce authorization policies by assigning roles to Active Directory security groups.
  Design Implication: None.

IAM-NSX-SEC-002
  Design Decision: Assign the default Enterprise Admin role in NSX Manager to an Active Directory security group.
  Design Justification: By assigning the Enterprise Admin role to an Active Directory security group, you can simplify and manage user access to NSX by using the enterprise administrative access controls in Active Directory.
  Design Implication:
    • An Active Directory security group must be created before assigning a role.
    • You must maintain the life cycle and availability of the security group in Active Directory.

IAM-NSX-SEC-003
  Design Decision: Assign the default Network Admin role in NSX Manager to an Active Directory security group.
  Design Justification: By assigning the Network Admin role to an Active Directory security group, you can simplify and manage user access to NSX by using the enterprise administrative access controls in Active Directory.
  Design Implication:
    • An Active Directory security group must be created before assigning a role.
    • You must maintain the life cycle and availability of the security group in Active Directory.

IAM-NSX-SEC-004
  Design Decision: Assign the default Auditor role in NSX Manager to an Active Directory security group.
  Design Justification: By assigning the Auditor role to an Active Directory security group, you can simplify and manage user access to NSX by using the enterprise administrative access controls in Active Directory.
  Design Implication:
    • An Active Directory security group must be created before assigning a role.
    • You must maintain the life cycle and availability of the security group in Active Directory.

Password Policies for NSX

For NSX, you can enforce password policies for access to both the NSX Manager clusters and NSX Edge nodes.

Password Expiration Policy for NSX

You manage the NSX password expiration policy on a per-user basis by using the API for the built-in NSX accounts on both NSX Local Manager clusters and NSX Edge nodes. You can modify the configuration on each NSX Local Manager cluster and each NSX Edge node to refine the settings and adhere to the policies and regulatory standards of your organization. The default configuration is shown in the following table.

Table 3. Default Password Expiration Policy for NSX Local Manager Clusters and NSX Edge Nodes

Setting   Default   Description
maxdays   90        Maximum number of days between password changes

Password Complexity Policy for NSX

You manage the password complexity policy by using the /etc/pam.d/common-password file on a per-node basis for the built-in NSX accounts on both NSX Manager clusters and the NSX Edge nodes. You can modify the configuration on each NSX Manager node and each NSX Edge node to refine the settings and adhere to the policies and regulatory standards of your organization. The default configuration is shown in the following table.

Table 4. Default Password Complexity Policy for NSX Local Manager Clusters and NSX Edge Nodes

Setting   Default   Description
dcredit   -1        Maximum number of digits that generate a credit
ucredit   -1        Maximum number of uppercase characters that generate a credit
lcredit   -1        Maximum number of lowercase characters that generate a credit
ocredit   -1        Maximum number of other characters that generate a credit
minlen    15        Minimum password length (number of characters)
difok     0         Minimum number of characters that must be different from the old password
retry     3         Maximum number of retries
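To make the credit settings in Table 4 concrete, here is an added example (not code from the VMware documentation) that evaluates a candidate password against pam_cracklib-style settings. The credit semantics are assumed from pam_cracklib(8): a negative value is the minimum number of characters of that class that are required, and a positive value lets up to that many characters of the class each lower the effective minimum length by one; the helper also flags the page's implication that minlen above 20 blocks automatic rotation in SDDC Manager.

```python
# Added example, not from the VMware documentation: evaluates a candidate
# password against pam_cracklib-style settings such as those in Table 4.
# Assumed semantics from pam_cracklib(8): a negative credit is the minimum
# count of that class required; a positive credit lets up to that many
# characters of the class each lower the effective minimum length by one.
from dataclasses import dataclass
from string import ascii_lowercase, ascii_uppercase, digits

@dataclass(frozen=True)
class ComplexityPolicy:
    minlen: int = 15   # Table 4 defaults
    dcredit: int = -1
    ucredit: int = -1
    lcredit: int = -1
    ocredit: int = -1
    difok: int = 0

    def blocks_sddc_rotation(self) -> bool:
        # Design implication stated on the page: SDDC Manager cannot rotate
        # passwords automatically when minlen is greater than 20.
        return self.minlen > 20

def _class_counts(password: str) -> dict:
    classes = {"digit": digits, "upper": ascii_uppercase, "lower": ascii_lowercase}
    counts = {cls: sum(ch in chars for ch in password) for cls, chars in classes.items()}
    counts["other"] = len(password) - sum(counts.values())
    return counts

def check_password(password: str, policy: ComplexityPolicy, old: str = "") -> list:
    """Return the violated rules; an empty list means the password passes."""
    counts = _class_counts(password)
    credits = {"digit": policy.dcredit, "upper": policy.ucredit,
               "lower": policy.lcredit, "other": policy.ocredit}
    problems, effective_min = [], policy.minlen
    for cls, credit in credits.items():
        if credit < 0 and counts[cls] < -credit:
            problems.append(f"needs at least {-credit} {cls} character(s)")
        elif credit > 0:
            effective_min -= min(counts[cls], credit)
    if len(password) < effective_min:
        problems.append(f"length {len(password)} is below the effective minimum {effective_min}")
    # difok: count characters of the new password that are absent from the old one
    if old and policy.difok > 0 and sum(c not in old for c in password) < policy.difok:
        problems.append(f"fewer than {policy.difok} characters differ from the old password")
    return problems
```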

Account Lockout Policy for NSX

You manage the account lockout policies on a per-cluster basis for NSX Local Manager clusters and on a per-node basis for NSX Edge nodes by using authentication policies. You can configure account lockout policies for the NSX Manager user interface and API as well as the command line interface (CLI) for both NSX Local Manager clusters and NSX Edge nodes. You can modify the configuration on each NSX Local Manager cluster and each NSX Edge node to refine the settings and adhere to the policies and regulatory standards of your organization. The default configuration is shown in the following table.

Table 5. Default Account Lockout Policy for NSX

Method   Scope                         Setting                Default   Description
API      NSX Local Manager             max-auth-failures      5         Maximum number of authentication failures before the account is locked
                                       lockout-reset-period   180       Amount of time in seconds within which failed login attempts must occur to trigger a lockout
                                       lockout-period         900       Amount of time in seconds that the account remains locked
CLI      NSX Local Manager, NSX Edge   max-auth-failures      5         Maximum number of authentication failures before the account is locked
                                       lockout-period         900       Amount of time in seconds that the account remains locked

For more detailed information, see the Authentication Policy Settings documentation for NSX.
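The following added example (not code from the VMware documentation, and not NSX Manager's internal implementation) models the three API lockout settings from Table 5 so you can see how a sequence of login attempts is judged; the interaction of the reset window and the lockout period is assumed from the setting descriptions in the table.

```python
# Added example, not from the VMware documentation: models the API lockout
# settings in Table 5 (max-auth-failures, lockout-reset-period, lockout-period)
# over a constructed sequence of login attempts. The semantics are assumed
# from the setting descriptions in the table, not from NSX source code.
from dataclasses import dataclass, field

@dataclass
class LockoutPolicy:
    max_auth_failures: int = 5        # Table 5 defaults for the API
    lockout_reset_period: int = 180   # seconds
    lockout_period: int = 900         # seconds

@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0

    def is_locked(self, now: float) -> bool:
        return now < self.locked_until

def record_attempt(state: AccountState, policy: LockoutPolicy, now: float, success: bool) -> str:
    """Apply one attempt at time `now` (seconds) and return the outcome."""
    if state.is_locked(now):
        return "locked"            # rejected while the lockout period runs
    if success:
        state.failures.clear()     # a successful login resets the counter
        return "ok"
    # keep only failures inside the reset window, then add this one
    state.failures = [t for t in state.failures if now - t < policy.lockout_reset_period]
    state.failures.append(now)
    if len(state.failures) >= policy.max_auth_failures:
        state.locked_until = now + policy.lockout_period
        state.failures.clear()
        return "locked"
    return "failed"

def replay(attempts, policy: LockoutPolicy = LockoutPolicy()) -> list:
    """Run a list of (time, success) attempts against a fresh account and return outcomes."""
    state = AccountState()
    return [record_attempt(state, policy, t, ok) for t, ok in attempts]

# Constructed sample: five failures inside 180 s trigger a 900 s lockout, so the
# correct password at t=300 is still rejected, while at t=1000 it succeeds.
SAMPLE = [(0, False), (10, False), (20, False), (30, False), (40, False),
          (300, True), (1000, True)]
```

Failures spaced more than lockout-reset-period apart never accumulate to a lockout, which is why the reset window matters as much as the failure count when you tune the policy.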

Design Decisions on Password Policies for NSX

Table 6. Design Decisions on Password Policies for NSX

IAM-NSX-SEC-005
  Design Decision: Configure the password expiration policy for each NSX Local Manager cluster.
  Design Justification:
    • You configure the password expiration policy for the NSX Local Manager cluster to align with the requirements of your organization, which might be based on industry compliance standards.
    • The password expiration policy is applicable to the following default active accounts for the NSX Local Manager cluster nodes:
      • root account
      • admin account
      • audit account
  Design Implication: You must manage the password expiration policy on each NSX Local Manager cluster using the CLI or an API.

IAM-NSX-SEC-006
  Design Decision: Configure the password complexity policy for each NSX Local Manager cluster node.
  Design Justification: You configure the password complexity policy for each NSX Local Manager cluster node to align with the requirements of your organization, which might be based on industry compliance standards.
  Design Implication:
    • You must manage the password complexity policy on each NSX Local Manager cluster node using the virtual appliance console.
    • If the password complexity policy sets the minimum password length to a value greater than 20, automatic password rotation in SDDC Manager cannot be performed. Passwords must be updated or remediated.

IAM-NSX-SEC-007
  Design Decision: Configure the account lockout policy on each NSX Local Manager cluster to set the lockout behavior for the API, CLI, and user interface.
  Design Justification: You configure the account lockout policy for each NSX Local Manager cluster to align with the requirements of your organization, which might be based on industry compliance standards.
  Design Implication: You must manage the account lockout policy on each NSX Local Manager cluster by using the virtual appliance console.

IAM-NSX-SEC-008
  Design Decision: Configure the password expiration policy for each NSX Edge node.
  Design Justification:
    • You configure the password expiration policy for NSX Edge nodes to align with the requirements of your organization, which might be based on industry compliance standards.
    • The password expiration policy is applicable to the following default active accounts for the NSX Edge nodes:
      • root account
      • admin account
      • audit account
  Design Implication: You must manage the password expiration policy on each NSX Edge node by using the virtual appliance console.

IAM-NSX-SEC-009
  Design Decision: Configure the password complexity policy for each NSX Edge node.
  Design Justification: You configure the password complexity policy for NSX Edge nodes to align with the requirements of your organization, which might be based on industry compliance standards.
  Design Implication:
    • You must manage the password complexity policy on each NSX Edge node by using the virtual appliance console.
    • If the password complexity policy sets the minimum password length to a value greater than 20, automatic password rotation in SDDC Manager cannot be performed. Passwords must be updated or remediated.

IAM-NSX-SEC-010
  Design Decision: Configure the account lockout policy on each NSX Edge node to set the lockout behavior for the CLI.
  Design Justification: You configure the account lockout policy for NSX Edge nodes to align with the requirements of your organization, which might be based on industry compliance standards.
  Design Implication: You must manage the account lockout policy on each NSX Edge node by using the virtual appliance console.

NSX Password Management

SDDC Manager provides the ability to perform life cycle management for all local accounts used by each NSX Local Manager cluster and each NSX Edge node in a system. Changing the passwords periodically or when certain events occur, such as an administrator leaving your organization, increases the security posture and health of the system. SDDC Manager provides the ability to rotate, update, or remediate the local accounts passwords for most of the components.

Unlike password rotation, which generates a randomized complex password, a password update lets you provide the desired password for the selected account. You can initiate a password rotation manually or set up an automated rotation schedule.

For more information, see the Password Management documentation for VMware Cloud Foundation.
Table 7. Design Decisions on Password Management for NSX

IAM-NSX-SEC-011
  Design Decision:
    • For VMware Cloud Foundation 5.1 and later, for each NSX Local Manager cluster, change the root, admin, and audit account passwords on a recurring or event-initiated schedule by using SDDC Manager.
    • For VMware Cloud Foundation 5.0 and earlier, for the management domain NSX Local Manager cluster, change the root, admin, and audit account passwords on a recurring or event-initiated schedule by using SDDC Manager.
  Design Justification:
    • The passwords for the accounts for the management domain NSX Local Manager cluster expire based on the password expiration settings for each account.
    • SDDC Manager manages the management domain NSX Local Manager cluster in the system. The account passwords must be known and managed by SDDC Manager.
  Design Implication:
    • For VMware Cloud Foundation 5.1 and later, SDDC Manager supports the rotation of the audit account for each NSX Local Manager cluster, regardless of the domain type.
    • You must manage the password change or an automated password rotation schedule for the root, admin, and audit accounts by using SDDC Manager.

IAM-NSX-SEC-012
  Design Decision: For VMware Cloud Foundation 5.0 and earlier, for each VI workload domain NSX Local Manager cluster, change the root and the admin account passwords on a recurring or event-initiated schedule by using SDDC Manager.
  Design Justification:
    • The passwords for the accounts for each VI workload domain NSX Local Manager cluster expire based on the password expiration settings for each account.
    • SDDC Manager manages each VI workload domain NSX Local Manager cluster in the system. The account passwords must be known and managed by SDDC Manager.
  Design Implication:
    • You must manage the password change or an automated password rotation schedule for the accounts by using SDDC Manager.
    • If the authentication policy sets the minimum password length to a value greater than 20, automatic password rotation in SDDC Manager cannot be performed. Passwords must be updated or remediated.

IAM-NSX-SEC-013
  Design Decision: For VMware Cloud Foundation 5.0 and earlier, for each VI workload domain NSX Local Manager cluster, change the audit account password on a recurring or event-initiated schedule by using the API or CLI.
  Design Justification:
    • The password for the account for each VI workload domain NSX Local Manager cluster expires based on the password expiration settings for the account.
    • SDDC Manager does not manage the workload domain NSX Local Manager cluster audit account password.
  Design Implication:
    • You must manage the password change for the account by using the API or CLI.
    • You must monitor the password expiration of the account.

IAM-NSX-SEC-014
  Design Decision: For each NSX Edge cluster deployed and managed by SDDC Manager, change the root, admin, and audit account passwords for each NSX Edge node on a recurring or event-initiated schedule by using SDDC Manager.
  Design Justification:
    • The passwords for the accounts for each NSX Edge node in an NSX Edge cluster managed by SDDC Manager expire based on the password expiration settings for each account.
    • For each NSX Edge node in an NSX Edge cluster managed by SDDC Manager, the account passwords must be known and managed by SDDC Manager.
  Design Implication:
    • You must manage the password change for the accounts by using SDDC Manager.
    • If the authentication policy sets the minimum password length to a value greater than 20, automatic password rotation in SDDC Manager cannot be performed. Passwords must be updated or remediated.