NSX Manager is a restricted system and has features designed to ensure the integrity of the system and to keep the system secure.

Details of the NSX Manager security features:
  • NSX Manager supports session time-out and user logoff. NSX Manager does not support session lock. Initiating a session lock can be a function of the workstation operating system being used to access NSX Manager.
  • In NSX-T Data Center 3.1, NSX Manager has three local accounts: root, admin, and audit. The local accounts cannot be disabled. No additional local accounts can be created. Starting in NSX-T Data Center 3.1.1, there are two additional guest user accounts. For Enterprise, guestuser1 and guestuser2 are available. For cloud environments with NSX, the cloud_admin and cloud_audit users are available. The local accounts for the audit and guest users are disabled by default and can be deactivated once active; the admin and root accounts cannot be disabled. No additional local accounts can be created.
  • NSX Manager enforces approved authorizations for controlling the flow of management information within the network device based on information flow control policies.
  • NSX Manager initiates session auditing upon startup.
  • NSX Manager uses its internal system clock to generate time stamps for audit records.
  • The NSX Manager user interface includes a user account, which has access rights to all resources, but does not have rights to the operating system to install software and hardware. NSX-T Data Center upgrade files are the only files allowed for installation. You cannot edit the rights of or delete this user.
  • All passwords in the system (databases, configuration files, log files, etc.) are encrypted using a strong one-way hashing algorithm with a salt. During authentication, the password entered by the user is always obfuscated.
  • FIPS compliance.
    • NSX Manager uses FIPS 140-2 approved algorithms for authentication to a cryptographic module.
    • NSX Manager generates unique session identifiers using a FIPS 140-2 approved random number generator.
    • NSX Manager uses a FIPS 140-2 approved cryptographic algorithm to protect the confidentiality of remote maintenance and diagnostic sessions.
    • NSX Manager authenticates SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).
  • NSX Manager recognizes only system-generated session identifiers and invalidates session identifiers upon administrator logout or other session termination.
  • An audit log is generated for events such as logon, logoff, and access to resources. Each audit log contains the timestamp, source, result, and a description of the event. For more information, see Log Messages and Error Codes.