NSX Manager is a restricted system and has features designed to ensure the integrity of the system and to keep the system secure.

Details of the NSX Manager security features:

  • NSX Manager supports session time-out and user logoff. NSX Manager does not support session lock. Initiating a session lock can be a function of the workstation operating system being used to access NSX Manager.

  • In NSX 3.1, NSX Manager has two local accounts: admin and audit. You cannot deactivate the local accounts or create local accounts.

  • Starting in NSX 3.1.1, there are two new guest user accounts. In the Enterprise environment, guestuser1 and guestuser2 user accounts are available. In the NSX Cloud environment, cloud_admin and cloud_audit user accounts are available. For 3.1.1 and later, the local accounts for audit and guest users are inactive by default, but you can activate or deactivate them. You cannot deactivate the admin account or create new local accounts.

  • NSX Manager enforces approved authorizations for controlling the flow of management information within the network device based on information flow control policies.

  • NSX Manager initiates session auditing upon startup.

  • NSX Manager uses its internal system clock to generate time stamps for audit records.

  • The NSX Manager user interface includes a user account, which has access rights to all resources, but does not have rights to the operating system to install software and hardware. NSX upgrade files are the only files allowed for installation. You cannot edit the rights of or delete this user.

  • All passwords in the system (databases, configuration files, log files, and so on.) get encrypted using a strong one-way hashing algorithm with a salt. During authentication, when the user enters the password it gets obfuscated. Starting in NSX 4.0, password complexity is configurable using the UI, API and CLI. Also available in this release is the ability to reset node authentication policy and password complexity configuration back to their default system settings.

  • FIPS compliance

    • NSX Manager uses FIPS 140-2 approved algorithms for authentication to a cryptographic module.

    • NSX Manager generates unique session identifiers using a FIPS 140-2 approved random number generator.

    • NSX Manager uses a FIPS 140-2 approved cryptographic algorithm to protect the confidentiality of remote maintenance and diagnostic sessions.

    • NSX Manager authenticates SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).

  • NSX Manager recognizes only system-generated session identifiers and invalidates session identifiers upon administrator logout or other session termination.

  • An audit log gets generated for events such as logon, logoff, and access to resources. Each audit log contains the timestamp, source, result, and a description of the event. For more information, see Log Messages and Error Codes.