| Vuln ID | | Rule Title | Discussion |
| --- | --- | --- | --- |
| V-265390 | | The NSX Tier-0 Gateway router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing. | If multicast traffic is forwarded beyond the intended boundary, it could be intercepted by unauthorized or unintended personnel. Limiting where within... |
| V-265393 | | The NSX Tier-0 Gateway router must be configured to have all inactive interfaces removed. | An inactive interface is rarely monitored or controlled and may expose a network to an undetected attack on that interface. Unauthorized personnel wit... |
| V-265406 | | The NSX Tier-0 Gateway router must be configured to use encryption for Open Shortest Path First (OSPF) routing protocol authentication. | A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destinatio... |
| V-265428 | | The NSX Tier-0 Gateway router must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field by enabling Unicast Reverse Path Forwarding (uRPF). | A malicious platform can use a compromised host in an enclave to launch cyberattacks on third parties. This is a common practice in "botnets", which a... |
| V-265431 | | The NSX Tier-0 Gateway router must be configured to implement message authentication for all control plane protocols. | A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or a rogue destination. Th... |
| V-265485 | | The NSX Tier-0 Gateway router must be configured to use encryption for border gateway protocol (BGP) routing protocol authentication. | A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destinatio... |
| V-265432 | | The NSX Tier-0 Gateway must be configured to use a unique password for each autonomous system (AS) with which it peers. | If the same keys are used between External Border Gateway Protocol (eBGP) neighbors, the chance of a hacker compromising any of the BGP sessions incre... |
| V-265441 | | The NSX Tier-0 Gateway router must be configured to have Internet Control Message Protocol (ICMP) unreachable notifications disabled on all external interfaces. | The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wid... |
| V-265442 | | The NSX Tier-0 Gateway router must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces. | The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wid... |
| V-265443 | | The NSX Tier-0 Gateway router must be configured to have Internet Control Message Protocol (ICMP) redirects disabled on all external interfaces. | The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wid... |
| V-265444 | | The NSX Tier-0 Gateway router must be configured to use the Border Gateway Protocol (BGP) maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks. | The effects of prefix de-aggregation can degrade router performance due to the size of routing tables and also result in black-holing legitimate traff... |
| V-265404 | | The NSX Tier-0 Gateway router must be configured to have the Dynamic Host Configuration Protocol (DHCP) service disabled if not in use. | A compromised router introduces risk to the entire network infrastructure, as well as data resources that are accessible via the network. The perimete... |
| V-265468 | | The NSX Tier-0 Gateway router must be configured to use its loopback address as the source address for Internal Border Gateway Protocol (IBGP) peering sessions. | Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of the Border Gateway Prot... |
| V-265479 | | The NSX Tier-0 Gateway router must be configured to advertise a hop limit of at least 32 in Router Advertisement messages for IPv6 stateless auto-configuration deployments. | The Neighbor Discovery (ND) protocol allows a hop limit value to be advertised by routers in a Router Advertisement message being used by hosts instea... |
| V-265483 | | The NSX Tier-0 Gateway router must be configured to have routing protocols disabled if not in use. | A compromised router introduces risk to the entire network infrastructure, as well as data resources that are accessible via the network. The perimete... |
| V-265484 | | The NSX Tier-0 Gateway router must be configured to have multicast disabled if not in use. | A compromised router introduces risk to the entire network infrastructure, as well as data resources that are accessible via the network. The perimete... |