| V-251744 | | The NSX-T Tier-0 Gateway must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS). | Accepting route advertisements belonging to the local AS can result in traffic looping or being black holed, or at a minimum using a non-optimized pat... |
| V-251745 | | The NSX-T Tier-0 Gateway must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing. | If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel. Lim... |
| V-251748 | | The NSX-T Tier-0 Gateway must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks. | DoS is a condition when a resource is not available for legitimate users. Packet flooding distributed denial-of-service (DDoS) attacks are referred to... |
| V-251751 | | The NSX-T Tier-0 Gateway must be configured to implement message authentication for all control plane protocols. | A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destinatio... |
| V-251752 | | The NSX-T Tier-0 Gateway must be configured to use a unique key for each autonomous system (AS) with which it peers. | If the same keys are used between eBGP neighbors, the chance of a hacker compromising any of the BGP sessions increases. It is possible that a malicio... |
| V-251753 | | The NSX-T Tier-0 Gateway must be configured to have Internet Control Message Protocol (ICMP) unreachable notifications disabled on all external interfaces. | The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wid... |
| V-251754 | | The NSX-T Tier-0 Gateway must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces. | The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wid... |
| V-251755 | | The NSX-T Tier-0 Gateway must be configured to have Internet Control Message Protocol (ICMP) redirects disabled on all external interfaces. | The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wid... |
| V-251756 | | The NSX-T Tier-0 Gateway must be configured to use the BGP maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks. | The effects of prefix de-aggregation can degrade router performance due to the size of routing tables and also result in black-holing legitimate traff... |
| V-251746 | | The NSX-T Tier-0 Gateway must be configured to have all inactive interfaces removed. | An inactive interface is rarely monitored or controlled and may expose a network to an undetected attack on that interface.
If an interface is no lon... |
| V-251747 | | The NSX-T Tier-0 Gateway must be configured to have the DHCP service disabled if not in use. | A compromised router introduces risk to the entire network infrastructure, as well as data resources that are accessible via the network. The perimete... |
| V-251757 | | The NSX-T Tier-0 Gateway must be configured to use its loopback address as the source address for iBGP peering sessions. | Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of the BGP routers. It is ... |
| V-251758 | | The NSX-T Tier-0 Gateway must be configured to have routing protocols disabled if not in use. | A compromised router introduces risk to the entire network infrastructure, as well as data resources that are accessible via the network. The perimete... |
| V-251759 | | The NSX-T Tier-0 Gateway must be configured to have multicast disabled if not in use. | A compromised router introduces risk to the entire network infrastructure, as well as data resources that are accessible via the network. The perimete... |
| V-251749 | | The NSX-T Tier-0 Gateway must be configured to restrict traffic destined to itself. | The route processor handles traffic destined to the router, the key component used to build forwarding paths, and is also instrumental with all networ... |
| V-251750 | | Unicast Reverse Path Forwarding (uRPF) must be enabled on the NSX-T Tier-0 Gateway. | A compromised host in an enclave can be used by a malicious platform to launch cyber attacks on third parties. This is a common practice in "botnets",... |
