Version 2.1
Currently only the entities listed below are covered; all others are out of scope.
ID | Component | Subcomponent | Title
backup-excludes | NSX Manager | Backup and Restore | Do not exclude audit logs and system events from backing up.
backup-user-password | NSX Manager | Backup and Restore | Ensure that the backup user has a strong password.
block-unused-ports | NSX Manager | Ports | Block access to ports not used by NSX Manager.
disable-ssh-manager | NSX Manager | Communication | Disable Secure Shell (SSH) unless needed for diagnostics or troubleshooting purposes.
enable-remote-syslog | NSX Manager | Logging | Configure remote logging for NSX Manager.
ensure-valid-certificates | NSX Manager | Certificates | Ensure that the NSX Manager certificate is valid and legitimate.
limit-user-role | NSX Manager | User Administration | Utilize roles and privileges within NSX Manager to limit user privileges.
limit-user-scope | NSX Manager | User Administration | Define access scope for NSX Manager users.
restrict-nsx-va-access | VMware vSphere | NSX Manager VA | Restrict access to the NSX Manager Virtual Appliance in the VMware vSphere environment.
secure-backup-dir | NSX Manager | Backup and Restore | Ensure that the backup directory is secured.
secure-dns-server | NSX Manager | Network | Ensure that IPv4 DNS is authorized and secure.
secure-sftp-server | NSX Manager | Backup and Restore | Ensure that the SFTP server on which backup is done is hardened as appropriate.
secure-syslog-server | NSX Manager | Logging | Ensure that the Syslog server is authorized and the configuration is appropriate.
use-sftp | NSX Manager | Backup and Restore | Use SFTP for backup and restoration.
verify-install-media | NSX Manager | Installation | Verify integrity of installation media before installing the product.
Vulnerability Discussion / Assessment Procedure (one entry per recommendation)

backup-excludes
Vulnerability Discussion: Audit logs and system events carry important information that might be needed in the future for tracking events, for accountability and for security reasons. It is important to safeguard these logs, so they should be regularly backed up and preserved for the future.
Assessment Procedure: Follow the steps below to assess this recommendation:
1) Log on to NSX Manager Virtual Appliance
2) Go to "Manage" --> "Backup & Restore"
3) Under "Backup & Restore", verify that "Audit Logs" and "System Events" are not excluded (by DEFAULT they are NOT excluded)

backup-user-password
Vulnerability Discussion: Ensure that the SFTP server backup account credentials are secured. Use strong passwords for the backup user.
Assessment Procedure: Assess the backup user on password quality and ensure that the passwords meet the required complexity as defined in your local site policy.

block-unused-ports
Vulnerability Discussion: Blocking unneeded ports can prevent general attacks on those ports and thus reduce the attack surface.
Assessment Procedure: Verify that only the ports listed in the "Reference" section of this sheet are open on NSX Manager.

disable-ipv6
Vulnerability Discussion: IPv6 is the next version of the Internet Protocol, but it is not widely used. Binding this protocol to the network stack increases the attack surface. Until needed, IPv6 should be disabled.
Assessment Procedure: Follow the steps below to assess this recommendation:
1) Log on to NSX Manager Virtual Appliance
2) Go to "Manage" --> "Network"
3) Under "General network settings", verify IPv6 is not configured

disable-ipv6-dns
Vulnerability Discussion: If you are not using IPv6 within your environment, there is no good reason why IPv6 DNS should be configured. Having unnecessary services running in the environment increases the attack surface. Unless needed, IPv6 DNS should be disabled.
Assessment Procedure: Follow the steps below to assess this recommendation:
1) Log on to NSX Manager Virtual Appliance
2) Go to "Manage" --> "Network"
3) Under "DNS Servers", verify IPv6 DNS is not configured

disable-ssh-manager
Vulnerability Discussion: Secure Shell (SSH) is an interactive command line environment available for making remote connections to NSX Manager. Access via SSH requires the credentials of the root or a higher privileged user account. Activities performed over SSH generally bypass NSX for vSphere based RBAC and audit controls. Thus, SSH should only be turned on when needed to troubleshoot/resolve problems that cannot be fixed via other procedures.
Assessment Procedure: Try opening a connection via SSH to NSX Manager. If the connection opens requesting credentials, SSH is enabled and available for making connections.
Alternatively, log in to the NSX Manager virtual appliance and go to the "Summary" tab. Under "System-level components", the "SSH Service" status should be "Stopped".

[NTP time settings]
Vulnerability Discussion: By ensuring that all systems use the same relative time source (including the relevant localization offset), and that the relative time source can be correlated to an agreed-upon time standard (such as Coordinated Universal Time, UTC), you can make it simpler to track and correlate an intruder's actions when reviewing the relevant log files. Incorrect time settings can make it difficult to inspect and correlate log files to detect attacks, and can make auditing inaccurate.
Assessment Procedure: Follow the steps below to assess this recommendation:
1) Log on to NSX Manager Virtual Appliance
2) Go to "Manage" --> "General"
3) Under "Time Settings", verify that the "NTP Server" entries are authorized and trusted. It is recommended to use the same NTP server used by the SSO server.

enable-remote-syslog
Vulnerability Discussion: Remote logging to a central log host provides a secure, centralized store for NSX logs. This mitigates the risk of log tampering on the local system. Also, by gathering log files onto a central host you can more easily monitor the environment with a single tool. You can also do aggregate analysis and searching to look for such things as coordinated attacks that would ensue on multiple entities within the infrastructure. Logging to a secure, centralized log server also helps prevent log tampering and provides a long-term audit record.
Assessment Procedure: Follow the steps below to assess this recommendation:
1) Log on to NSX Manager Virtual Appliance
2) Go to "Manage" --> "General"
3) Verify syslog server configuration

ensure-valid-certificates
Vulnerability Discussion: Ensuring that the SSL certificates used are valid and legitimate ensures that the proper chain of trust is established. Also note that the default certificate algorithm is RSA with a minimum key size of 2048 bits.
Assessment Procedure: Follow the steps below to assess this recommendation:
1) Log on to NSX Manager Virtual Appliance
2) Go to "Manage" --> "SSL Certificates"
3) Click on the certificate and verify the certificate details.
harden-vsphere-environment
Vulnerability Discussion: NSX for vSphere relies on a secure VMware vSphere environment to achieve the greatest benefits along with a secured infrastructure. A VMware vSphere environment that is not hardened appropriately can jeopardize the working of NSX for vSphere.
Assessment Procedure: Assess the VMware vSphere environment and ensure that an appropriate level of the VMware vSphere hardening guide is enforced and maintained.

[VMware security advisories]
Vulnerability Discussion: VMware releases security advisories for various products from time to time. Staying on top of these advisories can ensure that you have the safest underlying product and that the product is not vulnerable to known threats.
Assessment Procedure: Assess the NSX for vSphere installation, patching and upgrade history and ensure that the released VMware Security Advisories are followed and enforced.
limit-user-role
Vulnerability Discussion: Assigning a higher level of privilege than needed to carry out the job in hand violates the "Need to Know" security principle. NSX Manager provides roles designed for carrying out specific tasks such as auditing, security administration, NSX deployment administration and NSX configuration. Utilize these roles and assign them to specific user accounts as appropriate.
Assessment Procedure: Follow the steps below to assess this recommendation:
1) Login to VMware vSphere Web Client
2) Navigate to "Networking and Security" -> "NSX Manager"
3) Choose the NSX Manager instance and click on the "Manage" tab
4) Click on the "Users" tab to get the user list
5) Verify that each user account and its assigned role are legitimate.

limit-user-scope
Vulnerability Discussion: Assigning access to entities other than those needed to carry out the job in hand violates the "Need to Know" security principle. NSX Manager provides access scope restriction options to limit the entities a user with a specific role can access. Utilize this feature to correctly assign the access scope to specific user accounts as appropriate.
Assessment Procedure: Follow the steps below to assess this recommendation:
1) Login to VMware vSphere Web Client
2) Navigate to "Networking and Security" -> "NSX Manager"
3) Choose the NSX Manager instance and click on the "Manage" tab
4) Click on the "Users" tab to get the user list
5) Verify that each user account and its access scope are legitimate.

[REST API usage monitoring]
Vulnerability Discussion: As of now, there is no built-in mechanism to restrict the usage of REST APIs. Such usage should instead be monitored from the logs, and you should ensure that the API usage is granted and approved by your local site policy.
Assessment Procedure: Follow the steps below to assess this recommendation:
1) Log in to the VMware vSphere Web Client
2) Navigate to the NSX Manager instance
3) Click on "Monitor"
4) Review entries under "Audit Logs", "System Events" and "Tasks"
-OR-
Use a log management product such as VMware Log Insight to monitor these logs and generate appropriate warnings as needed.
no-unsupported-software
Vulnerability Discussion: Installing any unsupported/untested/unapproved software on infrastructure products such as NSX for vSphere can spell disaster. It is highly recommended not to install or use any software not supported by VMware, to minimize the threat to the infrastructure. Do not add other software components to the NSX for vSphere appliances, as that is an untested configuration and could potentially interfere with the operation of the security functions they provide.
Assessment Procedure: Assess the NSX for vSphere deployment and inventory the products installed. Ensure that no unsupported software is installed.

password-complexity-webui
Vulnerability Discussion: Minimal password complexity is enforced when a user creates/changes a password for the NSX Web UI. This leaves room for setting weak passwords, which makes it more likely that attacks against user credentials will be successful.
Assessment Procedure: Assess the administrator on password quality and ensure that the passwords meet the required complexity as defined in your local site policy.
restrict-nsx-access
Vulnerability Discussion: The NSX Manager should not be on a network accessible to the standard virtual machine network or the management network in general. Any compromise of NSX Manager could potentially lead to communicating with hypervisors directly.
Assessment Procedure: Assess the deployment and try to reach NSX Manager from the standard network. NSX Manager should only be reachable using isolation mechanisms.
Use network access control such as firewalls to prevent unauthorized access to NSX Manager. Another way to restrict access might be to only allow TCP/443 from a secure jump host management station.

restrict-nsx-va-access
Vulnerability Discussion: Users having access to the NSX Manager VA in the VMware vSphere environment could potentially cause harm by intentionally or unintentionally performing power off/suspend/migrate or other administrative functions. It is important that NSX Manager VA access is protected using user access controls or by separating/isolating the NSX Manager environment.
Assessment Procedure: Login to the VMware vSphere environment and inspect which users have access permissions to the NSX Manager VA. No user other than the intended administrator should have access to the VA or be able to carry out any administrative actions on that VA.
secure-backup-dir
Vulnerability Discussion: It is important to ensure that the directory where the NSX for vSphere backup is stored on the SFTP server is secured with proper directory permissions. Do not grant read or write permissions to anyone other than the backup user account.
Assessment Procedure: Login to the SFTP server and navigate to the backup directory. Ensure that the backup directory cannot be read or written to by any user other than the backup user.

secure-dns-server
Vulnerability Discussion: Ensuring that the IPv4 DNS servers are authorized and secure mitigates the risk of DNS based vulnerabilities. Also, ensure that the DNS server is hardened according to best practice guidelines.
Assessment Procedure: Follow the steps below to assess this recommendation:
1) Log on to NSX Manager Virtual Appliance
2) Go to "Manage" --> "Network"
3) Under "General network settings", verify IPv4 DNS is authorized and secure.

secure-sftp-server
Vulnerability Discussion: It is as important to harden the SFTP server as it is to use SFTP for backup and restoration instead of insecure FTP. Hardening the SFTP server on which backup is done ensures that common threats and vulnerabilities can be mitigated. An unhardened or exposed server might lead to a break-in on the server and compromise of important data.
Assessment Procedure: Audit the SFTP server and ensure that it is hardened with general best practices and guidelines for FTP server hardening.

secure-syslog-server
Vulnerability Discussion: This recommendation goes hand-in-hand with the recommendation to enable remote syslog. Ensuring that the remote Syslog server is authorized and secure is very important. Use a SIEM solution or a syslog server solution such as VMware Log Insight and configure it to collect the NSX logs securely.
Assessment Procedure: Follow the steps below to assess this recommendation:
1) Log on to NSX Manager Virtual Appliance
2) Go to "Manage" --> "General"
3) Verify Syslog Server configuration

use-sftp
Vulnerability Discussion: Do not use insecure FTP for backup and restoration. FTP is typically unencrypted and presents confidentiality and integrity risks. Backup and restoration procedures involve sensitive data and hence unencrypted FTP should not be used.
Assessment Procedure: Follow the steps below to assess this recommendation:
1) Log on to NSX Manager Virtual Appliance
2) Go to "Manage" --> "Backup & Restore"
3) Under "Backup & Restore", verify "FTP Server settings"

verify-install-media
Vulnerability Discussion: Always download VMware software from the VMware secure website using an https connection. Always check the SHA1 hash after downloading the bits, offline bundle, or patch to ensure integrity and authenticity of the downloaded files. If you obtain physical media from VMware and the security seal is broken, return the software to VMware for a replacement.
Assessment Procedure: After downloading the media, use the MD5/SHA1 sum value to verify the integrity of the download. Compare the MD5/SHA1 hash output with the value posted on the VMware secure website.
Word of Caution | Desired Value | Is the setting default?
If you are already sending the audit and system logs to a remote logging server via syslog, do not include those same audit and system logs whenever a backup is performed to the specified SFTP target. It would be needlessly redundant, and the backups containing those logs can be pretty big. | Audit logs and System events are not excluded | Yes
NA | Strong passwords as defined in your local site policy | No
NA | 1) Appropriate Issuer 2) Correct certificate Type 3) RSA Algorithm 4) 2048 bits keys or higher | No
NA | NA | No
NA | NA | No
NA | NA | No
NA | NA | No
NA | NA | No
NA | NA | No
NA | NA | No
NA | NA | No
NA | NA | No
NA | NA | No
NA | SHA1 or MD5 hash should match | No
API | Reference
https://<nsxmgr-ip>/api/1.0/appliance-management/backuprestore/backupsettings | http://pubs.vmware.com/nsx-63/index.jsp#com.vmware.nsx.admin.doc/GUID-2A75A102-518D
https://<nsxmgr-ip>/api/1.0/appliance-management/backuprestore/backupsettings | NA
NA | http://pubs.vmware.com/nsx-63/index.jsp#com.vmware.nsx.admin.doc/GUID-E7C4E61C-1F36-
https://<nsxmgr-ip>/api/1.0/appliance-management/system/network | http://pubs.vmware.com/nsx-63/index.jsp#com.vmware.nsx.admin.doc/GUID-2A75A102-518D
https://<nsxmgr-ip>/api/1.0/appliance-management/system/network | http://pubs.vmware.com/nsx-63/index.jsp#com.vmware.nsx.admin.doc/GUID-2287ACAA-C1B6
https://<nsx-manager-ip>/api/1.0/appliance-management/components/component/SSH/ to check the status | http://pubs.vmware.com/NSX-6/topic/com.vmware.nsx.install.doc/GUID-F4161963-B338-477D-9D2F-147DF26680F0.html
https://<nsxmgr-ip>/api/1.0/appliance-management/system/timesettings | http://www.pool.ntp.org/en/
https://<nsxmgr-ip>/api/1.0/appliance-management/system/syslogserver | http://pubs.vmware.com/nsx-63/index.jsp#com.vmware.nsx.install.doc/GUID-CFB0DC96-C329-
https://<nsxmgr-ip>/api/1.0/appliance-management/certificatemanager/certificates/nsx | http://pubs.vmware.com/nsx-63/index.jsp#com.vmware.nsx.admin.doc/GUID-75E20224-AE0D-
NA | http://www.vmware.com/security/hardening-guides.html
https://<nsxmgr-ip>/api/1.0/appliance-management/global/info | http://www.vmware.com/security/advisories/
https://<nsxmgr-ip>/api/2.0/services/usermgmt/role/<userId> | http://pubs.vmware.com/nsx-63/index.jsp#com.vmware.nsx.admin.doc/GUID-049478CE-681F-
https://<nsxmgr-ip>/api/2.0/services/usermgmt/role/<userId> | http://pubs.vmware.com/nsx-63/index.jsp#com.vmware.nsx.admin.doc/GUID-79F9067D-2F29-
https://<vsm-ip>/api/2.0/systemevent?startIndex=0&pageSize=10 | NA
https://<nsxmgr-ip>/api/1.0/appliance-management/components | https://www.vmware.com/support/policies/thirdparty.html
https://<nsxmgr-ip>/api/1.0/appliance-management/notifications | NA
https://<nsxmgr-ip>/api/2.0/logging/auditlog?startIndex=0&pageSize=10 | NA
NA | NA
NA | https://pubs.vmware.com/vsphere-65/index.jsp#com.vmware.vsphere.security.doc/GUID-3F7F
https://<nsxmgr-ip>/api/1.0/appliance-management/backuprestore/backupsettings | NA
https://<nsxmgr-ip>/api/1.0/appliance-management/system/network |
https://<nsxmgr-ip>/api/1.0/appliance-management/backuprestore/backupsettings | http://www.giac.org/paper/gsec/3581/creating-secure-inter-company-file-transfer-system/1058
https://<nsxmgr-ip>/api/1.0/appliance-management/system/syslogserver | http://blogs.vmware.com/management/2013/09/log-insight-remote-syslog-architectures.html
https://<nsxmgr-ip>/api/1.0/appliance-management/backuprestore/backupsettings | http://pubs.vmware.com/nsx-63/index.jsp#com.vmware.nsx.admin.doc/GUID-79F9067D-2F29-
NA | http://kb.vmware.com/kb/1537
ID | Component | Subcomponent | Title
block-unused-ports | NSX Controller | Ports | Block access to ports not used by NSX Controller.
disable-ssh-controller
Vulnerability Discussion: Secure Shell (SSH) is an interactive command line environment available for making remote connections to NSX Controller. Access via SSH requires the credentials of the root or a higher privileged user account. Activities performed over SSH generally bypass NSX based RBAC and audit controls. Thus, SSH should only be turned on when needed to troubleshoot/resolve problems that cannot be fixed via other procedures.
Assessment Procedure: Try opening a connection via SSH to NSX Controller. If the connection opens requesting credentials, SSH is enabled and available for making connections.

isolate-controller-network
Vulnerability Discussion: The controller network should be secured. By default, IPSec is enabled between the controllers for NSX. However, isolating the controller network provides an additional layer of security that may help prevent confidentiality, integrity and availability attacks.
Assessment Procedure: Ensure that the controller network is deployed on a network that is not configured for or connected to other types of traffic.

[controller IPSec]
Vulnerability Discussion: The controller network should be secured. By default, IPSec is enabled between the controllers for NSX.
Assessment Procedure: Ensure that the controller network is secured. Run a REST API call to get the properties of the controller node and verify that the ipSecEnabled element is true.
https://<nsxmgr>/api/2.0/vdn/controller/node
Response:
<controllerNodeConfig>
<ipSecEnabled>true</ipSecEnabled>
</controllerNodeConfig>

restrict-nsx-va-access
Vulnerability Discussion: Users having access to the NSX Controller VA in the VMware vSphere environment could potentially cause harm by intentionally or unintentionally performing power off/suspend/migrate or other administrative functions. It is important that NSX Controller VA access is protected using user access controls or by separating/isolating the NSX Controller environment.
Assessment Procedure: Login to the VMware vSphere environment and inspect which users have access permissions to the NSX Controller VA. No user other than the intended administrator should have access to the VA or be able to carry out any administrative actions on that VA.
Word of Caution | Desired Value | Is the setting default?
NA | Only needed ports should be open | No
NA | NA | NA
NA | NA | No
API | Reference
NA | http://pubs.vmware.com/nsx-63/index.jsp#com.vmware.nsx.admin.doc/GUID-E7C4E61C-1F36-
NA | NA
To disable IPSec: https://<nsxmgrip>/api/2.0/vdn/controller/node | NA
NA | https://pubs.vmware.com/vsphere-65/index.jsp#com.vmware.vsphere.security.doc/GUID-3F7F
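The API column above lists the appliance-management and controller endpoints behind several of the manual assessment steps (backup settings, SSH component status, controller ipSecEnabled). The script below, an added example and not VMware's code, evaluates four of those checks offline over the XML such a call returns. The endpoints are copied from the guide; the `/status` suffix on the SSH component URL and the `backupRestoreSettings` / `componentStatus` element layouts are assumptions, since only the `controllerNodeConfig` response is shown on this page, and the sample responses are constructed.

```python
"""Offline compliance checks for backup-excludes, use-sftp, disable-ssh-manager
and the controller IPSec recommendation, run over NSX REST XML responses.
Added example, not VMware's code.  Only the controllerNodeConfig/ipSecEnabled
response shape is shown in the guide; the backupRestoreSettings and
componentStatus layouts used here are assumptions."""
import base64
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Endpoints copied from the guide's API column; <nsxmgr-ip> is a placeholder.
ENDPOINTS = {
    "backupsettings": "https://<nsxmgr-ip>/api/1.0/appliance-management/backuprestore/backupsettings",
    "ssh": "https://<nsxmgr-ip>/api/1.0/appliance-management/components/component/SSH/status",
    "controller": "https://<nsxmgr-ip>/api/2.0/vdn/controller/node",
}

Result = Tuple[bool, str]


def fetch(url: str, user: str, password: str, timeout: int = 15) -> str:
    """GET an NSX REST endpoint with HTTP basic auth and return the XML body.
    Not exercised offline; the checks below take the XML text directly."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}",
                                               "Accept": "application/xml"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_backup_excludes(xml_text: str) -> Result:
    """backup-excludes: AUDIT_LOG and SYSTEM_EVENTS must not appear in excludeTables."""
    root = ET.fromstring(xml_text)
    excluded = {(e.text or "").strip() for e in root.iter("excludeTable")}
    bad = sorted(excluded & {"AUDIT_LOG", "SYSTEM_EVENTS"})
    if bad:
        return False, "excluded from backup: " + ", ".join(bad)
    return True, "audit logs and system events are included in backups"


def check_use_sftp(xml_text: str) -> Result:
    """use-sftp: the backup transfer protocol must be SFTP, never plain FTP."""
    root = ET.fromstring(xml_text)
    proto = (root.findtext(".//transferProtocol") or "").strip().upper()
    return proto == "SFTP", f"backup transfer protocol is {proto or 'unset'}"


def check_ssh_stopped(xml_text: str) -> Result:
    """disable-ssh-manager: SSH component status should be STOPPED, mirroring the
    UI check ("SSH Service" under "System-level components" shows "Stopped")."""
    root = ET.fromstring(xml_text)
    status = (root.findtext(".//status") or "").strip().upper()
    return status == "STOPPED", f"SSH service status is {status or 'unknown'}"


def check_controller_ipsec(xml_text: str) -> Result:
    """Controller IPSec: every controllerNodeConfig must report ipSecEnabled=true."""
    root = ET.fromstring(xml_text)
    values = [(e.text or "").strip().lower() for e in root.iter("ipSecEnabled")]
    if not values:
        return False, "no ipSecEnabled element in response"
    return all(v == "true" for v in values), f"ipSecEnabled values: {values}"


CHECKS = [
    ("backup-excludes", "backupsettings", check_backup_excludes),
    ("use-sftp", "backupsettings", check_use_sftp),
    ("disable-ssh-manager", "ssh", check_ssh_stopped),
    ("controller-ipsec", "controller", check_controller_ipsec),
]


def run_checks(responses: Dict[str, str]) -> List[Tuple[str, bool, str]]:
    """Evaluate each check against the XML body fetched for its endpoint key."""
    return [(rec_id, *fn(responses[key])) for rec_id, key, fn in CHECKS]


# Constructed sample responses for an offline run: backups go over plain FTP
# with AUDIT_LOG excluded, SSH is running, controller IPSec is on.
SAMPLE_RESPONSES = {
    "backupsettings": """<backupRestoreSettings>
  <ftpSettings>
    <transferProtocol>FTP</transferProtocol>
    <hostNameIPAddress>backup.example.test</hostNameIPAddress>
    <port>21</port>
    <userName>nsxbackup</userName>
    <backupDirectory>/backups/nsx</backupDirectory>
  </ftpSettings>
  <excludeTables>
    <excludeTable>AUDIT_LOG</excludeTable>
  </excludeTables>
</backupRestoreSettings>""",
    "ssh": "<componentStatus><status>RUNNING</status></componentStatus>",
    "controller": "<controllerNodeConfig><ipSecEnabled>true</ipSecEnabled>"
                  "</controllerNodeConfig>",
}

if __name__ == "__main__":
    for rec_id, ok, detail in run_checks(SAMPLE_RESPONSES):
        print(f"{'PASS' if ok else 'FAIL'}  {rec_id:<22} {detail}")
```

To run against a live appliance, replace the sample bodies with `fetch(ENDPOINTS[key], user, password)` for each key; the three sample responses produce three FAIL lines and one PASS.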
ID | Component | Subcomponent | Title
block-unused-ports | Various | Ports | Block access to ports not used on data plane.
disable-ssh-gateway | NSX Edge | Edge Service Gateway | Disable Secure Shell (SSH) unless needed for diagnostics or troubleshooting purposes.
disable-ssh-router | NSX Edge | Edge Logical Router | Disable Secure Shell (SSH) unless needed for diagnostics or troubleshooting purposes.
enable-md5 | NSX Edge | Edge Logical Router | Enable in-protocol MD5 authentication for OSPF and BGP.
reject-forged-transmit-dvportgroup | NSX vSwitch | vSphere Distributed Switch | Ensure that the "Forged Transmits" policy is set to reject.
reject-mac-change-dvportgroup | NSX vSwitch | vSphere Distributed Switch | Ensure that the "MAC Address Change" policy is set to reject.
reject-promiscuous-mode-dvportgroup | NSX vSwitch | vSphere Distributed Switch | Ensure that the "Promiscuous Mode" policy is set to reject.
Assessment Procedure / Word of Caution (one entry per recommendation)

disable-ssh-gateway
Assessment Procedure: Try opening a connection via SSH to the NSX Edge Services Gateway. If the connection opens requesting credentials, SSH is enabled and available for making connections.
Word of Caution: If you need to use SSH, set the thumbprint a single time at the client, and always reuse the same client to connect. If prompted for initial connection approval later from the same client, don't connect.

disable-ssh-router
Assessment Procedure: Try opening a connection via SSH to the NSX distributed logical router. If the connection opens requesting credentials, SSH is enabled and available for making connections.
Word of Caution: If you need to use SSH, set the thumbprint a single time at the client, and always use the same client to connect. If prompted for initial connection approval later from the same client, don't connect.
Also, firewall the SSH port (port 22) on all edge interfaces except the one to the control plane. Wherever possible, consider using the VMware vSphere Web Client instead of SSH.

enable-md5
Assessment Procedure: Use the protocol commands to find out if authentication is enabled. If the commands return Null Authentication (also called Type 0), no authentication information is included in the packet header; this is the default.
Word of Caution: NA

[storage network]
Also ensure that backing data stores have the same level of security as the SFTP backup servers. Use local disk storage as a last resort for NSX Manager.

[virtual network isolation]
Assessment Procedure: Thoroughly review the deployment and ensure that the virtual network is isolated.
Word of Caution: NA

reject-forged-transmit-dvportgroup
Assessment Procedure: Verify by using the vSphere Web Client to connect to the vCenter Server as administrator:
1. Go to "Home > Inventory > Networking".
2. Select "DSwitch" for distributed portgroups.
3. Select each dvPortgroup connected to active VMs requiring securing.
4. Go to tab "Summary > Edit Settings > Policies > Security".
5. Set the Forged transmits value to "Reject"
Word of Caution: There are 2 load balancing options when configuring VXLAN networking: Load Balance - SRCID and Load Balance - SRCMAC. The SRCMAC option requires the forged transmit policy to be "accept", whereas the SRCID option does not require the forged transmit policy to be "accept".

reject-mac-change-dvportgroup
Assessment Procedure: Verify by using the vSphere Web Client to connect to the vCenter Server as administrator:
1. Go to "Home > Inventory > Networking".
2. Select "DSwitch" for distributed portgroups.
3. Select each dvPortgroup connected to active VMs requiring securing.
4. Go to tab "Summary > Edit Settings > Policies > Security".
5. "Mac Address Changes" = "Reject"
Word of Caution: This setting might break Microsoft Clustering and L2 Bridging.

reject-promiscuous-mode-dvportgroup
Assessment Procedure: Verify by using the vSphere Web Client to connect to the vCenter Server as administrator:
1. Go to "Home > Inventory > Networking".
2. Select "DSwitch" for distributed portgroups.
3. Select each dvPortgroup connected to active VMs requiring securing.
4. Go to tab "Summary > Edit Settings > Policies > Security".
5. "Promiscuous Mode" = "Reject"
Word of Caution: NA
NA | No | NA
NA | No | NA
Strong passwords as defined in your local site policy | No | NA
NA | Yes | https://pubs.vmware.com/vsphere-65/index.jsp#com.vmware.wssd
NA | Yes | https://pubs.vmware.com/vsphere-65/index.jsp#com.vmware.wssd
NA | Yes | https://pubs.vmware.com/vsphere-65/index.jsp#com.vmware.wssd
NA | No | NA
NA | No | https://pubs.vmware.com/vsphere-65/index.jsp#com.vmware.wssd
NA | No | https://<vsm-ip>/api/4.0/edges/<edgeId>/loadbalancer/config
Reference
http://pubs.vmware.com/nsx-63/index.jsp#com.vmware.nsx.admin.doc/GUID-E7C4E61C-1F36-457C-ACC5-EAF955C46E8B.htm
http://pubs.vmware.com/nsx-63/index.jsp#com.vmware.nsx.install.doc/GUID-1EA25D37-F1C7-45C8-AEBA-A555ACC972BC.htm
http://pubs.vmware.com/nsx-63/index.jsp#com.vmware.nsx.install.doc/GUID-1EA25D37-F1C7-45C8-AEBA-A555ACC972BC.htm
http://pubs.vmware.com/nsx-63/index.jsp#com.vmware.nsx.admin.doc/GUID-EF251ED4-5BCA-43D5-9C01-975601EACF1E.htm
http://www.safenet-inc.com/data-protection/virtualization-cloud-security/protectv-cloud-data-protection/
https://communities.vmware.com/docs/DOC-27683
NA
http://pubs.vmware.com/nsx-63/index.jsp#com.vmware.nsx.admin.doc/GUID-9EBB38F3-BE2C-4C15-BA49-879DBBE6F2F0.htm
http://www.vmware.com/files/pdf/products/nsx/vmware-nsx-on-cisco-n7kucs-design-guide.pdf
http://www.vmware.com/security/hardening-guides.html
http://www.vmware.com/security/hardening-guides.html
http://www.vmware.com/security/hardening-guides.html
https://pubs.vmware.com/vsphere-65/index.jsp#com.vmware.vsphere.security.doc/GUID-6C181D08-6650-4AD1-92D1-AAFDA
No
http://www.vmware.com/files/pdf/products/nsx/vmware-nsx-on-cisco-n7kucs-design-guide.pdf
http://www.vmware.com/security/hardening-guides.html
Date Change
28-Mar-17 First version based on NSX version 6.3 and vSphere 6.5. Renamed Security Configruati
10-Jun-16 Update VTEP default port to 4789 for NSXv 6.2.3
2--Apr-16 Port information table in Appendix
9-Apr-15 Removed Draft and Internal and added version number in the document
23-Feb-15 Updated Appendix for host prep ports between ESXi and vCenter
15-Oct-14 Control Plane > isolate-controller-network
8-Oct-14 Port information table in Appendix
8-Oct-14 Added acknowledgement
6-Oct-14 Management Plane > secure-dns-server
6-Oct-14 Management Plane > secure-syslog-server
6-Oct-14 Control Plane > utilize-vlan
6-Oct-14 Data Plane > isolate-vxlan
6-Oct-14 Data Plane > disable-ssh-router
6-Oct-14 Data Plane > enable-md5
6-Oct-14 Data Plane > password-complexity-er
22-Sep-14 Management Plane > backup-excludes
19-Sep-14 Management Plane
19-Sep-14 Control Plane
19-Sep-14 Data Plane
19-Sep-14 Doc. Info > How to read this hardening guide
19-Sep-14 Management Plane > disable-ssh-manager
19-Sep-14 Management Plane > verify-install-media
19-Sep-14 Control Plane > isolate-controller-network
19-Sep-14 Control Plane > disable-ssh-controller
19-Sep-14 Management Plane > disable-ipv6
19-Sep-14 Management Plane > disable-ipv6-dns
19-Sep-14 Data Plane > disable-ssh-gateway
19-Sep-14 Data Plane > disable-ssh-router
19-Sep-14 Data Plane > reject-forged-transmit-dvportgroup
19-Sep-14 Data Plane > reject-mac-change-dvportgroup
19-Sep-14 Data Plane > reject-promiscuous-mode-dvportgroup
19-Sep-14 Appendix > Ports 2878, 2888, 3888 > Purpose
19-Sep-14 Appendix > Csync
19-Sep-14 Appendix > Rest Client to NSX Controller
19-Sep-14 Data Plane > disable-ssh-router
19-Sep-14 Data Plane > enable-md5-dlr
19-Sep-14 Data Plane > enable-md5
19-Sep-14 Data Plane > password-complexity-dlr
19-Sep-14 Data Plane > password-complexity-dlr
19-Sep-14 Data Plane > password-complexity-er
19-Sep-14 Data Plane > reject-forged-transmit-dvportgroup
19-Sep-14 Data Plane > reject-mac-change-dvportgroup
19-Sep-14 Data Plane > reject-promiscuous-mode-dvportgroup
19-Sep-14 Data Plane > reject-mac-change-dvportgroup
19-Sep-14 Data Plane > reject-promiscuous-mode-dvportgroup
19-Sep-14 Data Plane > isolate-vxlan
19-Sep-14 Data Plane > isolate-storage-network
19-Sep-14 Data Plane > disable-ssh-gateway
19-Sep-14 Data Plane > default-firewall-rules
19-Sep-14 Doc. Info > Acknowledgement
19-Sep-14 Data Plane > restrict-vds-access
28-Aug-14 Data Plane > isolate-vxlan
28-Aug-14 Data Plane > isolate-vxlan
28-Aug-14 Data Plane > disable-ssh-router
28-Aug-14 Data Plane > disable-ssh-gateway
28-Aug-14 Management Plane > disable-ssh-manager
28-Aug-14 Control Plane > disable-ssh-controller
28-Aug-14 Control Plane > isolate-controller-network
28-Aug-14 Doc. Info Sheet
28-Aug-14 Control Plane > use-vpn-technology
28-Aug-14 Control Plane > isolate-controller-network
21-Aug-14 Data Plane > accept-forged-transmit-dvportgroup
21-Aug-14 Data Plane > accept-forged-transmit-dvportgroup
21-Aug-14 Data Plane > use-srcid-lb-option
20-Aug-14 Added "Acknowledgment" section in Doc. Info sheet
20-Aug-14 Management Plane > harden-vsphere-environment
20-Aug-14 Management Plane > disable-ssh-manager
20-Aug-14 Management Plane > restrict-nsx-access
20-Aug-14 Management Plane > restrict-nsx-va-access
20-Aug-14 Control Plane > restrict-nsx-va-access
20-Aug-14 Data Plane > restrict-nsx-va-access
20-Aug-14 Management Plane > limit-user-role
20-Aug-14 Management Plane > limit-user-scope
20-Aug-14 block-unused-ports in all the planes
20-Aug-14 isolate-vxlan
20-Aug-14 Control Plane > disable-ssh-controller
20-Aug-14 Doc. Info > Management Plane Components
20-Aug-14 Doc. Info > Control Plane Components
20-Aug-14 Doc. Info > Data Plane Components
20-Aug-14 Doc. Info > Data Plane Components
20-Aug-14 Data Plane > default-firewall-rules
20-Aug-14 Data Plane > disable-ssh-edge
20-Aug-14 Data Plane > enable-md5-dlr
20-Aug-14 Data Plane > password-complexity-dlr
20-Aug-14 Data Plane > disable-ssh-edge
20-Aug-14 Data Plane > disable-ssh-gateway
20-Aug-14 Data Plane > disable-ssh-router
20-Aug-14 Data Plane > disable-ssh-router
20-Aug-14 Data Plane > accept-forged-transmit
20-Aug-14 Data Plane > reject-mac-changes
20-Aug-14 Data Plane > reject-promiscuous-mode
20-Aug-14 Data Plane > no-non-hypervisors
20-Aug-14 Data Plane > enable-md5-dlr
20-Aug-14 Data Plane > password-complexity-dlr
20-Aug-14 Data Plane > accept-forged-transmit-dvportgroup
19-Aug-14 Added a worksheet named "Appendix"
19-Aug-14 Added "Ports and protocols required by NSX for vSphere" Table
19-Aug-14 Management Plane > block-unused-ports
19-Aug-14 Control Plane > block-unused-ports
19-Aug-14 Data Plane > block-unused-ports
14-Aug-14 Whole book
10-Aug-14 Management Plane > change-default-password --> Removed
10-Aug-14 Management Plane > ensure-valid-certificates --> Title
10-Aug-14 Management Plane > no-unsupported-software --> Subcomponent
10-Aug-14 Management Plane > no-unsupported-software --> Vulnerability Discussion
10-Aug-14 Management Plane > password-complexity-webui --> Vulnerability Discussion
10-Aug-14 Management Plane > verify-install-media --> Vulnerability Discussion
10-Aug-14 Management Plane > verify-install-media --> Assessment Procedures
10-Aug-14 Control Plane > disable-ssh-controller --> Word of Caution
10-Aug-14 Control Plane > disable-ssh-router --> Word of Caution
10-Aug-14 Data Plane > disable-ssh-edge --> Vulnerability discussion
10-Aug-14 Data Plane > isolate-storage-network --> Reference
10-Aug-14 Data Plane > isolate-storage-network --> Assessment Procedure
10-Aug-14 Data Plane > no-non-hypervisors --> Vulnerability Discussion
10-Aug-14 Data Plane > no-non-hypervisors --> Assessment Procedures
10-Aug-14 Data Plane > rabbitmq-server-certificate --> Removed
10-Aug-14 Data Plane > reject-forged-transmits --> ID
10-Aug-14 Data Plane > reject-forged-transmits --> Title
10-Aug-14 Data Plane > reject-forged-transmits --> Vulnerability Discussion
10-Aug-14 Data Plane > reject-forged-transmits --> Assessment Procedure
10-Aug-14 Data Plane > reject-forged-transmit-dvportgroups --> ID
10-Aug-14 Data Plane > reject-forged-transmit-dvportgroups --> Title
10-Aug-14 Data Plane > reject-forged-transmit-dvportgroups --> Vulnerability Discussion
10-Aug-14 Data Plane > reject-forged-transmit-dvportgroups --> Assessment Procedure
10-Aug-14 Control Plane > isolate-controller-network
10-Aug-14 Control Plane > isolate-vxlan
10-Aug-14 Control Plane > utilize-vlan
10-Aug-14 Control Plane > use-vpn-technology
1-Aug-14 Made various minor verbatim changes
1-Aug-14 Deleted the column "Configuration File"
1-Aug-14 Deleted the column "Configuration Parameters"
1-Aug-14 Added the column "Word of Caution"
1-Aug-14 Added the cautionary warning for some recommendations
1-Aug-14 Added REST API references