dutsnekcirf
Contributor
Contributor

Any experience with "SDN Using NV" STIG?

I've been put in a position where I need to test a particular deployment of VMware NSX against DISA's "SDN using NV" STIG.  I've had no problem going through the "VMware NSX Distributed Firewall", "VMware NSX Distributed Logical Router", and "VMware NSX Manager" STIGS.  These ones weren't too bad since they provide detailed enough check content.  But now I'm also being required to go through the "SDN using NV" STIG and I'm at a complete loss.  This particular STIG is a very broad and generalized STIG that DISA seems to think applies to all SDN environments.

The very first check wants me to verify that the Southbound APIs (I believe VMware NSX uses OVSDB as it's Southbound API) are sending messages that are authenticated using FIPS approved cipher-based message authentication code (CMAC) and keyed-hash message authentication code (HMAC) algorithms.  I have absolutely no idea how to verify this.

Has anyone on this forum gone through this STIG and applied it to their NSX deployment? Or has anyone found any sort of guide for this STIG specifically tailored to an NSX deployment?

I'm at a complete and total loss.  Any suggestions or guides or documentation would be greatly appreciated.

Thanks in advance

Tags (3)
0 Kudos
2 Replies
parmarr
VMware Employee
VMware Employee

I found a VMware Page discusing STIG with NSX - https://blogs.vmware.com/security/2016/09/newly-released-stig-validates-vmware-nsx-meets-security-ha.... Although not sure if this helps customer's inquiry on the thread. This question is out of Scope for KCs - even for TSEs I would think.

Sincerely, Rahul Parmar VMware Support Moderator
0 Kudos
dutsnekcirf
Contributor
Contributor

Thank you parmarr for your response.  I've seen that page and it is referring to the STIG checklists created specifically for VMware NSX.  They are the three STIG checklists that I had mentioned in my first post.  Those ones are great and easy to follow. They provide step by step instructions on how to perform each check.  Unfortunately I'm referring to a different one with the title "Software-Defined Networking (SDN) using Network Virtualization (NV) version 1".  It can be found about middle of the page here: http://iase.disa.mil/stigs/Pages/a-z.aspx?Paged=TRUE&p_Title=Microsoft%20Word%202013%20STIG%20%2d%20... The VMware NSX ones are found on that page too.

This one appears to be very broad and is meant to encompass all forms of Software Defined Networking; which I believe VMware NSX qualifies to a limited extent.  The difference; however, is that NSX is proprietary to VMware and does not appear to be open enough for me to perform many of the tasks required by this STIG; such as the example task that I mentioned in my first post.  With that said, I might have to use that as my response to many of the checklist items. "Can not perform this check due to the closed nature of VMware NSX".

So let's take the first checklist item for example. It says to, "Review the components within the SDN framework that send and receive southbound API messages and verify that the messages are authenticated using a FIPS-approved message authentication code (MAC) algorithm" ... "If the SDN controller or SDN-enabled network elements do not authenticate received southbound API messages using a FIPS-approved message authentication code algorithm, this is a finding."

How would an NSX expert verify that?  It mentions the "SDN controller"; so within a the context of NSX would that be considered the NSX Controllers or the NSX Manager?  When they say "SDN-enabled network elements" would that be considered Distributed Logical Routers, Logical Switches and/or vSwitches? or are they actually referring to physical networking hardware (standard routers and switches) that support SDN technologies such as OpenFlow, OVSDB, or OpFlex?

Once again, I appreciate your response parmarr.  I don't really expect anyone; including VMware, to have a step by step on how to perform this STIG.  I think that those who are expecting me to perform this STIG don't understand that NSX is a different kind of implementation from any open source and free SDN solution.  From what I can tell they haven't even looked at the checklist and are simply assuming it applies based on its title.

Maybe when this is all done I'll be able to provide a Step-By-Step for everyone else.

0 Kudos