Helping organizations protect their assets and infrastructure from evolving attack tactics and techniques is a priority at VMware. API-focused ransomware attacks have become an all-too-common trend, and we recommend that customers take extra care to reduce their attack surface by deploying NSX Manager — and any other manager console — in a hardened manner.  

Management infrastructure and common services typically allow broad access to other potentially more valuable resources within an organization, which in turn provides malicious actors with convenient platforms from which they can launch more damaging attacks. To manage that risk, VMware recommends the following steps to protect your management networks and services deployed within those networks:  

  • Do not expose NSX Manager to the internet: Like any other management console, NSX Manager should be installed within your internal network and accessed remotely only through a secure VPN connection. 
  • Use strong authentication methods: Ensure that strong authentication methods, such as multi-factor authentication, are used for all NSX Manager logins. 
  • Use secure communication protocols: Use secure communication protocols, such as SSL/TLS, to protect the communication between NSX Manager and other components in the environment. 
  • Implement network segmentation: Segment the network to limit the attack surface of the NSX Manager installation. For example, use firewalls to limit traffic to and from the NSX Manager virtual machine. Please refer to https://ports.vmware.com/ to understand which ports and protocols need to be opened between NSX Manager and other components. 
  • Regularly monitor the NSX Manager environment: Continuously monitor the NSX Manager environment for suspicious activity and perform security audits to ensure that the environment remains secure. 
  • Maintain configuration backups: To recover from a disaster or unauthorized configuration changes, schedule regular backups of NSX Manager. Automatic backup scheduling is available as an NSX feature. 
  • Keep NSX up to date: All NSX components, including NSX Manager, should be kept up to date so that the latest patches protecting against possible vulnerabilities have been applied. Not applying patch updates that address critical vulnerabilities listed on the VMware Security Advisories webpage can leave NSX Manager vulnerable to exploits. 
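
As an added illustration of the exposure and segmentation recommendations above (this is not VMware code), the following Python example audits an exported firewall rule list and flags any allow rule that lets an untrusted source reach the manager address. The addresses, ports and rule layout are constructed assumptions; take the ports your deployment actually needs from https://ports.vmware.com/.

```python
import ipaddress

# Constructed addressing plan: replace with your own values.
MANAGER_IP = ipaddress.ip_address("10.20.0.10")   # NSX Manager VM (constructed)
TRUSTED_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.20.0.0/24",   # management segment (constructed)
    "10.99.0.0/24",   # VPN client pool (constructed)
)]
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed rule export; this dict layout is hypothetical, not an NSX format.
SAMPLE_RULES = [
    {"id": "r1", "action": "allow", "src": "10.99.0.0/24", "dst": "10.20.0.10/32", "port": 443},
    {"id": "r2", "action": "allow", "src": "0.0.0.0/0",    "dst": "10.20.0.10/32", "port": 443},
    {"id": "r3", "action": "allow", "src": "10.0.0.0/8",   "dst": "10.20.0.0/24",  "port": 22},
    {"id": "r4", "action": "deny",  "src": "0.0.0.0/0",    "dst": "10.20.0.10/32", "port": 22},
    {"id": "r5", "action": "allow", "src": "10.20.0.0/24", "dst": "10.30.0.0/24",  "port": 443},
]

def within(net, allowed):
    """True when the whole of net lies inside one of the allowed networks."""
    return any(net.subnet_of(a) for a in allowed)

def audit(rules):
    """Return (rule id, port, reason) for allow rules that over-expose the manager."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        dst = ipaddress.ip_network(rule["dst"], strict=False)
        if MANAGER_IP not in dst:
            continue                      # rule does not cover the manager
        src = ipaddress.ip_network(rule["src"], strict=False)
        if within(src, TRUSTED_SOURCES):
            continue                      # source is the VPN pool or management segment
        reason = ("broad internal source" if within(src, RFC1918)
                  else "internet-reachable")
        findings.append((rule["id"], rule["port"], reason))
    return findings

if __name__ == "__main__":
    for rule_id, port, reason in audit(SAMPLE_RULES):
        print(f"{rule_id}: port {port} reachable from untrusted source ({reason})")
```

Note that rule r3 is flagged even though its destination is a subnet rather than the manager itself: a rule covering the whole management segment still exposes the manager.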

The larger an organization’s attack surface is, the more difficult it is to detect threats in a timely manner. Keeping that surface to a minimum when deploying physical and virtual environments is a foundational component of any sound security program. 

Additional Resources 

Security Hardening/Configuration Guides provide prescriptive guidance for customers on how to deploy and operate VMware products in a secure manner. You can find the Security Configuration Guides for NSX at https://communities.vmware.com/t5/VMware-NSX-Documents/NSX-Security-Configuration-Guide/ta-p/2778414.

As part of the Software Product Lifecycle, VMware’s Security Development Lifecycle is in place to identify and mitigate security risks during the development phase of NSX. Penetration testing and vulnerability scanning are performed to harden all components. For more information on the VMware Security Development Lifecycle, see the webpage at https://www.vmware.com/security/sdl.html 

Proactive and transparent notifications of VMware product security issues are provided to our customers through the VMware Security Advisories webpage. These are also available via email and RSS feeds. These advisories provide awareness of known vulnerabilities, attack vectors, workarounds and resolutions: https://www.vmware.com/security/advisories.html.

As an example, VMware has released NSX for vSphere 6.4.14 to address Security Advisory VMSA-2022-0027, which covers a critical-severity (CVSSv3 base score of 9.8) remote code execution vulnerability in NSX Data Center for vSphere (NSX-v) Manager prior to NSX-v 6.4.14. 

VMware supports the missions of the US Department of Defense through Security Technical Implementation Guides (STIGs), a collaborative effort between VMware and the Defense Information Systems Agency (DISA). See https://public.cyber.mil/announcement/disa-releases-the-vmware-nsx-t-data-center-security-technical-implementation-guide/