UCF STIG Viewer Logo

SDN Controller Security Requirements Guide


Overview

Date Finding Count (31)
2020-03-06 CAT I (High): 6 CAT II (Med): 25 CAT III (Low): 0
STIG Description
This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-80785 High The SDN controller must be configured to encrypt all southbound Application Program Interface (API) control-plane messages using a FIPS-validated cryptographic module.
V-80787 High The SDN controller must be configured to encrypt all northbound Application Program Interface (API) messages using a FIPS-validated cryptographic module.
V-80791 High The SDN controller must be configured to encrypt all southbound Application Program Interface (API) management-plane messages using a FIPS-validated cryptographic module.
V-80781 High The SDN controller must be configured to authenticate southbound Application Program Interface (API) control-plane messages received from SDN-enabled network elements using a FIPS-approved message authentication code algorithm.
V-80789 High The SDN controller must be configured to authenticate received southbound Application Program Interface (API) management-plane messages using a FIPS-approved message authentication code algorithm.
V-80783 High The SDN controller must be configured to authenticate northbound Application Program Interface (API) messages received from business applications and management systems using a FIPS-approved message authentication code algorithm.
V-80773 Medium The SDN controller must be configured to enforce a policy to manage bandwidth and to limit the effects of a packet-flooding Denial of Service (DoS) attack.
V-80799 Medium The SDN controller must be configured to enable multi-tenant virtual networks to be fully isolated from one another.
V-80777 Medium The SDN controller must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by rate-limiting control-plane communications.
V-80811 Medium The SDN controller must be configured to enforce access restrictions associated with changes to the configuration.
V-80769 Medium The SDN controller must be configured to generate audit records containing information that establishes the identity of any individual or process associated with the event.
V-80767 Medium The SDN controller must be configured to produce audit records containing information to establish the outcome of the events.
V-80765 Medium The SDN controller must be configured to produce audit records containing information to establish the source of the events.
V-80813 Medium The SDN controller must be configured to audit the enforcement actions used to restrict access associated with changes to any application within the SDN framework.
V-80797 Medium SDN controller must be configured to forward traffic based on security requirements.
V-100101 Medium The SDN controller must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
V-80775 Medium The SDN controllers must be configured as a cluster in active/active or active/passive mode to preserve any information necessary to determine cause of a system failure and to maintain network operations with least disruption to workload processes and flows.
V-80771 Medium The SDN controller must be configured to disable non-essential capabilities.
V-80757 Medium The SDN controller must be configured to enforce approved authorizations for controlling the flow of traffic within the network based on organization-defined information flow control policies.
V-80755 Medium The SDN controller must be configured to enforce approved authorizations for access to system resources in accordance with applicable access control policies.
V-80761 Medium The SDN controller must be configured to produce audit records containing information to establish when the events occurred.
V-80763 Medium The SDN controller must be configured to produce audit records containing information to establish where the events occurred.
V-80759 Medium The SDN controller must be configured to produce audit records containing information to establish what type of events occurred.
V-80793 Medium The SDN controller must be configured to be deployed as a cluster and on separate physical hosts.
V-80809 Medium The SDN controller must be configured to prohibit user installation of software without explicit privileged status.
V-80779 Medium The SDN controller must be configured to only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.
V-80795 Medium The SDN Controller must be configured to notify the forwarding device to either drop the packet or make an entry in the flow table for a received packet that does not match any flow table entries.
V-80803 Medium The SDN controller must be configured to isolate security functions from non-security functions.
V-80801 Medium The SDN controller must be configured to separate tenant functionality from system management functionality.
V-80807 Medium The SDN controller must be configured to notify the ISSO and ISSM of failed verification tests for organization-defined security functions.
V-80805 Medium The SDN controller must be configured to generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.