UCF STIG Viewer Logo

SDN Controller Security Requirements Guide


Overview

Date Finding Count (30)
2018-07-18 CAT I (High): 6 CAT II (Med): 24 CAT III (Low): 0
STIG Description
This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-80785 High The SDN controller must be configured to encrypt all southbound Application Program Interface (API) control-plane messages using a FIPS-validated cryptographic module.
V-80787 High The SDN controller must be configured to encrypt all northbound Application Program Interface (API) messages using a FIPS-validated cryptographic module.
V-80791 High The SDN controller must be configured to encrypt all southbound Application Program Interface (API) management-plane messages using a FIPS-validated cryptographic module.
V-80781 High The SDN controller must be configured to authenticate southbound Application Program Interface (API) control-plane messages received from SDN-enabled network elements using a FIPS-approved message authentication code algorithm.
V-80789 High The SDN controller must be configured to authenticate received southbound Application Program Interface (API) management-plane messages using a FIPS-approved message authentication code algorithm.
V-80783 High The SDN controller must be configured to authenticate northbound Application Program Interface (API) messages received from business applications and management systems using a FIPS-approved message authentication code algorithm.
V-80773 Medium The SDN controller must be configured to enforce a policy to manage bandwidth and to limit the effects of a packet-flooding Denial of Service (DoS) attack.
V-80799 Medium The SDN controller must be configured to enable multi-tenant virtual networks to be fully isolated from one another.
V-80777 Medium The SDN controller must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by rate-limiting control-plane communications.
V-80811 Medium The SDN controller must be configured to enforce access restrictions associated with changes to the configuration.
V-80769 Medium The SDN controller must be configured to generate audit records containing information that establishes the identity of any individual or process associated with the event.
V-80767 Medium The SDN controller must be configured to produce audit records containing information to establish the outcome of the events.
V-80765 Medium The SDN controller must be configured to produce audit records containing information to establish the source of the events.
V-80813 Medium The SDN controller must be configured to audit the enforcement actions used to restrict access associated with changes to any application within the SDN framework.
V-80797 Medium SDN controller must be configured to forward traffic based on security requirements.
V-80775 Medium The SDN controllers must be configured as a cluster in active/active or active/passive mode to preserve any information necessary to determine cause of a system failure and to maintain network operations with least disruption to workload processes and flows.
V-80771 Medium The SDN controller must be configured to disable non-essential capabilities.
V-80757 Medium The SDN controller must be configured to enforce approved authorizations for controlling the flow of traffic within the network based on organization-defined information flow control policies.
V-80755 Medium The SDN controller must be configured to enforce approved authorizations for access to system resources in accordance with applicable access control policies.
V-80761 Medium The SDN controller must be configured to produce audit records containing information to establish when the events occurred.
V-80763 Medium The SDN controller must be configured to produce audit records containing information to establish where the events occurred.
V-80759 Medium The SDN controller must be configured to produce audit records containing information to establish what type of events occurred.
V-80793 Medium The SDN controller must be configured to be deployed as a cluster and on separate physical hosts.
V-80809 Medium The SDN controller must be configured to prohibit user installation of software without explicit privileged status.
V-80779 Medium The SDN controller must be configured to only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.
V-80795 Medium The SDN Controller must be configured to notify the forwarding device to either drop the packet or make an entry in the flow table for a received packet that does not match any flow table entries.
V-80803 Medium The SDN controller must be configured to isolate security functions from non-security functions.
V-80801 Medium The SDN controller must be configured to separate tenant functionality from system management functionality.
V-80807 Medium The SDN controller must be configured to notify the ISSO and ISSM of failed verification tests for organization-defined security functions.
V-80805 Medium The SDN controller must be configured to generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.