
SDN controller must be configured to forward traffic based on security requirements.


Overview

Finding ID: V-80797
Version: SRG-NET-000512-SDN-001060
Rule ID: SV-95507r1_rule
IA Controls: (none listed)
Severity: Medium
Description
For security reasons, an organization may choose to route traffic that is inbound to a server through a specific firewall. So that clean traffic does not consume the firewall's resources, the organization may also choose to redirect the traffic that is outbound from the server so that it bypasses the firewall. Today, zero-trust models are being implemented within the data center: applications and workloads trust no other workload, so connectivity between them is not allowed unless explicitly authorized. Each application or workload can have its own security policies. With the advent of cloud networking and multi-tenancy, security policies have evolved to be more workload- and application-centric (for example, what type of application it is, who the tenant is, and which tier of the application is being protected). The SDN Controller must enforce these policies by controlling the forwarding of packets to specific destinations for specific workloads, based on the rules provided within the policies.
STIG: SDN Controller Security Requirements Guide
Date: 2020-03-06

Details

Check Text (C-80533r1_chk)
Review the SDN controller configuration to determine if it is configured to forward traffic based on security requirements that have been provided from a security service or policy engine via the northbound API.

If the SDN Controller is not configured to forward traffic based on security requirements, this is a finding.
Fix Text (F-87651r1_fix)
Configure the SDN controller to forward traffic based on security requirements.
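As an added illustration (not part of this STIG, and not any vendor's controller code) of the policy-driven forwarding the Description and Check Text call for: policies arrive from a security service, the controller steers inbound server traffic through a firewall, lets outbound replies bypass it, and drops any flow with no explicit authorization. Tenant names, tier names and the hop name "fw-1" are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Iterable, List
# Added illustration (not STIG or vendor code); tenants, tiers, hop names are constructed.

@dataclass(frozen=True)
class Flow:
    tenant: str
    src_tier: str   # e.g. "external", "web", "app", "db"
    dst_tier: str
    direction: str  # "inbound" (towards the protected server) or "outbound"

@dataclass(frozen=True)
class Policy:
    tenant: str     # "*" in any match field means "any value"
    src_tier: str
    dst_tier: str
    direction: str
    action: str     # "via_firewall", "direct" or "drop"

def _matches(p: Policy, f: Flow) -> bool:
    pairs = ((p.tenant, f.tenant), (p.src_tier, f.src_tier),
             (p.dst_tier, f.dst_tier), (p.direction, f.direction))
    return all(pv in (fv, "*") for pv, fv in pairs)

class PolicyEngine:
    """Policies pushed by the security service (e.g. over the northbound API);
    first match wins in operator order, unmatched flows are dropped."""
    def __init__(self, policies: Iterable[Policy]):
        self.policies = list(policies)
    def decide(self, flow: Flow) -> str:
        for p in self.policies:
            if _matches(p, flow):
                return p.action
        return "drop"  # zero-trust default: no explicit authorization, no connectivity
    def path(self, flow: Flow) -> List[str]:
        """Hops the controller programs for the flow; empty list means no connectivity."""
        action = self.decide(flow)
        if action == "via_firewall":
            return ["fw-1", flow.dst_tier]
        return [flow.dst_tier] if action == "direct" else []

def overly_broad(policies: Iterable[Policy]) -> List[Policy]:
    """Audit helper: non-drop policies that wildcard every field defeat zero trust."""
    return [p for p in policies if p.action != "drop"
            and {p.tenant, p.src_tier, p.dst_tier, p.direction} == {"*"}]

# Constructed tenant policy: inbound via firewall, outbound bypasses it, web may reach app; rest drops.
ACME_POLICIES = [Policy("acme", "external", "web", "inbound", "via_firewall"),
                 Policy("acme", "web", "external", "outbound", "direct"),
                 Policy("acme", "web", "app", "inbound", "direct")]
```

Running `overly_broad` over the controller's policy set is one concrete way to support the Check Text: a wildcard allow rule would mean traffic is forwarded regardless of security requirements.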