SDN Using NV Security Technical Implementation Guide


Overview

Date: 2017-03-01
Finding Count (25): CAT I (High): 4, CAT II (Med): 12, CAT III (Low): 9
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-73081 High Northbound API traffic must traverse an out-of-band path or be encrypted using a FIPS-validated cryptographic module.
V-73073 High Southbound API control plane traffic between the SDN controller and SDN-enabled network elements must be mutually authenticated using a FIPS-approved message authentication code algorithm.
V-73075 High Northbound API traffic received by the SDN controller must be authenticated using a FIPS-approved message authentication code algorithm.
V-73079 High Southbound API control plane traffic must traverse an out-of-band path or be encrypted using a FIPS-validated cryptographic module.
V-73083 Medium Southbound API management plane traffic for provisioning and configuring virtual network elements within the SDN infrastructure must be authenticated using a FIPS-approved message authentication code algorithm.
V-73085 Medium Southbound API management plane traffic for provisioning and configuring virtual network elements within the SDN infrastructure must traverse an out-of-band path or be encrypted using a FIPS-validated cryptographic module.
V-73087 Medium Southbound API management plane traffic for configuring SDN parameters on physical network elements must be authenticated using DOD PKI certificate-based authentication.
V-73089 Medium Southbound API management plane traffic for configuring SDN parameters on physical network elements must be encrypted using a FIPS-validated cryptographic module.
V-73103 Medium Servers hosting SDN controllers must have logging enabled.
V-73105 Medium Servers hosting SDN controllers must have an HIDS implemented to detect unauthorized changes.
V-73109 Medium Virtual Extensible Local Area Network (VXLAN) identifiers must be mapped to the appropriate VLAN identifiers.
V-73107 Medium All Virtual Extensible Local Area Network (VXLAN) enabled switches must be configured with the appropriate VXLAN network identifier (VNI) to ensure VMs can send and receive all associated traffic for their Layer 2 domain.
V-73091 Medium Physical SDN controllers and servers hosting SDN applications must reside within the management network with multiple paths that are secured by a firewall to inspect all ingress traffic.
V-73097 Medium SDN controllers must be deployed as clusters and on separate physical hosts to eliminate single point of failure.
V-73077 Medium Access to the SDN management and orchestration systems must be authenticated using a FIPS-approved message authentication code algorithm.
V-73111 Medium The proper multicast group for each Virtual Extensible Local Area Network (VXLAN) identifier must be mapped to the appropriate virtual tunnel endpoint (VTEP) so the VTEP will join the associated multicast groups.
V-73101 Low SDN-enabled routers and switches must rate limit the amount of unknown data plane packets that are punted to the SDN controller.
V-73121 Low The virtual edge gateways must be deployed with routing adjacencies established with two or more physical routers.
V-73093 Low SDN-enabled routers and switches must provide link state information to the SDN controller to create new forwarding decisions for the network elements.
V-73095 Low Quality of service (QoS) must be implemented on the underlying IP network to provide preferred treatment for traffic between the SDN controllers and SDN-enabled switches and hypervisors.
V-73099 Low Physical devices hosting an SDN controller must be connected to two switches for high-availability.
V-73119 Low Virtual edge gateways must be deployed across multiple hypervisor hosts.
V-73117 Low Two or more edge gateways must be deployed connecting the network virtualization platform (NVP) and the physical network.
V-73115 Low A secondary IP address must be specified for the virtual tunnel endpoint (VTEP) loopback interface when Virtual Extensible Local Area Network (VXLAN) enabled switches are deployed as a multi-chassis configuration.
V-73113 Low The virtual tunnel endpoint (VTEP) must be dual-homed to two physical network nodes.