STIGQter: STIG Summary: HP FlexFabric Switch L2S Security Technical Implementation Guide, Version: 1, Release: 3, Benchmark Date: 24 Jul 2020

The HP FlexFabric Switch must have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources as well as rate-limit DHCP traffic.

DISA Rule

SV-80561r1_rule

Vulnerability Number

V-66071

Group Title

SRG-NET-000362-L2S-000025

Rule Version

HFFS-L2-000014

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the HP FlexFabric Switch to have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources as well as rate-limit DHCP traffic.

[HP]dhcp snooping enable

[HP-GigabitEthernet1/0/1]dhcp snooping rate-limit

Check Contents

Review the HP FlexFabric Switch configuration and verify that DHCP snooping is enabled on a per-VLAN basis.

If the HP FlexFabric Switch does not have DHCP snooping enabled for all user VLANs to validate DHCP messages from untrusted sources as well as rate-limit DHCP traffic, this is a finding.

Note: Enabling DHCP snooping on a range of VLANs is permissible.

Sample output:
[HP]dhcp snooping enable

[HP-GigabitEthernet1/0/1]dhcp snooping rate-limit
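
The check above can be run against a saved configuration. The following is an added example, not part of the STIG or of any HP tooling: it looks only for the two commands shown in the sample output and does not verify per-VLAN coverage. The configuration layout ("#" between stanzas, indented commands), the rate value 64, the restriction to Ethernet ports and the exempt_ports parameter are assumptions.

```python
import re

GLOBAL_CMD = "dhcp snooping enable"        # global command from the STIG sample
PORT_CMD = "dhcp snooping rate-limit"      # per-interface command from the STIG sample
PORT_RE = re.compile(r"interface\s+(\S*Ethernet\S+)$")  # assumption: Ethernet ports only

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
#
 dhcp snooping enable
#
interface GigabitEthernet1/0/1
 dhcp snooping rate-limit 64
#
interface GigabitEthernet1/0/2
#
"""

def audit_dhcp_snooping(config_text, exempt_ports=()):
    """Return a list of findings; an empty list means no finding.

    exempt_ports is a hypothetical parameter for ports the reviewer has
    decided are out of scope (for example uplinks).
    """
    global_enabled = False
    ports = {}       # interface name -> True once the rate limit is seen
    current = None   # interface stanza being read, or None at global level
    for raw in config_text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            # Unindented line: "#", an interface header, or another stanza.
            m = PORT_RE.match(line)
            current = m.group(1) if m else None
            if current:
                ports[current] = False
        elif current is None and line == GLOBAL_CMD:
            global_enabled = True
        elif current is not None and line.startswith(PORT_CMD):
            ports[current] = True
    findings = []
    if not global_enabled:
        findings.append("global: '%s' not present" % GLOBAL_CMD)
    for name, limited in ports.items():
        if not limited and name not in exempt_ports:
            findings.append("%s: '%s' not present" % (name, PORT_CMD))
    return findings

if __name__ == "__main__":
    for finding in audit_dhcp_snooping(SAMPLE_CONFIG):
        print("FINDING", finding)
```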

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2977

Comments