STIGQter STIGQter: STIG Summary: HP FlexFabric Switch RTR Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 26 Feb 2016: The HP FlexFabric Switch must manage excess bandwidth to limit the effects of packet flooding types of denial of service (DoS) attacks.

DISA Rule

SV-80613r1_rule

Vulnerability Number

V-66123

Group Title

SRG-NET-000193-RTR-000111

Rule Version

HFFS-RT-000018

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Implement a mechanism for traffic prioritization and bandwidth reservation. This mechanism must enforce the traffic priorities specified by the Combatant Commanders/Services/Agencies.

traffic classifier VOICE operator or
if-match dscp 49
#
traffic behavior VOICE-2M-SERIAL
traffic-policy NEST_EF
gts cir 441 cbs 2757 ebs 0 queue-length 50
queue ef bandwidth pct 25 cbs-ratio 25
#
traffic classifier VIDEO operator or
if-matdscp 39
#
traffic behavior VIDEO-2M-SERIAL
traffic-policy NEST_AF
gts cir 301 cbs 1882 ebs 0 queue-length 50
queue af bandwidth pct 15
#
traffic classifier DATA operator or
if-match dscp 11
#
traffic behavior DATA-2M-SERIAL
traffic-policy NEST_AF
gts cir 778 cbs 4863 ebs 0 queue-length 50
queue af bandwidth pct 40
#
qos policy JITC-2M-SERIAL
classifier default-class behavior be-bal
classifier VOICE behavior VOICE-2M-SERIAL
classifier VIDEO behavior VIDEO-2M-SERIAL
classifier DATA behavior DATA-2M-SERIAL
#
interface Serial10/0
description IUT 2M-SERIAL
virtualbaudrate 2048000
qos reserved-bandwidth pct 100
qos flow-interval 1
qos apply policy JITC-2M-SERIAL outbound
undo ipv6 nd ra halt

Check Contents

Interview the system administrator to determine the requirements for bandwidth and traffic prioritization. Display the HP FlexFabric Switch configuration to ensure that the HP FlexFabric Switch is configured with these requirements.

If excess bandwidth is not managed to limit the effects of packet flooding types of denial of service (DoS) attacks, this is a finding

[HP] display current interface serial10/0
#
interface Serial10/0
description IUT 2M-SERIAL
virtualbaudrate 2048000
qos reserved-bandwidth pct 100
qos flow-interval 1
qos apply policy JITC-2M-SERIAL outbound
undo ipv6 nd ra halt
#

Vulnerability Number

V-66123

Documentable

False

Rule Version

HFFS-RT-000018

Severity Override Guidance

Interview the system administrator to determine the requirements for bandwidth and traffic prioritization. Display the HP FlexFabric Switch configuration to ensure that the HP FlexFabric Switch is configured with these requirements.

If excess bandwidth is not managed to limit the effects of packet flooding types of denial of service (DoS) attacks, this is a finding

[HP] display current interface serial10/0
#
interface Serial10/0
description IUT 2M-SERIAL
virtualbaudrate 2048000
qos reserved-bandwidth pct 100
qos flow-interval 1
qos apply policy JITC-2M-SERIAL outbound
undo ipv6 nd ra halt
#

Check Content Reference

M

Target Key

2979

Comments