STIGQter: STIG Summary: HP FlexFabric Switch RTR Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 24 Jul 2020:

The HP FlexFabric Switch must protect against or limit the effects of denial of service (DoS) attacks by employing control plane protection.

DISA Rule

SV-80617r1_rule

Vulnerability Number

V-66127

Group Title

SRG-NET-000362-RTR-000110

Rule Version

HFFS-RT-000020

Severity

CAT II

CCI(s)

• CCI-002385 - The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards.

Weight

10

Fix Recommendation

1. Classify control plane traffic
traffic classifier Class-Control-Plane operator or if-match control-plane protocol ospf bgp

2. Create policer to rate limit the control plane traffic
traffic behavior Police-Control-Plane car cir nnn cbs nnnn ebs 0 green pass red discard yellow pass

3. Create QoS policy using the traffic classifier and traffic behavior
qos policy Policy-Control-Plane classifier Class-Control-Plane behavior Police-Control-Plane

4. Apply the QoS policy to rate limit control-plane traffic
control-plane slot 1 qos apply policy Policy-Control-Plane inbound

Check Contents

Verify that there is a control plane policy configured on the HP FlexFabric to rate limit control plane traffic using the following command: display qos policy control-plane slot 1. If the HP FlexFabric Switch is not configured to rate limit control plane traffic, this is a finding.

Vulnerability Number

V-66127

Documentable

False

Rule Version

HFFS-RT-000020

Severity Override Guidance

Verify that there is a control plane policy configured on the HP FlexFabric to rate limit control plane traffic using the following command: display qos policy control-plane slot 1. If the HP FlexFabric Switch is not configured to rate limit control plane traffic, this is a finding.

Check Content Reference

M

Target Key

2979

Comments