STIGQter: STIG Summary: HP FlexFabric Switch RTR Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 24 Jul 2020

The HP FlexFabric Switch must only allow incoming communications from authorized sources to be routed to authorized destinations.

DISA Rule

SV-80619r1_rule

Vulnerability Number

V-66129

Group Title

SRG-NET-000364-RTR-000109

Rule Version

HFFS-RT-000021

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the HP FlexFabric Switch to only allow incoming communications from authorized sources to be routed to authorized destinations.

Check Contents

Review the HP FlexFabric Switch configuration to determine if the switch only allows incoming communications from authorized sources to be routed to authorized destinations. This requirement can be met by applying an ingress filter to an external-facing interface as shown in the following example:
acl number 3001
 rule 1 deny ip source 192.168.3.121 0
 rule 2 permit ip source 192.100.1.0 0.0.0.255 destination 192.200.2.0 0.0.0.255

interface Ten-GigabitEthernet1/0/21
 ip address 102.17.17.2 255.255.255.252
 packet-filter 3001 inbound

If the HP FlexFabric Switch allows incoming communications from unauthorized sources or to unauthorized destinations, this is a finding.
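
The check above can be partly automated against a saved configuration. The following is an added example, not part of the STIG or of any HP tooling: it flags external-facing interfaces that have no inbound packet-filter or that reference an ACL with no rules. The function names, the second interface in the sample and the reviewer-supplied list of external interfaces are assumptions, and only the "acl number" syntax shown above is parsed.

```python
import re

# Constructed sample: the example configuration from the check text plus one
# hypothetical interface (1/0/22) that has an address but no ingress filter.
SAMPLE_CONFIG = """\
acl number 3001
 rule 1 deny ip source 192.168.3.121 0
 rule 2 permit ip source 192.100.1.0 0.0.0.255 destination 192.200.2.0 0.0.0.255
#
interface Ten-GigabitEthernet1/0/21
 ip address 102.17.17.2 255.255.255.252
 packet-filter 3001 inbound
#
interface Ten-GigabitEthernet1/0/22
 ip address 102.17.17.6 255.255.255.252
"""

def parse_config(text):
    """Return ({acl_number: [rule lines]}, {interface: inbound ACL number or None})."""
    acls, ifaces, section, name = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"acl number (\d+)", line):
            section, name = "acl", m.group(1)
            acls.setdefault(name, [])
        elif m := re.match(r"interface (\S+)", line):
            section, name = "iface", m.group(1)
            ifaces.setdefault(name, None)
        elif section == "acl" and line.startswith("rule "):
            acls[name].append(line)
        elif section == "iface" and (m := re.match(r"packet-filter (\d+) inbound", line)):
            ifaces[name] = m.group(1)
    return acls, ifaces

def ingress_findings(text, external):
    """List (interface, reason) for external interfaces lacking a usable ingress ACL."""
    acls, ifaces = parse_config(text)
    findings = []
    for iface in external:
        if iface not in ifaces:
            findings.append((iface, "interface not in configuration"))
        elif ifaces[iface] is None:
            findings.append((iface, "no inbound packet-filter"))
        elif not acls.get(ifaces[iface]):
            findings.append((iface, f"ACL {ifaces[iface]} undefined or empty"))
    return findings
```

An empty result only shows that a filter is bound; whether its rules match the site's authorized sources and destinations still has to be reviewed by hand.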

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2979
