STIGQter: STIG Summary: HP FlexFabric Switch RTR Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 24 Jul 2020:

The HP FlexFabric Switch must enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.

DISA Rule

SV-80621r1_rule

Vulnerability Number

V-66131

Group Title

SRG-NET-000019-RTR-000002

Rule Version

HFFS-RT-000022

Severity

CAT II

CCI(s)

• CCI-001414 - The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.

Weight

10

Fix Recommendation

Configure the switch to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy using ACLs that are applied to the appropriate interfaces.

Check Contents

Review the HP FlexFabric Switch configuration to determine if the switch enforces approved authorizations for controlling the flow of information between interconnected networks or VLANs in accordance with applicable policy. This requirement can be met through the use of IP access control lists which are applied to specific interfaces inbound or outbound as show in the following example:

acl number 3001
rule 1 deny ip source 192.168.3.121 0
rule 2 permit ip source 192.100.1.0 0.0.0.255 destination 192.200.2.0 0.0.0.255

interface Ten-GigabitEthernet1/0/21
ip address 102.17.17.2 255.255.255.252
packet-filter 3001 inbound

If the switch does not enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy, this is a finding.

Vulnerability Number

V-66131

Documentable

False

Rule Version

HFFS-RT-000022

Severity Override Guidance

Review the HP FlexFabric Switch configuration to determine if the switch enforces approved authorizations for controlling the flow of information between interconnected networks or VLANs in accordance with applicable policy. This requirement can be met through the use of IP access control lists which are applied to specific interfaces inbound or outbound as show in the following example:

acl number 3001
rule 1 deny ip source 192.168.3.121 0
rule 2 permit ip source 192.100.1.0 0.0.0.255 destination 192.200.2.0 0.0.0.255

interface Ten-GigabitEthernet1/0/21
ip address 102.17.17.2 255.255.255.252
packet-filter 3001 inbound

If the switch does not enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy, this is a finding.

Check Content Reference

M

Target Key

2979

Comments