STIGQter STIGQter: STIG Summary: SDN Using NV Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 27 Feb 2017: Southbound API control plane traffic must traverse an out-of-band path or be encrypted using a FIPS-validated cryptographic module.

DISA Rule

SV-87731r1_rule

Vulnerability Number

V-73079

Group Title

NET-SDN-004

Rule Version

NET-SDN-004

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Deploy an out-of-band network to provision paths between the SDN controllers and the SDN-enabled network elements for providing transport for southbound API control plane traffic.

An alternative is to encrypt all southbound API control plane traffic using a FIPS-validated cryptographic module. Implement a cryptographic module which has a validation certification and is listed on the NIST Cryptographic Module Validation Program's (CMVP) validation list.

Check Contents

Determine if the southbound API control plane traffic between the SDN controllers and the SDN-enabled network elements traverses an out-of-band path.

If not, verify that the southbound API traffic is encrypted using a FIPS-validated cryptographic module.

If the southbound API traffic does not traverse an out-of-band path or is not encrypted using a FIPS-validated cryptographic module, this is a finding.

Note: An out-of-band path would be a path between two nodes that traverses one or more links on an out-of-band network; that is, a dedicated layer 2 infrastructure separate from a production network.

Vulnerability Number

V-73079

Documentable

False

Rule Version

NET-SDN-004

Severity Override Guidance

Determine if the southbound API control plane traffic between the SDN controllers and the SDN-enabled network elements traverses an out-of-band path.

If not, verify that the southbound API traffic is encrypted using a FIPS-validated cryptographic module.

If the southbound API traffic does not traverse an out-of-band path or is not encrypted using a FIPS-validated cryptographic module, this is a finding.

Note: An out-of-band path would be a path between two nodes that traverses one or more links on an out-of-band network; that is, a dedicated layer 2 infrastructure separate from a production network.

Check Content Reference

M

Target Key

3089

Comments