STIGQter: STIG Summary: HP FlexFabric Switch L2S Security Technical Implementation Guide

Version: 1

Release: 2

Benchmark Date: 25 Jan 2019

| Name | Title |
|---|---|
| SV-80451r1_rule | The HP FlexFabric Switch must be configured to disable non-essential capabilities. |
| SV-80541r1_rule | HP FlexFabric Switch must authenticate all network-connected endpoint devices before establishing any connection. |
| SV-80543r1_rule | HP FlexFabric Switch must authenticate all endpoint devices before establishing a network connection using bidirectional authentication that is cryptographically based. |
| SV-80547r1_rule | The HP FlexFabric Switch must manage excess bandwidth to limit the effects of packet flooding types of denial of service (DoS) attacks. |
| SV-80549r1_rule | The HP FlexFabric Switch must provide the capability for authorized users to select a user session to capture. |
| SV-80551r1_rule | The HP FlexFabric Switch must provide the capability for authorized users to remotely view, in real time, all content related to an established user session from a component separate from the HP FlexFabric Switch. |
| SV-80553r1_rule | The HP FlexFabric Switch must have Root Guard enabled on all ports where the root bridge should not appear. |
| SV-80555r1_rule | The HP FlexFabric Switch must have BPDU Guard enabled on all user-facing access ports. |
| SV-80557r1_rule | The HP FlexFabric Switch must have STP Loop Protection enabled on all non-designated STP switch ports. |
| SV-80559r1_rule | The HP FlexFabric Switch must have unknown storm-constrain enabled. |
| SV-80561r1_rule | The HP FlexFabric Switch must have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources as well as rate-limit DHCP traffic. |
| SV-80563r1_rule | The HP FlexFabric Switch must have IP Source Guard enabled on all user-facing or untrusted access switch ports. |
| SV-80565r1_rule | The HP FlexFabric Switch must have Dynamic ARP Inspection (DAI) enabled on all user VLANs. |
| SV-80567r1_rule | The HP FlexFabric Switch must implement Rapid STP where VLANs span multiple switches with redundant links. |
| SV-80569r1_rule | The HP FlexFabric Switch must enable Device Link Detection Protocol (DLDP) to protect against one-way connections. |
| SV-80571r1_rule | The HP FlexFabric Switch must have all trunk links enabled statically. |
| SV-80573r1_rule | The HP FlexFabric Switch must only allow a maximum of one registered MAC address per access port. |
| SV-80575r1_rule | The HP FlexFabric Switch must have all disabled switch ports assigned an unused VLAN. |
| SV-80577r1_rule | The HP FlexFabric Switch must not have the default VLAN assigned to any host-facing switch ports. |
| SV-80579r1_rule | The HP FlexFabric Switch must have the default VLAN pruned from all trunk ports that do not require it. |
| SV-80581r1_rule | The HP FlexFabric Switch must not use the default VLAN for management traffic. |
| SV-80583r1_rule | The HP FlexFabric Switch must have all user-facing or untrusted ports configured as access switch ports. |
| SV-80585r1_rule | The HP FlexFabric Switch must have the native VLAN assigned to a VLAN ID other than the default VLAN ID for all 802.1q trunk links. |
| SV-80587r1_rule | The HP FlexFabric Switch must not have any access switch ports assigned to the native VLAN. |