STIGQter STIGQter: STIG Summary:

HP FlexFabric Switch RTR Security Technical Implementation Guide

Version: 1

Release: 2 Benchmark Date: 24 Jul 2020

SV-80455r1_ruleThe HP FlexFabric Switch must be configured so inactive HP FlexFabric Switch interfaces are disabled.
SV-80589r1_ruleThe HP FlexFabric Switch must not redistribute static routes to alternate gateway service provider into an Exterior Gateway Protocol or Interior Gateway Protocol to the NIPRNet or to other Autonomous System.
SV-80591r1_ruleThe HP FlexFabric Switch must protect an enclave connected to an Alternate Gateway by using an inbound filter that only permits packets with destination addresses within the sites address space.
SV-80593r1_ruleIf Border Gateway Protocol (BGP) is enabled on the HP FlexFabric Switch, the HP FlexFabric Switch must not be a BGP peer with a HP FlexFabric Switch from an Autonomous System belonging to any Alternate Gateway (AG).
SV-80597r1_ruleThe HP FlexFabric Switch must be configured to disable non-essential capabilities.
SV-80599r1_ruleThe HP FlexFabric Switch must enable neighbor authentication for all control plane protocols.
SV-80601r1_ruleThe HP FlexFabric Switch must encrypt all methods of configured authentication for routing protocols.
SV-80603r1_ruleThe HP FlexFabric Switch must use NIST-validated FIPS 140-2 cryptography to implement authentication encryption mechanisms for routing protocols.
SV-80605r1_ruleThe HP FlexFabric Switch must enforce that Interior Gateway Protocol (IGP) instances configured on the out-of-band management gateway only peer with their own routing domain.
SV-80607r1_ruleThe HP FlexFabric Switch must enforce that the managed network domain and the management network domain are separate routing domains and the Interior Gateway Protocol (IGP) instances are not redistributed or advertised to each other.
SV-80609r1_ruleThe HP FlexFabric Switch must enforce that any interface used for out-of-band management traffic is configured to be passive for the Interior Gateway Protocol (IGP) that is utilized on that management interface.
SV-80611r1_ruleThe HP FlexFabric Switch must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding.
SV-80613r2_ruleThe HP FlexFabric Switch must manage excess bandwidth to limit the effects of packet flooding types of denial of service (DoS) attacks.
SV-80615r2_ruleThe HP FlexFabric Switch must configure the maximum hop limit value to at least 32.
SV-80617r1_ruleThe HP FlexFabric Switch must protect against or limit the effects of denial of service (DoS) attacks by employing control plane protection.
SV-80619r1_ruleThe HP FlexFabric Switch must only allow incoming communications from authorized sources to be routed to authorized destinations.
SV-80621r1_ruleThe HP FlexFabric Switch must enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.
SV-80623r1_ruleThe HP FlexFabric Switch must ensure all Exterior Border Gateway Protocol (eBGP) HP FlexFabric Switches are configured to use Generalized TTL Security Mechanism (GTSM).
SV-80625r1_ruleThe HP FlexFabric Switch must disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.
SV-80627r1_ruleThe HP FlexFabric Switch must bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled.
SV-80629r1_ruleThe HP FlexFabric Switch must establish boundaries for IPv6 Admin-Local, IPv6 Site-Local, IPv6 Organization-Local scope, and IPv4 Local-Scope multicast traffic.