STIGQter STIGQter: STIG Summary: SDN Using NV Security Technical Implementation Guide

Version: 1

Release: 1 Benchmark Date: 27 Feb 2017

CheckedNameTitle
SV-87725r1_ruleSouthbound API control plane traffic between the SDN controller and SDN-enabled network elements must be mutually authenticated using a FIPS-approved message authentication code algorithm.
SV-87727r1_ruleNorthbound API traffic received by the SDN controller must be authenticated using a FIPS-approved message authentication code algorithm.
SV-87729r1_ruleAccess to the SDN management and orchestration systems must be authenticated using a FIPS-approved message authentication code algorithm.
SV-87731r1_ruleSouthbound API control plane traffic must traverse an out-of-band path or be encrypted using a FIPS-validated cryptographic module.
SV-87733r1_ruleNorthbound API traffic must traverse an out-of-band path or be encrypted using a FIPS-validated cryptographic module.
SV-87735r1_ruleSouthbound API management plane traffic for provisioning and configuring virtual network elements within the SDN infrastructure must be authenticated using a FIPS-approved message authentication code algorithm.
SV-87737r1_ruleSouthbound API management plane traffic for provisioning and configuring virtual network elements within the SDN infrastructure must traverse an out-of-band path or be encrypted using a using a FIPS-validated cryptographic module.
SV-87739r1_ruleSouthbound API management plane traffic for configuring SDN parameters on physical network elements must be authenticated using DOD PKI certificate-based authentication.
SV-87741r1_ruleSouthbound API management plane traffic for configuring SDN parameters on physical network elements must be encrypted using a FIPS-validated cryptographic module.
SV-87743r1_rulePhysical SDN controllers and servers hosting SDN applications must reside within the management network with multiple paths that are secured by a firewall to inspect all ingress traffic.
SV-87745r1_ruleSDN-enabled routers and switches must provide link state information to the SDN controller to create new forwarding decisions for the network elements.
SV-87747r1_ruleQuality of service (QoS) must be implemented on the underlying IP network to provide preferred treatment for traffic between the SDN controllers and SDN-enabled switches and hypervisors.
SV-87749r1_ruleSDN controllers must be deployed as clusters and on separate physical hosts to eliminate single point of failure.
SV-87751r1_rulePhysical devices hosting an SDN controller must be connected to two switches for high-availability.
SV-87753r1_ruleSDN-enabled routers and switches must rate limit the amount of unknown data plane packets that are punted to the SDN controller.
SV-87755r1_ruleServers hosting SDN controllers must have logging enabled.
SV-87757r1_ruleServers hosting SDN controllers must have an HIDS implemented to detect unauthorized changes.
SV-87759r1_ruleAll Virtual Extensible Local Area Network (VXLAN) enabled switches must be configured with the appropriate VXLAN network identifier (VNI) to ensure VMs can send and receive all associated traffic for their Layer 2 domain.
SV-87761r1_ruleVirtual Extensible Local Area Network (VXLAN) identifiers must be mapped to the appropriate VLAN identifiers.
SV-87763r1_ruleThe proper multicast group for each Virtual Extensible Local Area Network (VXLAN) identifier must be mapped to the appropriate virtual tunnel endpoint (VTEP) so the VTEP will join the associated multicast groups.
SV-87765r1_ruleThe virtual tunnel endpoint (VTEP) must be dual-homed to two physical network nodes.
SV-87767r1_ruleA secondary IP address must be specified for the virtual tunnel endpoint (VTEP) loopback interface when Virtual Extensible Local Area Network (VXLAN) enabled switches are deployed as a multi-chassis configuration.
SV-87769r1_ruleTwo or more edge gateways must be deployed connecting the network virtualization platform (NVP) and the physical network.
SV-87771r1_ruleVirtual edge gateways must be deployed across multiple hypervisor hosts.
SV-87773r1_ruleThe virtual edge gateways must be deployed with routing adjacencies established with two or more physical routers.