SDN Controller Security Requirements Guide

This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]

Details

Version / Release: V1R1

Published: 2018-07-18

Updated At: 2018-10-11 21:51:41

Compare/View Releases

Select any two versions of this STIG to compare the individual requirements

Select any old version/release of this STIG to view the previous requirements

Actions

Download

Filter


Findings
Severity Open Not Reviewed Not Applicable Not a Finding
Overall 0 0 0 0
Low 0 0 0 0
Medium 0 0 0 0
High 0 0 0 0
Drop CKL or SCAP (XCCDF) results here.

    Vuln Rule Version CCI Severity Title Description Status Finding Details Comments
    SV-95465r1_rule SRG-NET-000015-SDN-000010 CCI-000213 MEDIUM The SDN controller must be configured to enforce approved authorizations for access to system resources in accordance with applicable access control policies. To mitigate the risk of unauthorized access to system resources within the SDN framework, authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the pr
    SV-95467r1_rule SRG-NET-000018-SDN-000015 CCI-001368 MEDIUM The SDN controller must be configured to enforce approved authorizations for controlling the flow of traffic within the network based on organization-defined information flow control policies. Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or data center. Additionally, unrestricted traffic may transit a network consuming bandwidth and network node resources. Access control policies and access control lists
    SV-95469r1_rule SRG-NET-000074-SDN-000120 CCI-000130 MEDIUM The SDN controller must be configured to produce audit records containing information to establish what type of events occurred. Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, ti
    SV-95471r1_rule SRG-NET-000075-SDN-000125 CCI-000131 MEDIUM The SDN controller must be configured to produce audit records containing information to establish when the events occurred. Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In order to compile an accurate risk assessment, and provide forensic analysis of network traffic patterns,
    SV-95473r1_rule SRG-NET-000076-SDN-000130 CCI-000132 MEDIUM The SDN controller must be configured to produce audit records containing information to establish where the events occurred. Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In order to compile an accurate risk assessment, and provide forensic analysis, it is essential for securit
    SV-95475r1_rule SRG-NET-000077-SDN-000135 CCI-000133 MEDIUM The SDN controller must be configured to produce audit records containing information to establish the source of the events. Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In order to compile an accurate risk assessment and provide forensic analysis, security personnel need to
    SV-95477r1_rule SRG-NET-000078-SDN-000140 CCI-000134 MEDIUM The SDN controller must be configured to produce audit records containing information to establish the outcome of the events. Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if changes were made to the security state of the network. Event outcomes can include indicators of event succ
    SV-95479r1_rule SRG-NET-000079-SDN-000145 CCI-001487 MEDIUM The SDN controller must be configured to generate audit records containing information that establishes the identity of any individual or process associated with the event. Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event.
    SV-95481r1_rule SRG-NET-000131-SDN-000200 CCI-000381 MEDIUM The SDN controller must be configured to disable non-essential capabilities. It is detrimental for network elements to provide, or enable by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk
    SV-95483r1_rule SRG-NET-000193-SDN-000285 CCI-001095 MEDIUM The SDN controller must be configured to enforce a policy to manage bandwidth and to limit the effects of a packet-flooding Denial of Service (DoS) attack. A network element experiencing a DoS attack will not be able to handle production traffic load. The high utilization and CPU caused by a DoS attack will also have an effect on control keep-alives and timers used for neighbor peering resulting in route fla
    SV-95485r1_rule SRG-NET-000236-SDN-000365 CCI-001665 MEDIUM The SDN controllers must be configured as a cluster in active/active or active/passive mode to preserve any information necessary to determine cause of a system failure and to maintain network operations with least disruption to workload processes and flows. Failure in a known state can address safety or security in accordance with the mission needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the SDN cont
    SV-95487r1_rule SRG-NET-000362-SDN-000720 CCI-002385 MEDIUM The SDN controller must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by rate-limiting control-plane communications. The SDN Controller is critical to all network operations because it is the component used to build all forwarding paths for the data plane via control-plane processes. It is also instrumental with network management and provisioning functions that keep th
    SV-95489r1_rule SRG-NET-000364-SDN-000730 CCI-002403 MEDIUM The SDN controller must be configured to only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations. Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or data center. Additionally, unrestricted traffic may transit a network consuming bandwidth and network node resources. Access control policies and access control lists
    SV-95491r1_rule SRG-NET-000512-SDN-001020 CCI-000803 HIGH The SDN controller must be configured to authenticate southbound Application Program Interface (API) control-plane messages received from SDN-enabled network elements using a FIPS-approved message authentication code algorithm. Southbound APIs such as OpenFlow provide the forwarding tables to network devices, such as switches and routers, both physical and virtual (hypervisor-based). The SDN controllers use the concept of flows to identify network traffic based on predefined rul
    SV-95493r1_rule SRG-NET-000512-SDN-001025 CCI-000803 HIGH The SDN controller must be configured to authenticate northbound Application Program Interface (API) messages received from business applications and management systems using a FIPS-approved message authentication code algorithm. The SDN controller determines how traffic should flow through physical and virtual network devices based on application profiles, network infrastructure resources, security policies, and business requirements that it receives via the northbound API. It al
    SV-95495r1_rule SRG-NET-000512-SDN-001030 CCI-000068 HIGH The SDN controller must be configured to encrypt all southbound Application Program Interface (API) control-plane messages using a FIPS-validated cryptographic module. Southbound APIs such as OpenFlow provide the forwarding tables to network devices, such as switches and routers, both physical and virtual (hypervisor-based). The SDN controllers use the concept of flows to identify network traffic based on predefined rul
    SV-95497r1_rule SRG-NET-000512-SDN-001035 CCI-000068 HIGH The SDN controller must be configured to encrypt all northbound Application Program Interface (API) messages using a FIPS-validated cryptographic module. The SDN controller receives network service requests from orchestration and management systems to deploy and configure network elements via the northbound API. In turn, the northbound API presents a network abstraction to these systems. If either the orch
    SV-95499r1_rule SRG-NET-000512-SDN-001040 CCI-000803 HIGH The SDN controller must be configured to authenticate received southbound Application Program Interface (API) management-plane messages using a FIPS-approved message authentication code algorithm. The SDN controller can receive management-plane traffic from the SDN-enabled devices that it monitors and manages. The messages could be responses from SNMP get requests as well as SNMP notifications (i.e., traps and informs) provided to note changes in n
    SV-95501r1_rule SRG-NET-000512-SDN-001045 CCI-000068 HIGH The SDN controller must be configured to encrypt all southbound Application Program Interface (API) management-plane messages using a FIPS-validated cryptographic module. An SDN controller can manage and configure SDN-enabled devices using protocols such as SNMP and NETCONF. If an SDN-aware router or switch received erroneous configuration information that was altered by a malicious user, interfaces could be disabled, erro
    SV-95503r1_rule SRG-NET-000512-SDN-001050 CCI-000366 MEDIUM The SDN controller must be configured to be deployed as a cluster and on separate physical hosts. SDN relies heavily on control messages between a controller and the forwarding devices for network convergence. The controller uses node and link state discovery information to calculate and determine optimum pathing within the SDN network infrastructure
    SV-95505r1_rule SRG-NET-000512-SDN-001055 CCI-000366 MEDIUM The SDN Controller must be configured to notify the forwarding device to either drop the packet or make an entry in the flow table for a received packet that does not match any flow table entries. Reactive flow setup occurs when the SDN-aware switch receives a packet that does not match the flow table entries and hence the switch has to send the packet to the controller for processing. Once the controller decides how to process the flow that inform
    SV-95507r1_rule SRG-NET-000512-SDN-001060 CCI-000366 MEDIUM SDN controller must be configured to forward traffic based on security requirements. For security reasons an organization may choose to have traffic that is inbound to a server go through a specific firewall. In order not to consume the resources of the firewall with clean traffic, the organization may want to choose to redirect the traff
    SV-95509r1_rule SRG-NET-000512-SDN-001065 CCI-000366 MEDIUM The SDN controller must be configured to enable multi-tenant virtual networks to be fully isolated from one another. Network-as-a-Service (NaaS) is often implemented in a multi-tenant paradigm, where customers share network infrastructure and services while they are logically isolated from each other. SDN provides an approach to the orchestration and provisioning of vir
    SV-95511r1_rule SRG-NET-000512-SDN-001070 CCI-001082 MEDIUM The SDN controller must be configured to separate tenant functionality from system management functionality. Network-as-a-Service (NaaS) is frequently offered in a multi-tenant paradigm, where customers share network infrastructure. SDN provides an approach to the provisioning of virtual network services by owners of the network infrastructures to third parties.
    SV-95513r1_rule SRG-NET-000512-SDN-001075 CCI-001084 MEDIUM The SDN controller must be configured to isolate security functions from non-security functions. An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions. Security functions are the hardware, software, and/or firmware of the information system responsible for en
    SV-95515r1_rule SRG-NET-000512-SDN-001080 CCI-001312 MEDIUM The SDN controller must be configured to generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. Providing too much information in error messages on the screen or printout risks compromising the data and security of the SDN controller. The structure and content of error messages need to be carefully considered by the organization. The extent to which
    SV-95517r1_rule SRG-NET-000512-SDN-001085 CCI-002694 MEDIUM The SDN controller must be configured to notify the ISSO and ISSM of failed verification tests for organization-defined security functions. If personnel are not notified of failed security verification tests, they will not be able to take corrective action and the unsecure condition(s) will remain. Security function is defined as the hardware, software, and/or firmware of the information sy
    SV-95519r1_rule SRG-NET-000512-SDN-001090 CCI-001812 MEDIUM The SDN controller must be configured to prohibit user installation of software without explicit privileged status. Allowing regular users to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular use
    SV-95521r1_rule SRG-NET-000512-SDN-001095 CCI-001813 MEDIUM The SDN controller must be configured to enforce access restrictions associated with changes to the configuration. Failure to provide logical access restrictions associated with changes to application configuration may have significant effects on the overall security of the system. When dealing with access restrictions pertaining to change control, it should be note
    SV-95523r1_rule SRG-NET-000512-SDN-001100 CCI-001814 MEDIUM The SDN controller must be configured to audit the enforcement actions used to restrict access associated with changes to any application within the SDN framework. Without auditing the enforcement of access restrictions against changes to any application within the SDN framework, it will be difficult to identify attempted attacks and an audit trail will not be available for forensic investigation for after-the-fact