Check: SRG-NET-000512-SDN-001065
SDN Controller SRG: SRG-NET-000512-SDN-001065 (in versions v2 r1 through v1 r0.1)
Title
The SDN controller must be configured to enable multi-tenant virtual networks to be fully isolated from one another. (Cat II impact)
Discussion
Network-as-a-Service (NaaS) is often implemented in a multi-tenant paradigm, where customers share network infrastructure and services while they are logically isolated from each other. SDN provides an approach to the orchestration and provisioning of virtual network services by the owners of the network infrastructures. This leads to various multi-tenancy deployments: on different layers, for different purposes, using different techniques—each of which provides different levels of control while requiring different types of isolation among users. For instance, implementation can be a southbound multi-tenancy with several guest controllers sharing the same data forwarding elements, or a northbound multi-tenancy with several guest applications sharing the entire SDN infrastructure including the SDN controller. Regardless of the implementation, it is imperative that the controller provides the necessary isolation and separation.
Check Content
Review the SDN controller configuration to determine if it is configured to deploy dedicated instances of virtual networks and separate forwarding tables to the provisioned network elements belonging to each tenant. If the SDN Controller is not configured to enable multi-tenant virtual networks to be fully isolated from one another, this is a finding.
Fix Text
Configure the SDN controller to deploy dedicated instances of virtual networks and separate forwarding tables to the provisioned network elements belonging to each tenant.
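One way to automate part of the check above, as an added example that is not part of the SRG or of any vendor's tooling: it reports every virtual network instance or per-element forwarding table that is bound to more than one tenant. It assumes the controller's provisioning state has been exported as flat records with the hypothetical fields `tenant`, `vnet`, `element` and `table`; the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample: flattened export of what a controller has provisioned.
# Field names (tenant, vnet, element, table) are hypothetical, not a vendor schema.
SAMPLE_BINDINGS = [
    {"tenant": "tenant-a", "vnet": "vn-101", "element": "leaf1", "table": 10},
    {"tenant": "tenant-a", "vnet": "vn-101", "element": "leaf2", "table": 10},
    {"tenant": "tenant-b", "vnet": "vn-202", "element": "leaf1", "table": 20},
    # Misconfiguration: tenant-c reuses tenant-b's forwarding table on leaf1.
    {"tenant": "tenant-c", "vnet": "vn-303", "element": "leaf1", "table": 20},
    # Misconfiguration: tenant-c is attached to tenant-a's virtual network.
    {"tenant": "tenant-c", "vnet": "vn-101", "element": "leaf3", "table": 30},
]

REQUIRED = {"tenant", "vnet", "element", "table"}

def isolation_findings(bindings):
    """Return sorted findings for resources shared by more than one tenant."""
    vnet_owners = defaultdict(set)    # vnet id -> tenants using it
    table_owners = defaultdict(set)   # (element, table id) -> tenants using it
    for i, b in enumerate(bindings):
        missing = REQUIRED - b.keys()
        if missing:
            # An incomplete record cannot be attributed; fail instead of passing it.
            raise ValueError(f"binding {i} lacks {sorted(missing)}")
        vnet_owners[b["vnet"]].add(b["tenant"])
        table_owners[(b["element"], b["table"])].add(b["tenant"])
    findings = []
    for vnet, tenants in vnet_owners.items():
        if len(tenants) > 1:
            findings.append(("shared-vnet", vnet, tuple(sorted(tenants))))
    for (element, table), tenants in table_owners.items():
        if len(tenants) > 1:
            findings.append(("shared-table", f"{element}/{table}", tuple(sorted(tenants))))
    return sorted(findings)

if __name__ == "__main__":
    for kind, resource, tenants in isolation_findings(SAMPLE_BINDINGS):
        print(f"FINDING {kind}: {resource} used by {', '.join(tenants)}")
```

The same table number on different elements is not flagged, because forwarding tables are compared per element.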
Additional Identifiers
Rule ID: SV-206737r385561_rule
Vulnerability ID: V-206737
Group Title: SRG-NET-000512
CCIs
Number | Definition |
---|---|
CCI-000366 | Implement the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |