An error occurred:

Check: SRG-NET-000512-SDN-001045

SDN Controller SRG: SRG-NET-000512-SDN-001045 (in versions v2 r1 through v1 r0.1)

Title

The SDN controller must be configured to encrypt all southbound Application Program Interface (API) management-plane messages using a FIPS-validated cryptographic module. (Cat I impact)

Discussion

An SDN controller can manage and configure SDN-enabled devices using protocols such as SNMP and NETCONF. If an SDN-aware router or switch received erroneous configuration information that was altered by a malicious user, interfaces could be disabled, erroneous IP addresses configured, services removed—all resulting a network disruption or even an outage. Hence, it is imperative to secure the management plane by encrypting all southbound API management-plane traffic or deploying an out-of-band network for this traffic to traverse.

Check Content

Determine if the southbound API management-plane traffic traverses an out-of-band path. If not, review the SDN controller configuration to verify that southbound API management-plane traffic is encrypted using a using a FIPS-validated cryptographic module. If the southbound API management-plane traffic does not traverse an out-of-band path and is not encrypted using a FIPS-validated cryptographic module, this is a finding. Note: FIPS-validated cryptographic modules are listed on the NIST Cryptographic Module Validation Program's (CMVP) validation list.

Fix Text

Deploy an out-of-band network to provision paths between SDN controller and SDN-enabled devices as well as all hypervisor hosts that compose the SDN infrastructure to provide transport for southbound API management-plane traffic. An alternative is to configure the SDN controller to encrypt all southbound API management-plane traffic using a FIPS-validated cryptographic module. Implement a cryptographic module which has a validation certification and is listed on the NIST Cryptographic Module Validation Program's (CMVP) validation list.

Additional Identifiers

Rule ID: SV-206733r385561_rule

Vulnerability ID: V-206733

Group Title: SRG-NET-000512

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000068

Implement cryptographic mechanisms to protect the confidentiality of remote access sessions.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-17(2)

Protection of Confidentiality / Integrity Using Encryption