STIGQter: STIG Summary: HP FlexFabric Switch NDM Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 24 Jul 2020:

The HP FlexFabric Switch must protect against or limit the effects of all known types of Denial of Service (DoS) attacks on the HP FlexFabric Switch management network by employing organization-defined security safeguards.

DISA Rule

SV-80753r1_rule

Vulnerability Number

V-66263

Group Title

SRG-APP-000435-NDM-000315

Rule Version

HFFS-ND-000118

Severity

CAT II

CCI(s)

• CCI-002385 - The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards.

Weight

10

Fix Recommendation

Configure the HP FlexFabric Switch to protect against or limit the effects of all known types of DoS attacks by employing organization-defined security safeguards.

Enable the anti-attack function:

[HP] tcp syn-cookie enable

Configure maximum wait time to establish a TCP connection:

[HP] tcp timer syn-timeout 10

Configure QoS policy and apply it to the control plane:

[HP] traffic classifier Net-Protocols operator or
[HP-classifier Net-Protocols] if match control-plane protocol icmp
[HP-classifier Net-Protocols] quit
[HP] traffic behavior Net-Protocols
[HP-behavior-Net-Protocols] car cir 320
[HP-behavior-Net-Protocols] quit
[HP] qos policy Net-protocols
[HP-qospolicy-Net-Protocols] classifier Net-Protocols behavior Net-protocols
[HP-qospolicy-Net-Protocols] quit
[HP] control-plane slot 1
[HP-cp-slot1] qos apply policy Net-Protocols inbound

Note: In addition, ACLs can be deployed to address specific types of attacks based on IP, MAC, protocols and ports.

Note: By default, the HP FlexFabric Switches are configured with pre-defined control plane QoS policies, which take effect on the control planes by default.

Check Contents

Check if the HP FlexFabric Switch is configured to protect against known DoS attacks by implementing ACLs and by enabling tcp syn-flood protection:

[HP] display current-configuration

tcp syn-cookie enable
tcp timer syn-timeout 10

[HP] display acl all

If the HP FlexFabric Switch is not configured with ACLs and tcp syn-flood features, this is a finding.

Check pre-defined qos policies that are by default applied to the control plane:

[HP] display qos policy control-plane pre-defined

Check user-defined qos policies:
[HP] display qos policy user-defined

Vulnerability Number

V-66263

Documentable

False

Rule Version

HFFS-ND-000118

Severity Override Guidance

Check if the HP FlexFabric Switch is configured to protect against known DoS attacks by implementing ACLs and by enabling tcp syn-flood protection:

[HP] display current-configuration

tcp syn-cookie enable
tcp timer syn-timeout 10

[HP] display acl all

If the HP FlexFabric Switch is not configured with ACLs and tcp syn-flood features, this is a finding.

Check pre-defined qos policies that are by default applied to the control plane:

[HP] display qos policy control-plane pre-defined

Check user-defined qos policies:
[HP] display qos policy user-defined

Check Content Reference

M

Target Key

2971

Comments