Checked | Name | Title |
---|---|---|
☐ | SV-87725r1_rule | Southbound API control plane traffic between the SDN controller and SDN-enabled network elements must be mutually authenticated using a FIPS-approved message authentication code algorithm. |
☐ | SV-87727r1_rule | Northbound API traffic received by the SDN controller must be authenticated using a FIPS-approved message authentication code algorithm. |
☐ | SV-87729r1_rule | Access to the SDN management and orchestration systems must be authenticated using a FIPS-approved message authentication code algorithm. |
☐ | SV-87731r1_rule | Southbound API control plane traffic must traverse an out-of-band path or be encrypted using a FIPS-validated cryptographic module. |
☐ | SV-87733r1_rule | Northbound API traffic must traverse an out-of-band path or be encrypted using a FIPS-validated cryptographic module. |
☐ | SV-87735r1_rule | Southbound API management plane traffic for provisioning and configuring virtual network elements within the SDN infrastructure must be authenticated using a FIPS-approved message authentication code algorithm. |
☐ | SV-87737r1_rule | Southbound API management plane traffic for provisioning and configuring virtual network elements within the SDN infrastructure must traverse an out-of-band path or be encrypted using a FIPS-validated cryptographic module. |
☐ | SV-87739r1_rule | Southbound API management plane traffic for configuring SDN parameters on physical network elements must be authenticated using DOD PKI certificate-based authentication. |
☐ | SV-87741r1_rule | Southbound API management plane traffic for configuring SDN parameters on physical network elements must be encrypted using a FIPS-validated cryptographic module. |
☐ | SV-87743r1_rule | Physical SDN controllers and servers hosting SDN applications must reside within the management network with multiple paths that are secured by a firewall to inspect all ingress traffic. |
☐ | SV-87745r1_rule | SDN-enabled routers and switches must provide link state information to the SDN controller to create new forwarding decisions for the network elements. |
☐ | SV-87747r1_rule | Quality of service (QoS) must be implemented on the underlying IP network to provide preferred treatment for traffic between the SDN controllers and SDN-enabled switches and hypervisors. |
☐ | SV-87749r1_rule | SDN controllers must be deployed as clusters and on separate physical hosts to eliminate single point of failure. |
☐ | SV-87751r1_rule | Physical devices hosting an SDN controller must be connected to two switches for high-availability. |
☐ | SV-87753r1_rule | SDN-enabled routers and switches must rate limit the amount of unknown data plane packets that are punted to the SDN controller. |
☐ | SV-87755r1_rule | Servers hosting SDN controllers must have logging enabled. |
☐ | SV-87757r1_rule | Servers hosting SDN controllers must have an HIDS implemented to detect unauthorized changes. |
☐ | SV-87759r1_rule | All Virtual Extensible Local Area Network (VXLAN) enabled switches must be configured with the appropriate VXLAN network identifier (VNI) to ensure VMs can send and receive all associated traffic for their Layer 2 domain. |
☐ | SV-87761r1_rule | Virtual Extensible Local Area Network (VXLAN) identifiers must be mapped to the appropriate VLAN identifiers. |
☐ | SV-87763r1_rule | The proper multicast group for each Virtual Extensible Local Area Network (VXLAN) identifier must be mapped to the appropriate virtual tunnel endpoint (VTEP) so the VTEP will join the associated multicast groups. |
☐ | SV-87765r1_rule | The virtual tunnel endpoint (VTEP) must be dual-homed to two physical network nodes. |
☐ | SV-87767r1_rule | A secondary IP address must be specified for the virtual tunnel endpoint (VTEP) loopback interface when Virtual Extensible Local Area Network (VXLAN) enabled switches are deployed as a multi-chassis configuration. |
☐ | SV-87769r1_rule | Two or more edge gateways must be deployed connecting the network virtualization platform (NVP) and the physical network. |
☐ | SV-87771r1_rule | Virtual edge gateways must be deployed across multiple hypervisor hosts. |
☐ | SV-87773r1_rule | The virtual edge gateways must be deployed with routing adjacencies established with two or more physical routers. |