
SDN Using NV Security Technical Implementation Guide

Version

V1R2

Release Date

Mar 1, 2017

SCAP Benchmark ID

SDN_NV_STIG

Total Checks

26

Tags

other
Severity Breakdown

CAT I (High): 5
CAT II (Medium): 12
CAT III (Low): 9

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (26)

  • V-73073 (HIGH): Southbound API control plane traffic between the SDN controller and SDN-enabled network elements must be mutually authenticated using a FIPS-approved message authentication code algorithm.
  • V-73075 (HIGH): Northbound API traffic received by the SDN controller must be authenticated using a FIPS-approved message authentication code algorithm.
  • V-73077 (MEDIUM): Access to the SDN management and orchestration systems must be authenticated using a FIPS-approved message authentication code algorithm.
  • V-73079 (HIGH): Southbound API control plane traffic must traverse an out-of-band path or be encrypted using a FIPS-validated cryptographic module.
  • V-73081 (HIGH): Northbound API traffic must traverse an out-of-band path or be encrypted using a FIPS-validated cryptographic module.
  • V-73083 (MEDIUM): Southbound API management plane traffic for provisioning and configuring virtual network elements within the SDN infrastructure must be authenticated using a FIPS-approved message authentication code algorithm.
  • V-73085 (MEDIUM): Southbound API management plane traffic for provisioning and configuring virtual network elements within the SDN infrastructure must traverse an out-of-band path or be encrypted using a FIPS-validated cryptographic module.
  • V-73087 (MEDIUM): Southbound API management plane traffic for configuring SDN parameters on physical network elements must be authenticated using DOD PKI certificate-based authentication.
  • V-73089 (MEDIUM): Southbound API management plane traffic for configuring SDN parameters on physical network elements must be encrypted using a FIPS-validated cryptographic module.
  • V-73091 (MEDIUM): Physical SDN controllers and servers hosting SDN applications must reside within the management network with multiple paths that are secured by a firewall to inspect all ingress traffic.
  • V-73093 (LOW): SDN-enabled routers and switches must provide link state information to the SDN controller to create new forwarding decisions for the network elements.
  • V-73095 (LOW): Quality of service (QoS) must be implemented on the underlying IP network to provide preferred treatment for traffic between the SDN controllers and SDN-enabled switches and hypervisors.
  • V-73097 (MEDIUM): SDN controllers must be deployed as clusters and on separate physical hosts to eliminate single points of failure.
  • V-73099 (LOW): Physical devices hosting an SDN controller must be connected to two switches for high availability.
  • V-73101 (LOW): SDN-enabled routers and switches must rate limit the amount of unknown data plane packets that are punted to the SDN controller.
  • V-73103 (MEDIUM): Servers hosting SDN controllers must have logging enabled.
  • V-73105 (MEDIUM): Servers hosting SDN controllers must have an HIDS implemented to detect unauthorized changes.
  • V-73107 (MEDIUM): All Virtual Extensible Local Area Network (VXLAN) enabled switches must be configured with the appropriate VXLAN network identifier (VNI) to ensure VMs can send and receive all associated traffic for their Layer 2 domain.
  • V-73109 (MEDIUM): Virtual Extensible Local Area Network (VXLAN) identifiers must be mapped to the appropriate VLAN identifiers.
  • V-73111 (MEDIUM): The proper multicast group for each Virtual Extensible Local Area Network (VXLAN) identifier must be mapped to the appropriate virtual tunnel endpoint (VTEP) so the VTEP will join the associated multicast groups.
  • V-73113 (LOW): The virtual tunnel endpoint (VTEP) must be dual-homed to two physical network nodes.
  • V-73115 (LOW): A secondary IP address must be specified for the virtual tunnel endpoint (VTEP) loopback interface when Virtual Extensible Local Area Network (VXLAN) enabled switches are deployed as a multi-chassis configuration.
  • V-73117 (LOW): Two or more edge gateways must be deployed connecting the network virtualization platform (NVP) and the physical network.
  • V-73119 (LOW): Virtual edge gateways must be deployed across multiple hypervisor hosts.
  • V-73121 (LOW): The virtual edge gateways must be deployed with routing adjacencies established with two or more physical routers.
  • V-73122 (HIGH): The SDN-NV system must be a version supported by the vendor.
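Several of the checks above (the API authentication and encryption requirements, controller clustering and dual-homing, punt rate limiting, and VNI/VLAN mapping consistency) are mechanical enough to evaluate from an inventory of the deployment rather than by hand. The script below is an added example, not part of the STIG or of STIGhub: it runs a subset of those checks (V-73073, V-73075, V-73079, V-73081, V-73097, V-73099, V-73101, V-73107, V-73109) over a constructed inventory and emits findings keyed by V-ID. The inventory schema, the field names, the set of integrity algorithms treated as "FIPS-approved", and the reading of V-73107 as "every switch carries every required VNI" are assumptions made for illustration; a real evaluator would populate the inventory from the controller's API and the switches' running configurations and confirm the algorithm list against the FIPS module's security policy.

```python
"""Evaluate a constructed SDN/NV inventory against a subset of SDN-NV STIG checks.

Added example; the schema, field names and FIPS_INTEGRITY set are assumptions.
"""
from collections import defaultdict

# Assumption: TLS integrity algorithms accepted as a "FIPS-approved MAC" here:
# the HMAC-SHA-2 family and AES-GCM (AEAD) suites. Verify against your module.
FIPS_INTEGRITY = {"HMAC-SHA256", "HMAC-SHA384", "AES-128-GCM", "AES-256-GCM"}

# Constructed inventory with deliberate gaps so that findings are produced.
INVENTORY = {
    "controllers": [
        {"name": "ctl-1", "host": "host-a", "uplink_switches": ["leaf-1", "leaf-2"]},
        {"name": "ctl-2", "host": "host-a", "uplink_switches": ["leaf-1"]},
    ],
    "channels": [  # plane: "southbound_control" or "northbound"
        {"plane": "southbound_control", "peer": "leaf-1", "tls": "1.2",
         "integrity": "AES-256-GCM", "mutual_auth": True, "out_of_band": False, "fips_module": True},
        {"plane": "southbound_control", "peer": "leaf-2", "tls": None,
         "integrity": None, "mutual_auth": False, "out_of_band": False, "fips_module": False},
        {"plane": "northbound", "peer": "orchestrator", "tls": "1.2",
         "integrity": "HMAC-SHA1", "mutual_auth": False, "out_of_band": False, "fips_module": True},
    ],
    "switches": [
        {"name": "leaf-1", "punt_rate_limit_pps": 1000, "vni_to_vlan": {10010: 10, 10020: 20}},
        {"name": "leaf-2", "punt_rate_limit_pps": None, "vni_to_vlan": {10010: 10, 10020: 21}},
    ],
    # VNIs every VXLAN-enabled switch must carry for its Layer 2 domain (assumed).
    "required_vnis": {10010, 10020},
}


def check_api_auth(inv):
    """V-73073 (southbound control, mutual) / V-73075 (northbound): FIPS-approved MAC."""
    findings = []
    for ch in inv["channels"]:
        if ch["plane"] == "southbound_control":
            vid, need_mutual = "V-73073", True
        elif ch["plane"] == "northbound":
            vid, need_mutual = "V-73075", False
        else:
            continue
        if ch["integrity"] not in FIPS_INTEGRITY:
            findings.append((vid, ch["peer"], f"integrity {ch['integrity']} is not FIPS-approved"))
        if need_mutual and not ch["mutual_auth"]:
            findings.append((vid, ch["peer"], "channel is not mutually authenticated"))
    return findings


def check_api_confidentiality(inv):
    """V-73079 / V-73081: out-of-band path, or encryption by a FIPS-validated module."""
    vids = {"southbound_control": "V-73079", "northbound": "V-73081"}
    return [(vids[ch["plane"]], ch["peer"], "neither out-of-band nor FIPS-encrypted")
            for ch in inv["channels"]
            if ch["plane"] in vids and not (ch["out_of_band"] or (ch["tls"] and ch["fips_module"]))]


def check_controller_ha(inv):
    """V-73097: clustered on separate physical hosts. V-73099: host connected to two switches."""
    findings = []
    hosts = defaultdict(list)
    for c in inv["controllers"]:
        hosts[c["host"]].append(c["name"])
        if len(set(c["uplink_switches"])) < 2:
            findings.append(("V-73099", c["name"], "controller host is not connected to two switches"))
    if len(inv["controllers"]) < 2:
        findings.append(("V-73097", "cluster", "only one controller deployed"))
    for host, names in hosts.items():
        if len(names) > 1:
            findings.append(("V-73097", host, "controllers share a physical host: " + ", ".join(names)))
    return findings


def check_switches(inv):
    """V-73101: punt rate limit. V-73107: required VNIs present. V-73109: VNI->VLAN consistent."""
    findings = []
    vlan_for_vni = defaultdict(set)
    for sw in inv["switches"]:
        if not sw["punt_rate_limit_pps"]:
            findings.append(("V-73101", sw["name"], "no rate limit on packets punted to the controller"))
        missing = inv["required_vnis"] - set(sw["vni_to_vlan"])
        if missing:
            findings.append(("V-73107", sw["name"], f"missing VNIs {sorted(missing)}"))
        for vni, vlan in sw["vni_to_vlan"].items():
            vlan_for_vni[vni].add(vlan)
    for vni, vlans in vlan_for_vni.items():
        if len(vlans) > 1:  # same VNI must map to the same VLAN on every switch
            findings.append(("V-73109", f"VNI {vni}", f"mapped to different VLANs across switches: {sorted(vlans)}"))
    return findings


def evaluate(inv=INVENTORY):
    """Run every check and return (vid, target, detail) tuples sorted by V-ID."""
    findings = []
    for check in (check_api_auth, check_api_confidentiality, check_controller_ha, check_switches):
        findings.extend(check(inv))
    return sorted(findings)


if __name__ == "__main__":
    for vid, target, detail in evaluate():
        print(f"{vid}  {target:<12} {detail}")
```

On the constructed inventory this reports eight findings: the unauthenticated, unencrypted channel to leaf-2 (V-73073 twice, V-73079), the northbound channel using HMAC-SHA1 (V-73075), both controllers on host-a (V-73097), ctl-2 with a single uplink (V-73099), leaf-2 with no punt rate limit (V-73101), and VNI 10020 mapped to VLAN 20 on one switch and 21 on the other (V-73109). The findings tuples map directly onto the fields a checklist export needs (rule ID, target, finding details), which is the point of keying them by V-ID.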