The SDN controller must be configured to enforce a Quality-of-Service (QoS) policy to manage bandwidth and to limit the effects of a packet-flooding Denial of Service (DoS) attack.

From SDN Controller Security Requirements Guide

Part of SRG-NET-000193-SDN-000285

Associated with: CCI-001095

SRG-NET-000193-SDN-000285_rule The SDN controller must be configured to enforce a Quality-of-Service (QoS) policy to manage bandwidth and to limit the effects of a packet-flooding Denial of Service (DoS) attack.

Vulnerability discussion

Different applications have unique requirements and toleration levels for delay, jitter, bandwidth, packet loss, and availability. To manage the multitude of applications and services, a network requires a QoS framework to differentiate traffic and provide a method to manage network congestion. The Differentiated Services Model (DiffServ) is based on per-hop behavior by categorizing traffic into different classes and enabling each node to enforce a forwarding treatment to each packet as dictated by a policy.Packet markings such as IP Precedence and its successor, Differentiated Services Code Points (DSCP), were defined along with specific per-hop behaviors for key traffic types to enable a scalable QoS solution. DiffServ QoS categorizes network traffic, prioritizes it according to its relative importance, and provides priority treatment based on the classification.Dynamic QoS through software-defined networking introduces flexibility and agility to normally static policies. SDN helps automate the process as it intelligently and dynamically prioritizes traffic based on current business requirements and network congestion. It is imperative that the SDN controller enforces an end-to-end QoS policy to provide preferred treatment for mission-critical applications, manage network congestion, as well as limit the effect of any packet-flooding DoS attack.

Check content

Review the SDN controller configuration to verify that it is configured to enforce a QoS policy. The QoS implementation could be driven by a service application via the northbound API that contains the policy and classification mapping. If the SDN controller is not configured to enforce a QoS policy to manage bandwidth and limit the effect of a packet-flooding DoS attack, this is a finding.

Fix text

Configure the SDN controller to enforce a QoS policy. This can be implemented via northbound API from a service application containing the policy and classification mappings.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer