The SDN controller must be configured to enable multi-tenant virtual networks to be fully isolated from one another.

From SDN Controller Security Requirements Guide

Part of SRG-NET-000512

Associated with: CCI-000366

SV-95509r1_rule The SDN controller must be configured to enable multi-tenant virtual networks to be fully isolated from one another.

Vulnerability discussion

Network-as-a-Service (NaaS) is often implemented in a multi-tenant paradigm, where customers share network infrastructure and services while they are logically isolated from each other. SDN provides an approach to the orchestration and provisioning of virtual network services by the owners of the network infrastructures. This leads to various multi-tenancy deployments: on different layers, for different purposes, using different techniques—each of which provides different levels of control while requiring different types of isolation among users. For instance, implementation can be a southbound multi-tenancy with several guest controllers sharing the same data forwarding elements, or a northbound multi-tenancy with several guest applications sharing the entire SDN infrastructure including the SDN controller. Regardless of the implementation, it is imperative that the controller provides the necessary isolation and separation.

Check content

Review the SDN controller configuration to determine if it is configured to deploy dedicated instances of virtual networks and separate forwarding tables to the provisioned network elements belonging to each tenant. If the SDN Controller is not configured to enable multi-tenant virtual networks to be fully isolated from one another, this is a finding.

Fix text

Configure the SDN controller to deploy dedicated instances of virtual networks and separate forwarding tables to the provisioned network elements belonging to each tenant.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer