7.9 Ensure that management plane traffic is separated from data plane traffic

Information

You should separate management plane traffic from data plane traffic.

Rationale:

Separating management plane traffic from data plane traffic keeps the two classes of traffic on distinct network paths. Each flow can then be monitored on its own and tied to its own traffic control and monitoring policies. It also keeps the management plane reachable even when the data plane is under heavy load.

Impact:

This requires two network interfaces per node.

Solution

You should initialize the swarm with one dedicated interface for the management plane and another for the data plane. For example:

docker swarm init --advertise-addr=192.168.0.1 --data-path-addr=17.1.0.3
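The following POSIX shell audit helper is an added example, not part of the benchmark text or of Docker itself. It compares the management and data plane addresses a manager node reports and fails when they coincide (the default state); it assumes that docker node inspect exposes the advertise address (with port) in .ManagerStatus.Addr and the data-path address in .Status.Addr.

```shell
#!/bin/sh
# Added audit helper: decide whether a swarm node's management-plane and
# data-plane addresses differ. Field names used in audit_self are an
# assumption about "docker node inspect" templates, not from the page.

# strip_port 192.168.0.1:2377 -> 192.168.0.1 ; also [2001:db8::1]:2377
strip_port() {
  case "$1" in
    \[*\]:*) printf '%s\n' "$1" | sed 's/^\[\(.*\)\]:[0-9]*$/\1/' ;;
    *:*:*)   printf '%s\n' "$1" ;;         # bare IPv6, no port to strip
    *:*)     printf '%s\n' "${1%:*}" ;;    # IPv4 host:port
    *)       printf '%s\n' "$1" ;;         # bare IPv4
  esac
}

# planes_separated MGMT_ADDR DATA_ADDR
# exit 0 (PASS) when the planes use different IPs, 1 (FAIL) when they share one
planes_separated() {
  mgmt_ip=$(strip_port "$1")
  data_ip=$(strip_port "$2")
  [ -n "$mgmt_ip" ] && [ -n "$data_ip" ] && [ "$mgmt_ip" != "$data_ip" ]
}

# audit_self: read both addresses from the local manager node and report.
audit_self() {
  command -v docker >/dev/null 2>&1 || { echo "SKIP: docker not found"; return 2; }
  mgmt=$(docker node inspect --format '{{ .ManagerStatus.Addr }}' self 2>/dev/null) \
    || { echo "SKIP: not a swarm manager or swarm inactive"; return 2; }
  data=$(docker node inspect --format '{{ .Status.Addr }}' self 2>/dev/null)
  if planes_separated "$mgmt" "$data"; then
    echo "PASS: management $mgmt, data $data"
  else
    echo "FAIL: management and data plane share $(strip_port "$mgmt")"
    return 1
  fi
}

# Run the live audit only when executed as swarm_plane_check.sh; sourcing
# the file just defines the functions for reuse.
if [ "${0##*/}" = "swarm_plane_check.sh" ]; then audit_self; fi
```

Constructed addresses such as 192.168.0.1:2377 and 17.1.0.3 mirror the init command above; run the script on a manager node to audit the live swarm.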

Default Value:

By default, data plane traffic is not separated from management plane traffic.

See Also

https://workbench.cisecurity.org/files/4532

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, CSCv7|14.1

Plugin: Unix

Control ID: 029fa78e4a871aade90b6d4094c40c90ef59d2086f0d64efd5bc6662f6f474c4