Free DISA STIG and SRG Library | Vaulted

V-17817

Traffic from the managed network is able to access the OOBM gateway router

Finding ID
NET0987
Rule ID
SV-19301r2_rule
Severity
Cat II
CCE
(None)
Group Title
Managed network has access to OOBM gateway router
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

If the gateway router is not a dedicated device for the OOBM network, several safeguards must be implemented to contain the boundary between management and production traffic. It is imperative that hosts from the managed network are not able to access the OOBM gateway router.

Fix Text

Ensure that traffic from the managed network is not able to access the OOBM gateway router using either receive path or interface ingress ACLs.

Check Content

Review the ACL or filters for the router’s receive path and verify that only traffic sourced from the management network is allowed to access the router. This would include both management and control plane traffic.

Step 1: Verify that the global ip receive acl statement has been configured as shown in the following example:

    ip receive acl 199

Note: The IOS IP Receive ACL feature provides filtering capability for traffic that is destined for the router. The IP Receive ACL filtering occurs after any input ACL bound to the ingress interface. On distributed platforms (i.e., 12000 series), the IP receive ACL filters traffic on the distributed line cards before packets are received by the route processor, thereby preventing a flood from degrading the performance of the route processor.

Step 2: Determine the address block of the management network at the NOC. In the example configuration below, 10.2.2.0/24 is the management network at the NOC.

Step 3: Verify that the ACL referenced by the ip receive acl statement restricts all management plane traffic to the validated network management address block at the NOC. Management traffic can include telnet, SSH, SNMP, TACACS, RADIUS, TFTP, FTP, and ICMP. Control plane traffic from OOBM backbone neighbors should also be allowed to access the router.

The ACL configuration should look similar to the following:

    access-list 199 deny ip any any fragments
    access-list 199 permit ospf 10.1.20.0 0.0.0.255 any
    access-list 199 permit tcp 10.2.2.0 0.0.0.255 any eq ssh
    access-list 199 permit udp host 10.2.2.24 any eq snmp
    access-list 199 permit udp host 10.2.2.25 any eq snmp
    access-list 199 permit udp host 10.2.2.26 any eq ntp
    access-list 199 permit udp host 10.2.2.27 any eq ntp
    access-list 199 permit tcp host 10.2.2.30 eq tacacs any gt 1023 established
    access-list 199 permit tcp host 10.2.2.77 eq ftp any gt 1023 established
    access-list 199 permit tcp host 10.2.2.77 gt 1024 any eq ftp-data
    access-list 199 permit icmp 10.2.2.0 0.0.0.255 any
    access-list 199 deny ip any any log

In the example above, the OSPF neighbors would be adjacencies with the OOBM backbone network 10.1.20.0/24.

If the platform does not support the receive path filter, then verify that all non-OOBM interfaces have an ingress ACL that restricts access to that interface address, or to any of the router’s loopback addresses, to only traffic sourced from the management network. The exception would be to allow packets destined to these interfaces that are used for troubleshooting, such as ping and traceroute.
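The three steps above can be automated against a saved running configuration. The following is an added example, not part of the STIG or any DISA tooling: it locates the ip receive acl statement, walks the numbered IOS ACL it references, and reports any permit entry whose source is not inside the NOC management block (or, for OSPF, the OOBM backbone block), plus a missing trailing deny. It assumes IPv4 numbered-ACL syntax only, and the sample config is constructed for the demonstration (the page's ACL plus one deliberately non-compliant telnet entry).

```python
import ipaddress
import re

# Constructed sample: the STIG's example receive ACL plus one non-compliant
# entry (the telnet line) sourced from a network outside the NOC block.
SAMPLE_CONFIG = """
ip receive acl 199
access-list 199 deny ip any any fragments
access-list 199 permit ospf 10.1.20.0 0.0.0.255 any
access-list 199 permit tcp 10.2.2.0 0.0.0.255 any eq ssh
access-list 199 permit udp host 10.2.2.24 any eq snmp
access-list 199 permit tcp host 10.2.2.30 eq tacacs any gt 1023 established
access-list 199 permit tcp 192.168.50.0 0.0.0.255 any eq telnet
access-list 199 permit icmp 10.2.2.0 0.0.0.255 any
access-list 199 deny ip any any log
"""

def _source(tokens):
    """Return the source network of an ACL entry, or None when it is 'any'."""
    if tokens[0] == "any":
        return None
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32")
    # Cisco wildcard masks are hostmasks; ipaddress accepts "a.b.c.d/0.0.0.255".
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)

def check_receive_acl(config, mgmt_nets, oobm_nets):
    """Return a list of findings; an empty list means the check passes."""
    mgmt = [ipaddress.ip_network(n) for n in mgmt_nets]
    oobm = [ipaddress.ip_network(n) for n in oobm_nets]
    m = re.search(r"^ip receive acl (\d+)", config, re.M)
    if not m:
        return ["no 'ip receive acl' configured"]
    acl = m.group(1)
    lines = [l.strip() for l in config.splitlines()]
    entries = [l.split() for l in lines if l.startswith(f"access-list {acl} ")]
    if not entries:
        return [f"ACL {acl} referenced by 'ip receive acl' does not exist"]
    findings = []
    for e in entries:
        action, proto = e[2], e[3]
        if action != "permit":
            continue
        src = _source(e[4:])
        allowed = oobm if proto == "ospf" else mgmt  # control plane vs. management
        if src is None or not any(src.subnet_of(n) for n in allowed):
            findings.append(f"permits {proto} from non-management source: {' '.join(e)}")
    if entries[-1][2:6] != ["deny", "ip", "any", "any"]:
        findings.append(f"ACL {acl} does not end with 'deny ip any any'")
    return findings

if __name__ == "__main__":
    for f in check_receive_acl(SAMPLE_CONFIG, ["10.2.2.0/24"], ["10.1.20.0/24"]):
        print("FINDING:", f)
```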

Responsibility

System Administrator