Free DISA STIG and SRG Library | Vaulted

V-17822

The management interface is not configured with both an ingress and egress ACL.

Finding ID
NET0992
Rule ID
SV-20208r1_rule
Severity
Cat II
CCE
(None)
Group Title
The management interface does not have an ACL.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface or a standard interface functioning as the management interface. In either case, the management interface of the managed network element will be directly connected to the OOBM network. An OOBM interface does not forward transit traffic; thereby, providing complete separation of production and management traffic. Since all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device. If the device does not have an OOBM port, the interface functioning as the management interface must be configured so that management traffic does not leak into the managed network and that production traffic does not leak into the management network

Fix Text

If the management interface is a routed interface, it must be configured with both an ingress and egress ACL. The ingress ACL should block any transit traffic, while the egress ACL should block any traffic that was not originated by the managed network device.

Check Content

Step 1: Verify that the managed interface has an inbound and outbound ACL configured as shown in the following example: interface FastEthernet1/1 description Enclave_Management_LAN ip address 10.1.1.22 255.255.255.0 ip access-group 100 in ip access-group 101 out Step 2: Verify that the ingress ACL blocks all transit traffic—that is, any traffic not destined to the router itself. In addition, traffic accessing the managed elements should be originated at the NOC. In the example the management network at the NOC is 10.2.2.0/24. access-list 100 permit ip 10.2.2.0 0.0.0.255 host 10.1.1.22 access-list 100 deny ip any any log Note that the destination used by any host within the management network to access the managed elements must be via the management interface. The loopback should not be a valid address since these prefixes would not be advertised into the management network IGP domain. This could only be possible if the managed network Elements: had an IGP adjacency with the managed network, which should not be the case. Step 3: Verify that the egress ACL blocks any traffic not originated by the managed element access-list 101 deny ip any any log Cisco router-generated packets are not inspected by outgoing access-lists. Hence, the above configuration would simply drop any packets not generated by the router itself and allow all local traffic. To filter local traffic, IOS provides a feature called local policy routing, which enables the administrator to apply a route-map to any local router-generated traffic. To prohibit outgoing traffic from the local router to any destination other than the NOC, the a configuration such as the following could be used: ! Do not drop traffic destined to 10.2.2.0/24. Hence, do not include it in ! the local policy route map, but include all other destinations. ! ip access-list extended BLOCK_INVALID_DEST deny ip any 10.2.2.0 0.0.0.255 permit ip any any ! route-map LOCAL_POLICY 10 match ip address BLOCK_INVALID_DEST set interface Null 0 ! ip local policy route-map LOCAL_POLICY Alternative Solution: The IOS Management Plane Protection Feature Cisco introduced the Management Plane Protection (MPP) feature with IOS 12.4(6)T which allows any physical in-band interface to be dedicated for OOB management. The MPP feature allows a network operator to designate one or more router interfaces as management interfaces. Management traffic is permitted to enter a device only through these management interfaces. All of the other in-band interfaces not enabled for MPP will automatically drop all ingress packets associated with any of the supported MPP protocols (FTP, HTTP, HTTPS, SCP, SSH, SNMP, Telnet, and TFTP). Hence, after MPP is enabled, no interfaces except management interfaces will accept network management traffic destined to the device. This feature also provides the capability to restrict which management protocols are allowed. This feature does not change the behavior of the console, auxiliary, and management Ethernet interfaces. The following configuration example depicts FastEthernet1/1 as being the designated management interface that will only allow ssh and snmp traffic. control-plane host management-interface FastEthernet1/1 allow ssh snmp ! interface FastEthernet1/1 description Enclave_Management_LAN ip address 10.1.1.22 255.255.255.0

Responsibility

System Administrator