Free DISA STIG and SRG Library | Vaulted

V-17835

Traffic entering the tunnels is not restricted to only the authorized management packets based on destination address.

Finding ID
NET1006
Rule ID
SV-19310r1_rule
Severity
Cat II
CCE
(None)
Group Title
IPSec traffic is not restricted
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Similar to the OOBM model, when the production network is managed in-band, the management network could also be housed at a NOC that is located locally or remotely at a single or multiple interconnected sites. NOC interconnectivity as well as connectivity between the NOC and the managed networks’ premise routers would be enabled using either provisioned circuits or VPN technologies such as IPSec tunnels or MPLS VPN services.

Fix Text

Where IPSec technology is deployed to connect the managed network to the NOC, it is imperative that the traffic entering the tunnels is restricted to only the authorized management packets based on destination address.

Check Content

Verify that all traffic from the managed network to the management network and vice-versa is secured via IPSec encapsulation. In the configuration examples, 10.2.2.0/24 is the management network at the NOC and 192.168.1.0/24 is address space used at the network being managed (i.e., the enclave). For Cisco router, the access-list referenced by the crypto map must have the source and destination addresses belonging to the management network address space at the enclave and NOC respectively. hostname Premrouter ! interface Serial1/0 ip address 19.16.1.1 255.255.255.0 description NIPRNet_Link crypto map myvpn interface Fastethernet 0/0 description Enclave_Management_LAN ip address 192.168.1.1 255.255.255.0 ! crypto isakmp policy 1 authentication pre-share lifetime 84600 crypto isakmp key ******* address 19.16.2.1 ! crypto ipsec transform-set toNOC esp-des esp-md5-hmac ! crypto map myvpn 10 ipsec-isakmp set peer 19.16.2.1 set transform-set toNOC match address 101 ! access-list 101 permit ip any 10.2.2.0 0.0.0.255

Responsibility

System Administrator