The Cisco switch must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-221100	CISC-RT-000450	SV-221100r622190_rule		Medium

Description
The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface or a standard interface functioning as the management interface. In either case, the management interface of the managed network element will be directly connected to the OOBM network. An OOBM interface does not forward transit traffic, thereby providing complete separation of production and management traffic. Since all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device. If the device does not have an OOBM port, the interface functioning as the management interface must be configured so that management traffic does not leak into the managed network and that production traffic does not leak into the management network.

Description

The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface or a standard interface functioning as the management interface. In either case, the management interface of the managed network element will be directly connected to the OOBM network. An OOBM interface does not forward transit traffic, thereby providing complete separation of production and management traffic. Since all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device. If the device does not have an OOBM port, the interface functioning as the management interface must be configured so that management traffic does not leak into the managed network and that production traffic does not leak into the management network.

STIG	Date
Cisco NX-OS Switch RTR Security Technical Implementation Guide	2021-03-29

Details

Check Text ( C-22815r409789_chk )
This requirement is only applicable where management access to the switch is via an OOBM interface which is not a true OOBM interface. Step 1: Verify that the managed interface has an inbound and outbound ACL configured. interface Ethernet2/7 description link to OOBM access switch no switchport ip address 10.11.1.22 255.255.255.0 ip access-group INGRESS_MANAGEMENT_ACL in ip access-group EGRESS_MANAGEMENT_ACL in Step 2: Verify that the ingress ACL only allows management and ICMP traffic. ip access-list INGRESS_MANAGEMENT_ACL 10 permit tcp any 10.11.1.22/32 eq tacacs 20 permit tcp any 10.11.1.22/32 eq 22 30 permit udp any 10.11.1.22/32 eq snmp 40 permit udp any 10.11.1.22/32 eq snmptrap 50 permit udp any 10.11.1.22/32 eq ntp 60 permit icmp any 10.11.1.22/32 70 deny ip any any log Step 3: Verify that the egress ACL blocks any transit traffic. ip access-list MGMT_TRAFFIC_ACL 10 deny ip any any log Note: On Cisco switches, local generated packets are not inspected by outgoing interface access-lists. Hence, the above configuration would simply drop any packets not generated by the switch; hence, blocking any transit traffic. If the switch does not restrict traffic that ingresses and egresses the management interface, this is a finding.

Check Text ( C-22815r409789_chk )

This requirement is only applicable where management access to the switch is via an OOBM interface which is not a true OOBM interface.

Step 1: Verify that the managed interface has an inbound and outbound ACL configured.

interface Ethernet2/7
description link to OOBM access switch
no switchport
ip address 10.11.1.22 255.255.255.0
ip access-group INGRESS_MANAGEMENT_ACL in
ip access-group EGRESS_MANAGEMENT_ACL in

Step 2: Verify that the ingress ACL only allows management and ICMP traffic.

ip access-list INGRESS_MANAGEMENT_ACL
10 permit tcp any 10.11.1.22/32 eq tacacs
20 permit tcp any 10.11.1.22/32 eq 22
30 permit udp any 10.11.1.22/32 eq snmp
40 permit udp any 10.11.1.22/32 eq snmptrap
50 permit udp any 10.11.1.22/32 eq ntp
60 permit icmp any 10.11.1.22/32
70 deny ip any any log

Step 3: Verify that the egress ACL blocks any transit traffic.

ip access-list MGMT_TRAFFIC_ACL
10 deny ip any any log

Note: On Cisco switches, local generated packets are not inspected by outgoing interface access-lists. Hence, the above configuration would simply drop any packets not generated by the switch; hence, blocking any transit traffic.

If the switch does not restrict traffic that ingresses and egresses the management interface, this is a finding.

Fix Text (F-22804r409790_fix)
If the management interface is not a dedicated OOBM interface, it must be configured with both an ingress and egress ACL. Step 1: Configure an ingress ACL a shown in the example below: SW1(config)#ip access-list INGRESS_MANAGEMENT_ACL SW1(config-acl)# permit tcp any host 10.11.1.22 eq tacacs SW1(config-acl)# permit tcp any host 10.11.1.22 eq 22 SW1(config-acl)# permit udp any host 10.11.1.22 eq snmp SW1(config-acl)# permit udp any host 10.11.1.22 eq snmptrap SW1(config-acl)# permit udp any host 10.11.1.22 eq ntp SW1(config-acl)# permit icmp any host 10.11.1.22 SW1(config-acl)# deny ip any any log SW1(config-acl)# exit Step 2: Configure an egress ACL a shown in the example below: SW1(config)# ip access-list EGRESS_MANAGEMENT_ACL SW1(config-acl)# deny ip any any log SW1(config-acl)# exit Step 3: Apply the ACLs to the OOBM interfaces. SW1(config)#int e2/7 SW1(config-if) ip access-group INGRESS_MANAGEMENT_ACL in SW1(config-if) ip access-group EGRESS_MANAGEMENT_ACL out

Fix Text (F-22804r409790_fix)

If the management interface is not a dedicated OOBM interface, it must be configured with both an ingress and egress ACL.

Step 1: Configure an ingress ACL a shown in the example below:

SW1(config)#ip access-list INGRESS_MANAGEMENT_ACL
SW1(config-acl)# permit tcp any host 10.11.1.22 eq tacacs
SW1(config-acl)# permit tcp any host 10.11.1.22 eq 22
SW1(config-acl)# permit udp any host 10.11.1.22 eq snmp
SW1(config-acl)# permit udp any host 10.11.1.22 eq snmptrap
SW1(config-acl)# permit udp any host 10.11.1.22 eq ntp
SW1(config-acl)# permit icmp any host 10.11.1.22
SW1(config-acl)# deny ip any any log
SW1(config-acl)# exit

Step 2: Configure an egress ACL a shown in the example below:

SW1(config)# ip access-list EGRESS_MANAGEMENT_ACL
SW1(config-acl)# deny ip any any log
SW1(config-acl)# exit

Step 3: Apply the ACLs to the OOBM interfaces.

SW1(config)#int e2/7
SW1(config-if) ip access-group INGRESS_MANAGEMENT_ACL in
SW1(config-if) ip access-group EGRESS_MANAGEMENT_ACL out