OAM&P / NM and CTI networks are NOT dedicated to the system that they serve in accordance with their separate DSN APL certifications.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-8545	DSN04.07	SV-9042r1_rule	DCID-1 DCPA-1 EBCR-1 ECSC-1	Medium

Description
Requirement: The IAO will ensure that out-of-band OAM&P / NM and CTI networks are dedicated to the system that they serve in accordance with their separate DSN APL certifications. CTI networks may be combined taking into consideration the vulnerabilities of each system and with documented local DAA approval. > OAM&P/NM and CTI terminals must connect to the switch by using either a direct connection to the system administration port or through a dedicated, out of band network. Connections other than these, for example through a non-dedicated network connection, will introduce security risks. > The requirement to dedicate OAM&P / NM and CTI networks or LANS is to protect the particular solution from threats from sources external to the solution. Connecting these dedicated LANs to another LAN negates this protection. > OAM&P/NM and CTI solutions are tested and approved for DSN APL listing based on a dedicated / OOB network for each solution. In keeping with the requirement that APL solutions be implemented in the same configuration as was tested, these systems must be implemented on a dedicated LAN for each solution. This is because there is no way of knowing what security risks will result from merging different solutions on a single LAN without testing the specific combination. One solution could affect the security of the other.

Description

Requirement: The IAO will ensure that out-of-band OAM&P / NM and CTI networks are dedicated to the system that they serve in accordance with their separate DSN APL certifications. CTI networks may be combined taking into consideration the vulnerabilities of each system and with documented local DAA approval. > OAM&P/NM and CTI terminals must connect to the switch by using either a direct connection to the system administration port or through a dedicated, out of band network. Connections other than these, for example through a non-dedicated network connection, will introduce security risks. > The requirement to dedicate OAM&P / NM and CTI networks or LANS is to protect the particular solution from threats from sources external to the solution. Connecting these dedicated LANs to another LAN negates this protection. > OAM&P/NM and CTI solutions are tested and approved for DSN APL listing based on a dedicated / OOB network for each solution. In keeping with the requirement that APL solutions be implemented in the same configuration as was tested, these systems must be implemented on a dedicated LAN for each solution. This is because there is no way of knowing what security risks will result from merging different solutions on a single LAN without testing the specific combination. One solution could affect the security of the other.

STIG	Date
Defense Switched Network STIG	2015-01-02

Details

Check Text ( C-7372r1_chk )
Have the IAO or SA demonstrate compliance with the requirement; minimally on a sampling of the related or effected devices. Inspect configuration files as applicable.

Fix Text (F-7968r1_fix)
Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.