Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-17830 | NET1001 | SV-19319r1_rule | Medium |
Description |
---|
The management network must still have its own subnet in order to enforce control and access boundaries provided by Layer 3 network nodes such as routers and firewalls. Management traffic between the managed network elements and the management network is routed via the same links and nodes as that used for production or operational traffic. Safeguards must be implemented to ensure that the management traffic does not leak past the managed network’s premise equipment. It there is a firewall located behind the premise router, then all management traffic should be blocked at that point—with the exception of management traffic destined to premise equipment. |
STIG | Date |
---|---|
Firewall Security Technical Implementation Guide - Cisco | 2017-03-02 |
Check Text ( C-20268r1_chk ) |
---|
With the exception of management traffic destined to premise equipment, a firewall located behind the premise router must be configured to block all outbound management traffic. Step 1: Review the firewall configuration to verify that it is blocking all outbound management traffic as shown in the example configuration below: Cisco PIX interface GigabitEthernet0 nameif outside security-level 0 ip address 172.20.3.2 255.255.255.240 interface GigabitEthernet1 nameif inside security-level 100 ip address 192.168.1.2 255.255.255.0 interface Ethernet0/2 nameif DMZ security-level 50 ip address 172.20.2.1 255.255.255.0 By default, traffic from an interface with a lower security level can’t egress an interface with a higher security level. However, traffic is allowed to flow from a higher-security interface to a lower-security interface. Hence, if the interface to the managed network is at a higher security level than the interface connecting the WAN backbone (i.e. NIPRNet) or the Internet, management traffic originated from this network could leak out. Verify that there is an egress ACL bound to the outside interface to ensure management traffic from the private network or DMZ is blocked. access-group outside_out interface outside access-list outside_out deny ip any 10.0.0.0 255.255.255.0 log access-list outside_out permit ip any any Note: Access lists can be defined for PIX/ASA using the familiar IOS software ACL format. However, one important difference exists between the PIX/ASA and IOS ACL formats: PIXs use real subnet masks (a 1 bit matches, and a 0 bit ignores), whereas IOS platforms use a wildcard mask (a 0 bit matches, and a 1 bit ignores). Step 2: Verify that routing has been configured to ensure all traffic destined to the management network is forwarded to the next hop router connected to its inside interface. route outside 0.0.0.0 0.0.0.0 172.20.3.1 1 route inside 10.0.0.0 255.0.0.0 192.168.1.1 1 route inside 192.168.2.0 255.255.255.0 192.168.1.1 1 |
Fix Text (F-17747r2_fix) |
---|
With the exception of management traffic destined to perimeter equipment, a firewall located behind the premise router must be configured to block all outbound management traffic. |