
A firewall located behind the premise router must be configured to block all outbound management traffic.


Overview

Finding ID: V-17830
Version: NET1001
Rule ID: SV-19319r1_rule
IA Controls: none listed
Severity: Medium
Description
The management network must still have its own subnet in order to enforce the control and access boundaries provided by Layer 3 network nodes such as routers and firewalls. Management traffic between the managed network elements and the management network is routed via the same links and nodes as those used for production or operational traffic. Safeguards must be implemented to ensure that the management traffic does not leak past the managed network’s premise equipment. If there is a firewall located behind the premise router, then all management traffic should be blocked at that point, with the exception of management traffic destined to premise equipment.
STIG: Firewall Security Technical Implementation Guide - Cisco
Date: 2017-12-07

Details

Check Text ( C-20268r1_chk )
With the exception of management traffic destined to premise equipment, a firewall located behind the premise router must be configured to block all outbound management traffic.

Step 1: Review the firewall configuration to verify that it is blocking all outbound management traffic as shown in the example configuration below:

Cisco PIX

interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 172.20.3.2 255.255.255.240
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 172.20.2.1 255.255.255.0

By default, traffic from an interface with a lower security level cannot egress an interface with a higher security level. However, traffic is allowed to flow from a higher-security interface to a lower-security interface. Hence, if the interface to the managed network is at a higher security level than the interface connecting to the WAN backbone (i.e. NIPRNet) or the Internet, management traffic originating from this network could leak out. Verify that there is an egress ACL bound to the outside interface to ensure management traffic from the private network or DMZ is blocked.

access-group outside_out interface outside
access-list outside_out deny ip any 10.0.0.0 255.255.255.0 log
access-list outside_out permit ip any any

Note: Access lists can be defined for PIX/ASA using the familiar IOS software ACL format. However, one important difference exists between the PIX/ASA and IOS ACL formats: PIXs use real subnet masks (a 1 bit matches, and a 0 bit ignores), whereas IOS platforms use a wildcard mask (a 0 bit matches, and a 1 bit ignores).

Step 2: Verify that routing has been configured to ensure all traffic destined to the management network is forwarded to the next hop router connected to its inside interface.

route outside 0.0.0.0 0.0.0.0 172.20.3.1 1
route inside 10.0.0.0 255.0.0.0 192.168.1.1 1
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
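The two check steps above can be automated against a saved configuration. The following Python script is an added example, not part of the STIG or of any Cisco tooling: it parses a small subset of PIX/ASA syntax (interface nameif and security-level, access-list, access-group, route), evaluates the ACL bound to the outside interface first-match with the implicit deny at the end, converts a real subnet mask to the IOS wildcard form described in the note, and resolves the static route for the management subnet by longest-prefix match. It assumes the outside interface is named "outside" as in the sample, that the deny entry covers protocol ip from any source, and that the embedded configuration is a constructed sample modelled on the one shown above, not a real device dump.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample modelled on the STIG's example configuration (not a device dump).
SAMPLE_CONFIG = """
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 172.20.3.2 255.255.255.240
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
access-group outside_out interface outside
access-list outside_out deny ip any 10.0.0.0 255.255.255.0 log
access-list outside_out permit ip any any
route outside 0.0.0.0 0.0.0.0 172.20.3.1 1
route inside 10.0.0.0 255.0.0.0 192.168.1.1 1
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
"""

ANY = ipaddress.ip_network("0.0.0.0/0")
# access-list NAME [extended] permit|deny PROTO SRC DST [log ...]
ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+(?:extended\s+)?(permit|deny)\s+(\S+)\s+(.+?)(?:\s+log\b.*)?$")


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def mask_to_wildcard(mask: str) -> str:
    """PIX/ASA real subnet mask -> IOS wildcard mask (bitwise complement)."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))


def _addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' (real mask) starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return (security level by nameif, ACLs by name, ACL name bound per interface, routes)."""
    levels, acls, bindings, routes = {}, {}, {}, []
    current = None
    for raw in text.splitlines():
        line, t = raw.strip(), raw.split()
        if not t:
            continue
        if t[0] == "interface":
            current = {}
        elif t[0] in ("nameif", "security-level") and current is not None:
            current[t[0]] = t[1]
            if "nameif" in current and "security-level" in current:
                levels[current["nameif"]] = int(current["security-level"])
        elif t[0] == "access-group":
            bindings[t[-1]] = t[1]  # PIX 6.x and ASA forms both end with 'interface NAME'
        elif t[0] == "route":
            routes.append((t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False), t[4]))
        else:
            m = ACE_RE.match(line)
            if m:
                name, action, proto, rest = m.groups()
                tok = rest.split()
                src, i = _addr(tok, 0)
                dst, _ = _addr(tok, i)
                acls.setdefault(name, []).append(Ace(action, proto, src, dst))
    return levels, acls, bindings, routes


def allowed_without_acl(levels, from_if, to_if):
    """Default PIX/ASA behaviour: flows pass from a higher to a lower security level."""
    return levels[from_if] > levels[to_if]


def egress_blocks_management(text, mgmt_net, outside="outside"):
    """True if the ACL bound to the outside interface denies ip from any source to all of
    mgmt_net before any permit entry could reach it (first-match, implicit deny at end)."""
    mgmt = ipaddress.ip_network(mgmt_net)
    _, acls, bindings, _ = parse_config(text)
    if outside not in bindings:
        return False  # no ACL bound: higher -> lower security flows leak out by default
    for ace in acls.get(bindings[outside], []):
        if ace.action == "deny" and ace.proto == "ip" and ace.src == ANY and mgmt.subnet_of(ace.dst):
            return True
        if ace.action == "permit" and ace.dst.overlaps(mgmt):
            return False  # some management destinations are permitted before the deny
    return True  # nothing permitted it: implicit deny applies


def route_interface_for(text, mgmt_net):
    """Longest-prefix match over static routes: (interface, next hop) or None."""
    mgmt = ipaddress.ip_network(mgmt_net)
    _, _, _, routes = parse_config(text)
    best = None
    for iface, net, nexthop in routes:
        if mgmt.subnet_of(net) and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net, nexthop)
    return (best[0], best[2]) if best else None


if __name__ == "__main__":
    lv = parse_config(SAMPLE_CONFIG)[0]
    print("inside->outside allowed without ACL:", allowed_without_acl(lv, "inside", "outside"))
    print("egress ACL blocks 10.0.0.0/24:", egress_blocks_management(SAMPLE_CONFIG, "10.0.0.0/24"))
    print("route for 10.0.0.0/24 via:", route_interface_for(SAMPLE_CONFIG, "10.0.0.0/24"))
    print("255.255.255.0 as IOS wildcard:", mask_to_wildcard("255.255.255.0"))
```

The check deliberately fails when no ACL is bound to the outside interface at all, since that is exactly the case the security-level discussion warns about, and it also fails when a permit entry that overlaps the management subnet precedes the deny. The deny must use protocol ip and an any source; a narrower deny (a single protocol, a single source subnet) leaves other management flows able to leak.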

Fix Text (F-17747r2_fix)
With the exception of management traffic destined to perimeter equipment, a firewall located behind the premise router must be configured to block all outbound management traffic.