Traffic entering the tunnels is not restricted to only the authorized management packets based on destination address.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-17835	NET1006	SV-19312r1_rule		Medium

Description
Similar to the OOBM model, when the production network is managed in-band, the management network could also be housed at a NOC that is located locally or remotely at a single or multiple interconnected sites. NOC interconnectivity as well as connectivity between the NOC and the managed networks’ premise routers would be enabled using either provisioned circuits or VPN technologies such as IPSec tunnels or MPLS VPN services.

Description

Similar to the OOBM model, when the production network is managed in-band, the management network could also be housed at a NOC that is located locally or remotely at a single or multiple interconnected sites. NOC interconnectivity as well as connectivity between the NOC and the managed networks’ premise routers would be enabled using either provisioned circuits or VPN technologies such as IPSec tunnels or MPLS VPN services.

STIG	Date
Firewall Security Technical Implementation Guide - Cisco	2017-12-07

Details

Check Text ( C-20261r1_chk )
Verify that all traffic from the managed network to the management network and vice-versa is secured via IPSec encapsulation. In the configuration examples, 10.2.2.0/24 is the management network at the NOC and 192.168.1.0/24 is address space used at the network being managed (i.e., the enclave). When the AS PIC receives traffic on the inside interface associated with a service set, the AS PIC applies the configured Layer 3 services and then forwards the packet back to the router through the outside interface. Likewise, when the AS PIC receives traffic on the outside interface associated with a service set, it forwards the packet back to the router through the inside interface after applying the configured Layer 3 services. hostname VPN-Gateway1 ! interface Ethernet0/0 nameif Outside security-level 0 ip address 19.16.1.254 255.255.255.252 ! interface Ethernet0/1 nameif Inside security-level 100 ip address 192.168.1.15 255.255.255.0 ! isakmp policy 10 authentication pre-share isakmp policy 10 encryption 3des isakmp policy 10 hash sha isakmp policy 10 group 2 isakmp policy 10 lifetime 86400 crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto map Outside_map ipsec-isakmp crypto map Outside_map 20 match address 101 crypto map Outside_map 20 set peer 19.16.2.254 crypto map Outside_map 20 set transform-set ESP-3DES-SHA crypto map Outside_map interface Outside ! isakmp key ***** 19.16.2.254 netmask 255.255.255.255 isakmp enable Outside ! access-list 101 permit ip any 10.2.2.0 255.255.255.0 sysopt connection permit-ipsec Note: Access lists can be defined for PIX/ASA using the familiar IOS software ACL format. However, one important difference exists between the PIX/ASA and IOS ACL formats: PIXs use real subnet masks (a 1 bit matches, and a 0 bit ignores), whereas IOS platforms use a wildcard mask (a 0 bit matches, and a 1 bit ignores).

Check Text ( C-20261r1_chk )

Verify that all traffic from the managed network to the management network and vice-versa is secured via IPSec encapsulation. In the configuration examples, 10.2.2.0/24 is the management network at the NOC and 192.168.1.0/24 is address space used at the network being managed (i.e., the enclave). When the AS PIC receives traffic on the inside interface associated with a service set, the AS PIC applies the configured Layer 3 services and then forwards the packet back to the router through the outside interface. Likewise, when the AS PIC receives traffic on the outside interface associated with a service set, it forwards the packet back to the router through the inside interface after applying the configured Layer 3 services.

hostname VPN-Gateway1
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 19.16.1.254 255.255.255.252
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.1.15 255.255.255.0
!
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map ipsec-isakmp
crypto map Outside_map 20 match address 101
crypto map Outside_map 20 set peer 19.16.2.254
crypto map Outside_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
!
isakmp key ***** 19.16.2.254 netmask 255.255.255.255
isakmp enable Outside
!
access-list 101 permit ip any 10.2.2.0 255.255.255.0
sysopt connection permit-ipsec

Note: Access lists can be defined for PIX/ASA using the familiar IOS software ACL format. However, one important difference exists between the PIX/ASA and IOS ACL formats: PIXs use real subnet masks (a 1 bit matches, and a 0 bit ignores), whereas IOS platforms use a wildcard mask (a 0 bit matches, and a 1 bit ignores).

Fix Text (F-17752r1_fix)
Where IPSec technology is deployed to connect the managed network to the NOC, it is imperative that the traffic entering the tunnels is restricted to only the authorized management packets based on destination address.