
The firewall implementation must route all management traffic through a dedicated management interface.


Overview

Finding ID: SRG-NET-000198-FW-000122
Version: SRG-NET-000198-FW-000122
Rule ID: SRG-NET-000198-FW-000122_rule
IA Controls: (none listed)
Severity: Medium
Description
Although the firewall is not responsible for routing all network management traffic to the management network, it must route all of its own outgoing management communications through the OOBM interface. If management traffic is allowed onto the user network segments, privileged information may be intercepted by non-privileged users, which could lead to the compromise of network devices. The firewall is installed in stealth mode with one interface installed on the management network. This interface is used for communications with the firewall and other network elements. If in-band management is required because of mission requirements, a dedicated IP address for the remote management client, as well as traffic encryption, is required.
STIG: Firewall Security Requirements Guide
Date: 2012-12-10

Details

Check Text (C-SRG-NET-000198-FW-000122_chk)
Verify the OOBM interface on the firewall is configured with an IP address from the address space belonging to the OOBM network.
After determining which interface is connected to the OOBM access switch, review the managed device configuration.
Verify the interface has been assigned an address from the local management address block.

If management traffic is not directed through a dedicated management interface for purposes of access control and auditing, this is a finding.
Fix Text (F-SRG-NET-000198-FW-000122_fix)
Configure the firewall implementation's OOBM interface with an IP address from the address space belonging to the OOBM network.
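An added example (not part of the STIG or any vendor's tooling) that automates the check above against an exported firewall configuration: it verifies that exactly one interface is designated for management, that its address falls within the OOBM address block, and that every management service (including outgoing ones such as syslog) is bound to that interface. The line-oriented config format, the interface and service names, and the 10.200.1.0/24 OOBM block are constructed assumptions for illustration.

```python
import ipaddress

# Constructed sample configuration in an assumed vendor-neutral format.
# One management service (syslog) is deliberately bound to a user-facing
# interface so the check produces a finding.
SAMPLE_CONFIG = """
interface mgmt0 ip 10.200.1.15/24 role management
interface eth1 ip 192.0.2.1/24 role outside
interface eth2 ip 172.16.5.1/24 role inside
service ssh bind mgmt0
service snmp bind mgmt0
service syslog bind eth2
"""

# Assumed local management address block for the OOBM network.
OOBM_NETWORK = ipaddress.ip_network("10.200.1.0/24")


def parse_config(text):
    """Return ({iface: {ip, role}}, {service: bound_iface}) from the config text."""
    interfaces, services = {}, {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "interface":
            # interface <name> ip <addr/prefix> role <role>
            interfaces[parts[1]] = {"ip": ipaddress.ip_interface(parts[3]),
                                    "role": parts[5]}
        elif parts[0] == "service":
            # service <name> bind <interface>
            services[parts[1]] = parts[3]
    return interfaces, services


def check_oobm(interfaces, services, oobm_net):
    """Return a list of findings; an empty list means the rule is satisfied."""
    findings = []
    mgmt = [name for name, i in interfaces.items() if i["role"] == "management"]
    if len(mgmt) != 1:
        return ["no single dedicated management interface is configured"]
    name = mgmt[0]
    if interfaces[name]["ip"].ip not in oobm_net:
        findings.append(f"{name} address {interfaces[name]['ip']} is outside OOBM block {oobm_net}")
    for svc, bound in services.items():
        if bound != name:
            findings.append(f"management service {svc} is bound to {bound}, not {name}")
    return findings


if __name__ == "__main__":
    for f in check_oobm(*parse_config(SAMPLE_CONFIG), OOBM_NETWORK):
        print("FINDING:", f)
```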