UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The firewall must restrict traffic entering the VPN tunnels to the management network to only the authorized management packets based on destination address.


Overview

Finding ID Version Rule ID IA Controls Severity
V-206708 SRG-NET-000364-FW-000036 SV-206708r855868_rule Medium
Description
Protect the management network with a filtering firewall configured to block unauthorized traffic. This requirement is similar to the out-of-band management (OOBM) model, when the production network is managed in-band. The management network could also be housed at a Network Operations Center (NOC) that is located locally or remotely at a single or multiple interconnected sites. NOC interconnectivity, as well as connectivity between the NOC and the managed networks’ premise routers, would be enabled using either provisioned circuits or VPN technologies such as IPsec tunnels or MPLS VPN services.
STIG Date
Firewall Security Requirements Guide 2024-05-28

Details

Check Text ( C-6965r297903_chk )
Inspect the architecture diagrams. Inspect the NOC and the managed network. Note that the IPsec tunnel endpoints may be configured on the premise or gateway router, the VPN gateway firewall, or a VPN concentrator.

Verify that all traffic between the managed network and management network and vice-versa is secured via IPsec encapsulation.

If the firewall does not restrict traffic entering the VPN tunnels to the management network to only the authorized management packets based on destination address, this is a finding.
Fix Text (F-6965r297904_fix)
Where IPsec technology is deployed to connect the managed network to the NOC, restrict the traffic entering the tunnels so that only the authorized management packets with authorized destination addresses are permitted.