The IDPS must prevent the exposure of network management traffic onto a user or production network.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-NET-000183-IDPS-000186	SRG-NET-000183-IDPS-000186	SRG-NET-000183-IDPS-000186_rule		Medium

Description
Network management is the process of monitoring the IDPS and links, configuring the IDPS to turn up and disable network services, the collection of performance, diagnostics, and other relevant data about each element to ensure availability and that services are being delivered to meet or exceed service level agreements. Whether a network is being managed locally or from a Network Operations Center (NOC), achieving network management objectives depends on comprehensive and reliable network management solutions. From an architectural perspective, implementing out of band (OOB) management for the IDPS is a best practice and the first step in the deployment of a management network. OOBM networks isolate network users from communication channels dedicated to network management and thereby provide traffic separation to increase security for all network management activities. If management traffic traverses the user network, privileged information could be leaked to unauthorized users. The IDPS is not a subnetting device; however, sensor can be placed to monitor each subnet for possible leaks between the user production network and the management network to provide added assurance for traffic separation.

Description

Network management is the process of monitoring the IDPS and links, configuring the IDPS to turn up and disable network services, the collection of performance, diagnostics, and other relevant data about each element to ensure availability and that services are being delivered to meet or exceed service level agreements. Whether a network is being managed locally or from a Network Operations Center (NOC), achieving network management objectives depends on comprehensive and reliable network management solutions. From an architectural perspective, implementing out of band (OOB) management for the IDPS is a best practice and the first step in the deployment of a management network. OOBM networks isolate network users from communication channels dedicated to network management and thereby provide traffic separation to increase security for all network management activities. If management traffic traverses the user network, privileged information could be leaked to unauthorized users. The IDPS is not a subnetting device; however, sensor can be placed to monitor each subnet for possible leaks between the user production network and the management network to provide added assurance for traffic separation.

STIG	Date
IDPS Security Requirements Guide (SRG)	2012-03-08

Details

Check Text ( C-43332_chk )
Verify a rule has been created to monitor traffic from the network management network. Verify the rule either sends an alert or blocks traffic that is destined for the user network or other unauthorized network segments. If a rule does not exist to prevent network management traffic from traversing the user production network, this is a finding.

Fix Text (F-43332_fix)
Create a rule to monitor and block management traffic from traversing the user production network.