| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| SRG-NET-000198-IDPS-000205 | SRG-NET-000198-IDPS-000205 | SRG-NET-000198-IDPS-000205_rule | | Medium |
| Description |
|---|
| Implementing out-of-band (OOB) management for the IDPS is the first step in the deployment of a management network. OOBM networks isolate network users from the communication channels dedicated to network management, thereby providing traffic separation that increases security for all network management activities. The management network should have a direct connection to the management interface of the sensors and of the management console. Where this is not possible, the OOB management traffic can traverse a transient IP backbone via a private encrypted tunnel. Regardless of transport, all management traffic received by the managed IDPS must arrive on a dedicated management interface connected to the OOBM network. If management traffic is allowed onto the user network segments, privileged information may be intercepted by non-privileged users, which could lead to the compromise of network devices. IDPS sensors are installed in stealth mode, with one interface connected to the management network. This interface is used for communications with the management console and other network elements. The management console is installed on the management network. |
| STIG | Date |
|---|---|
| IDPS Security Requirements Guide (SRG) | 2012-03-08 |
| Check Text (C-43364_chk) |
|---|
| Verify the OOBM interface for all sensors is configured with an IP address from the address space belonging to the OOBM network. After determining which interface is connected to the OOBM access switch, review the managed device configuration. Verify the interface has been assigned an address from the local management address block. If management traffic is not directed through a dedicated management interface for purposes of access control and auditing, this is a finding. |
| Fix Text (F-43364_fix) |
|---|
| Configure the IDPS's OOBM interface with an IP address from the address space belonging to the OOBM network. |
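The check text above is a manual review step: find the interface cabled to the OOBM access switch, then confirm its address falls inside the local management address block and that management traffic is not accepted anywhere else. The script below is an added example of automating that review over an exported configuration; it is not part of the SRG or of any vendor's tooling. The configuration format (`interface NAME` followed by indented `ip address` and `management` lines), the interface names `mgmt0`/`eth1`/`eth2`, and the OOBM block `10.200.1.0/24` are all constructed for the example.

```python
"""Automated pass over the SRG-NET-000198-IDPS-000205 check.

Added example, not SRG or vendor code. The config syntax, interface names
and address block below are constructed for illustration.
"""
import ipaddress
import re

# Constructed sample: a simplified, vendor-neutral interface listing from a
# sensor. mgmt0 is the OOBM interface; eth1 is the stealth monitoring port
# (no address); eth2 sits on a user segment but has management enabled,
# which is exactly the condition the check text calls a finding.
SAMPLE_CONFIG = """\
interface mgmt0
 description OOBM to management access switch
 ip address 10.200.1.25/24
 management
interface eth1
 description monitoring span port (stealth, no IP)
 no ip address
interface eth2
 description user segment
 ip address 192.0.2.17/24
 management
"""

# Constructed: the address block allocated to the OOBM network at this site.
OOBM_BLOCK = ipaddress.ip_network("10.200.1.0/24")


def parse_interfaces(config: str) -> dict:
    """Return {name: {"address": IPv4Interface | None, "management": bool}}.

    Parses the constructed format above: an 'interface NAME' line followed
    by indented attribute lines. 'no ip address' deliberately does not match
    the address regex because re.match anchors at the start of the line.
    """
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"address": None, "management": False}
            continue
        if current is None:
            continue
        m = re.match(r"ip address (\S+)$", line)
        if m:
            interfaces[current]["address"] = ipaddress.ip_interface(m.group(1))
        elif line == "management":
            interfaces[current]["management"] = True
    return interfaces


def check_oobm(config: str, oobm_block: ipaddress.IPv4Network) -> list:
    """Apply the check: every interface that accepts management traffic must
    carry an address inside the OOBM block. Returns a list of
    (interface_name, reason) findings; an empty list means compliant."""
    findings = []
    interfaces = parse_interfaces(config)
    mgmt_ifaces = {n: a for n, a in interfaces.items() if a["management"]}

    if not mgmt_ifaces:
        # No dedicated management interface at all: management traffic cannot
        # be directed through the OOBM network, so this is a finding.
        findings.append(("<none>", "no dedicated management interface configured"))

    for name, attrs in mgmt_ifaces.items():
        addr = attrs["address"]
        if addr is None:
            findings.append((name, "management enabled but no IP address assigned"))
        elif addr.ip not in oobm_block:
            findings.append(
                (name, f"management enabled on {addr} outside OOBM block {oobm_block}")
            )
    return findings


if __name__ == "__main__":
    for iface, reason in check_oobm(SAMPLE_CONFIG, OOBM_BLOCK) or [("-", "compliant")]:
        print(f"{iface}: {reason}")
```

On the constructed sample the script reports one finding for `eth2`, because management is reachable on a user-segment address, while `mgmt0` passes. Against a real device the parser would need to follow that vendor's configuration syntax; the decision logic (management enabled implies address inside the OOBM block) is the part that maps directly onto the check text.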