A secure out-of-band (OOB) network must be used for management of Infoblox Grid Members.


Overview

Finding ID: V-233882
Version: IDNS-8X-400024
Rule ID: SV-233882r621666_rule
IA Controls: (none listed)
Severity: High
Description
The Infoblox Grid Master is the central point of management within an Infoblox Grid. The Grid Master retains a full copy of the configuration used for the entire Grid. The Grid Master must communicate to Grid Members using their Management port connected to an OOB network that clients cannot access.
STIG: Infoblox 8.x DNS Security Technical Implementation Guide
Date: 2021-01-11

Details

Check Text (C-37067r611166_chk)
Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable.

1. Navigate to Grid >> Grid Manager >> Members tab.
2. Review the Grid Master network configuration and verify placement on an OOB network.
3. Review services enabled on the Grid Master and verify that no client services are enabled.
4. The only acceptable service is DNS, and only when the Grid uses DNSSEC-signed zones, because the Grid Master must have DNS enabled to sign those zones.

If DNSSEC is enabled, verify that the Grid Master is marked as "Stealth" for every zone it serves, so that it is never listed as a client-facing name server.

If an Infoblox Grid Member does not use the MGMT port for configuration through an OOB connection, this is a finding.
Fix Text (F-37032r611167_fix)
1. Navigate to Grid >> Grid Manager >> Members tab.
2. Edit each member; on the "Network" tab, configure the MGMT port, and in the "Advanced" portion of that tab, enable VPN over MGMT.
3. Grid Masters and Grid Master candidates use the LAN1 port for communication and should not allow any direct client access.
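The check and fix steps above amount to three conditions per Grid member: the member is managed over its MGMT port with VPN over MGMT, Grid Masters and candidates expose no client services except DNS when the Grid signs DNSSEC zones, and a DNSSEC-signing Grid Master is Stealth for every zone. The script below is an added example, not Infoblox code or part of the STIG; it runs that logic over a constructed member inventory. The `GridMember` record layout and all field names are assumptions made for this example (they are not the NIOS object model), so map them onto whatever export of the Grid >> Grid Manager >> Members view your environment produces.

```python
"""Compliance check for the Infoblox OOB-management requirement (V-233882).

Added example: the record layout below is constructed for this script and is
not Infoblox's own API or data model.
"""
from dataclasses import dataclass, field


@dataclass
class GridMember:
    """Assumed inventory record for one Grid member (constructed shape)."""
    name: str
    role: str                      # "master", "master_candidate" or "member"
    mgmt_port_enabled: bool        # MGMT port configured on the "Network" tab
    vpn_over_mgmt: bool            # "VPN over MGMT" enabled under "Advanced"
    services: set = field(default_factory=set)  # client-facing services enabled
    dnssec_signing: bool = False   # Grid uses DNSSEC-signed zones
    stealth_for_all_zones: bool = False  # marked "Stealth" for every zone served


def check_member(m: GridMember, classified_network: bool = False) -> list:
    """Return finding strings for one member; an empty list means compliant."""
    if classified_network:
        return []  # the requirement is Not Applicable on a classified network
    findings = []

    # Every member must be configured through the MGMT port over an OOB link.
    if not m.mgmt_port_enabled:
        findings.append(f"{m.name}: MGMT port not configured for OOB management")
    elif not m.vpn_over_mgmt:
        findings.append(f"{m.name}: VPN over MGMT not enabled")

    # The fix text groups Grid Master candidates with the Grid Master, so both
    # are held to the no-client-services rule here (assumption of this example).
    if m.role in ("master", "master_candidate"):
        allowed = {"DNS"} if m.dnssec_signing else set()
        for svc in sorted(m.services - allowed):
            findings.append(f"{m.name}: client service {svc} enabled on {m.role}")
        # DNS is tolerated only for DNSSEC signing, and then only in Stealth mode.
        if "DNS" in m.services and m.dnssec_signing and not m.stealth_for_all_zones:
            findings.append(
                f"{m.name}: DNS enabled for DNSSEC signing but not Stealth for all zones"
            )
    return findings


def audit(members: list, classified_network: bool = False) -> list:
    """Run check_member over an inventory and flatten the findings."""
    return [f for m in members for f in check_member(m, classified_network)]


# Constructed sample inventory: one compliant master, one candidate that also
# serves DHCP, and two members with incomplete MGMT-port configuration.
SAMPLE = [
    GridMember("gm01", "master", True, True, {"DNS"},
               dnssec_signing=True, stealth_for_all_zones=True),
    GridMember("gmc01", "master_candidate", True, True, {"DNS", "DHCP"},
               dnssec_signing=True, stealth_for_all_zones=True),
    GridMember("ns01", "member", False, False, {"DNS"}),
    GridMember("ns02", "member", True, False, {"DNS"}),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

Run against the sample inventory, the script reports the DHCP service on the candidate and the two members whose MGMT port or VPN over MGMT is not configured, while the Stealth DNSSEC-signing master produces no finding; passing `classified_network=True` suppresses all findings, matching the Not Applicable note in the check text.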