
Traffic from the managed network is able to access the OOBM gateway router


Overview

Finding ID: V-17817
Version: NET0987
Rule ID: SV-19301r1_rule
IA Controls: none listed
Severity: Medium
Description
If the gateway router is not a device dedicated to the OOBM network, several safeguards must be implemented to keep management and production traffic within their respective boundaries. It is imperative that hosts on the managed network are not able to access the OOBM gateway router.
STIG: Infrastructure L3 Switch - Cisco Security Technical Implementation Guide
Date: 2017-09-28

Details

Check Text (C-20202r1_chk)
Review the ACL or filters for the router’s receive path and verify that only traffic sourced from the management network is allowed to access the router. This would include both management and control plane traffic.

Step 1: Verify that the global ip receive acl statement has been configured as shown in the following example:

ip receive acl 199

Note: The IOS IP Receive ACL feature filters traffic that is destined for the router itself (the receive path), as opposed to transit traffic. Receive ACL filtering occurs after any input ACL bound to the ingress interface. On distributed platforms (e.g., the 12000 series), the receive ACL is applied on the line cards before packets reach the route processor, so a flood of traffic aimed at the router cannot degrade the route processor's performance.

Step 2: Determine the address block of the management network at the NOC. In the example configuration below, 10.2.2.0/24 is the management network at the NOC.

Step 3: Verify that the ACL referenced by the ip receive acl statement restricts all management plane traffic to the validated network management address block at the NOC. Management traffic can include telnet, SSH, SNMP, TACACS, RADIUS, TFTP, FTP, and ICMP. Control plane traffic from OOBM backbone neighbors should also be allowed to access the router. The ACL configuration should look similar to the following:

access-list 199 deny ip any any fragments
access-list 199 permit ospf 10.1.20.0 0.0.0.255 any
access-list 199 permit tcp 10.2.2.0 0.0.0.255 any eq ssh
access-list 199 permit udp host 10.2.2.24 any eq snmp
access-list 199 permit udp host 10.2.2.25 any eq snmp
access-list 199 permit udp host 10.2.2.26 any eq ntp
access-list 199 permit udp host 10.2.2.27 any eq ntp
access-list 199 permit tcp host 10.2.2.30 eq tacacs any gt 1023 established
access-list 199 permit tcp host 10.2.2.77 eq ftp any gt 1023 established
access-list 199 permit tcp host 10.2.2.77 gt 1024 any eq ftp-data
access-list 199 permit icmp 10.2.2.0 0.0.0.255 any
access-list 199 deny ip any any log

In the example above, the OSPF neighbors would be adjacencies with the OOBM backbone network 10.1.20.0/24. The entries with the established keyword admit only return traffic for TACACS+ and FTP sessions that the router itself initiated toward the NOC servers, and the leading fragment deny drops non-initial fragments, which carry no Layer 4 header and would otherwise be matched on source address alone.
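The three steps above can be checked offline against a saved copy of the running configuration. The following is an added example, not part of the STIG or of any Cisco tooling: it locates the global ip receive acl statement, parses the numbered ACL it references, and reports any permit whose source lies outside the allowed blocks (the NOC management network and the OOBM backbone), along with the leading fragment deny and the trailing logged deny from the example above. It assumes a hypothetical device whose config is the plain text of show running-config, a numbered extended ACL written in single-line access-list N form, and allowed source blocks supplied by the auditor; the sample config and its offending telnet entry from 192.168.50.0/24 are constructed for the demonstration.

```python
"""Offline audit of a Cisco IOS receive-path ACL against rule NET0987.

Added example (not from the STIG). Assumptions not in the original: the input
is the plain text of `show running-config`, the receive ACL is a numbered
extended ACL in single-line `access-list N ...` form, and the auditor supplies
the NOC management block and OOBM backbone block(s) as allowed sources.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample config for a hypothetical OOBM gateway (not from the page).
# The telnet entry from 192.168.50.0/24 is a deliberate violation of the rule.
SAMPLE_CONFIG = """\
hostname oobm-gw
!
ip receive acl 199
!
access-list 199 deny ip any any fragments
access-list 199 permit ospf 10.1.20.0 0.0.0.255 any
access-list 199 permit tcp 10.2.2.0 0.0.0.255 any eq ssh
access-list 199 permit udp host 10.2.2.24 any eq snmp
access-list 199 permit tcp host 10.2.2.30 eq tacacs any gt 1023 established
access-list 199 permit icmp 10.2.2.0 0.0.0.255 any
access-list 199 permit tcp 192.168.50.0 0.0.0.255 any eq telnet
access-list 199 deny ip any any log
"""

ACE_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(.+)$")


@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    source: ipaddress.IPv4Network
    line: str


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert IOS address + wildcard mask to a network.

    The wildcard is inverted explicitly instead of being handed to ipaddress,
    because 0.0.0.0 is both a valid netmask (/0) and a valid hostmask (/32).
    A non-contiguous wildcard raises ValueError.
    """
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)


def parse_source(tokens):
    """Consume the source spec (any | host A | A W) and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(config: str, number: str):
    """Return the ACEs of numbered ACL `number` in configured order (remarks skipped)."""
    entries = []
    for raw in config.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m or m.group(1) != number:
            continue
        source, _rest = parse_source(m.group(4).split())
        entries.append(Ace(number, m.group(2), m.group(3), source, raw.strip()))
    return entries


def find_receive_acl(config: str):
    """Return the ACL number from the global `ip receive acl` statement, or None."""
    m = re.search(r"^\s*ip receive acl (\d+)\s*$", config, re.MULTILINE)
    return m.group(1) if m else None


def audit_receive_acl(config: str, allowed_sources):
    """Return a list of findings; an empty list means the receive path passes.

    A permit is acceptable only if its source lies entirely inside an allowed
    block, so `any` and managed-network sources are flagged. The leading
    fragment drop and trailing logged deny from the STIG example are checked too.
    """
    allowed = [ipaddress.IPv4Network(a) for a in allowed_sources]
    number = find_receive_acl(config)
    if number is None:
        return ["no 'ip receive acl' configured; receive path is unfiltered"]
    entries = parse_acl(config, number)
    if not entries:
        return [f"'ip receive acl {number}' references an ACL with no entries"]
    findings = []
    for ace in entries:
        if ace.action == "permit" and not any(ace.source.subnet_of(n) for n in allowed):
            findings.append(f"permit from non-management source {ace.source}: {ace.line}")
    first, last = entries[0], entries[-1]
    if not (first.action == "deny" and first.line.endswith(" fragments")):
        findings.append("ACL does not begin with 'deny ip any any fragments'")
    if not (last.action == "deny" and last.proto == "ip"
            and last.source.prefixlen == 0 and last.line.endswith(" log")):
        findings.append("ACL does not end with 'deny ip any any log'; denied hits are not logged")
    return findings


if __name__ == "__main__":
    for finding in audit_receive_acl(SAMPLE_CONFIG, ["10.2.2.0/24", "10.1.20.0/24"]):
        print("FINDING:", finding)
```

Run against the constructed sample, the audit reports exactly one finding, the telnet permit sourced from 192.168.50.0/24; remove that line and it reports none. Only the source half of each entry is interpreted, which is all the rule turns on; a source of any fails the check regardless of protocol or port, since it would admit the managed network.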

If the platform does not support the receive path filter, then verify that every non-OOBM interface has an ingress ACL restricting access to that interface's address and to any of the router's loopback addresses to traffic sourced from the management network only. The one exception is to allow packets destined to these interfaces that are used for troubleshooting, such as ping and traceroute.

Fix Text (F-17732r1_fix)
Ensure that traffic from the managed network is not able to access the OOBM gateway router using either receive path or interface ingress ACLs.