
IGP instances configured on the OOBM gateway router do not peer only with their appropriate routing domain


Overview

Finding ID: V-17815
Version: NET0985
Rule ID: SV-19297r1_rule
IA Controls:
Severity: Medium
Description
If the gateway router is not a dedicated device for the OOBM network, several safeguards must be implemented for containment of management and production traffic boundaries. Since the managed network and the management network are separate routing domains, separate IGP routing instances must be configured on the router—one for the managed network and one for the OOBM network.
STIG: Infrastructure Router Security Technical Implementation Guide Cisco
Date: 2018-11-27

Details

Check Text (C-20142r1_chk)
Verify that the OOBM interface is an adjacency only in the IGP routing domain for the management network. The following would be an example where EIGRP is run on the management network 10.0.0.0 and OSPF in the managed network 172.20.0.0. The network 10.1.20.0/24 is the OOBM backbone and 10.1.1.0 is the local management LAN connecting to the OOBM interfaces of the managed network (i.e., the private and service network) elements.

interface Serial0/0
description to_OOBM_Backbone
ip address 10.1.20.3 255.255.255.0
interface Fastethernet 0/0
description Enclave_Management_LAN
ip address 10.1.1.1 255.255.255.0
interface Fastethernet 0/1
description to_our_PrivateNet
ip address 172.20.4.2 255.255.255.0
interface Fastethernet 0/2
description to_our_ServiceNet
ip address 172.20.5.2 255.255.255.0
!
router ospf 1
network 172.20.0.0 0.0.255.255 area 0
!
router eigrp 12
network 10.0.0.0
passive-interface Fastethernet 0/0

Note: the passive-interface command is configured to avoid building an EIGRP adjacency with a managed router, while at the same time, enabling EIGRP to advertise the enclave’s management subnet to the EIGRP neighbors of the management network backbone.
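The check above is easy to do by eye for four interfaces and tedious for forty. The following is an added example, not part of the STIG and not Cisco tooling: a small Python audit that parses an IOS-style running-config, resolves which IGP instances' network statements cover each interface address (using the IOS wildcard-mask match, with classful wildcards for EIGRP statements that omit a mask), and flags interfaces that are covered by the wrong routing domain's instance, by more than one instance, or by none. The domain-to-IGP policy in DOMAINS and both sample configs are constructed for the example and modelled on the check text.

```python
"""Audit an IOS-style config for STIG V-17815 (NET0985): every interface on a
non-dedicated OOBM gateway must be covered by the IGP instance of its own
routing domain and by no other. Added example, not part of the STIG."""
import ipaddress

# Constructed configs modelled on the check text. Management domain 10.0.0.0/8
# runs EIGRP 12; managed (production) domain 172.20.0.0/16 runs OSPF 1.
GOOD_CONFIG = """\
interface Serial0/0
 ip address 10.1.20.3 255.255.255.0
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
interface FastEthernet0/1
 ip address 172.20.4.2 255.255.255.0
!
router ospf 1
 network 172.20.0.0 0.0.255.255 area 0
!
router eigrp 12
 network 10.0.0.0
 passive-interface FastEthernet0/0
"""
# Constructed non-compliant variant: OSPF leaks into the management domain,
# the EIGRP network statement is too narrow, and one interface is uncovered.
BAD_CONFIG = """\
interface Serial0/0
 ip address 10.1.20.3 255.255.255.0
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
interface FastEthernet0/1
 ip address 172.20.4.2 255.255.255.0
interface FastEthernet0/2
 ip address 172.20.5.2 255.255.255.0
!
router ospf 1
 network 10.1.0.0 0.0.255.255 area 0
 network 172.20.4.0 0.0.0.255 area 0
!
router eigrp 12
 network 10.1.20.0 0.0.0.255
"""
# Assumed site policy: which IGP instance owns which routing domain.
DOMAINS = {
    "management": (ipaddress.ip_network("10.0.0.0/8"), ("eigrp", "12")),
    "managed": (ipaddress.ip_network("172.20.0.0/16"), ("ospf", "1")),
}

def classful_wildcard(net: ipaddress.IPv4Address) -> int:
    """Wildcard implied by a classful 'network' statement that has no mask."""
    first = int(net) >> 24
    return 0x00FFFFFF if first < 128 else 0x0000FFFF if first < 192 else 0x000000FF

def parse_config(text: str):
    """Return ({intf_name: IPv4Interface}, {(proto, id): {'networks', 'passive'}})."""
    interfaces, igps, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.split()
        if line.startswith("interface "):
            section = ("intf", "".join(parts[1:]).lower())   # 'FastEthernet 0/0' -> 'fastethernet0/0'
        elif line.startswith("router "):
            section = ("igp", (parts[1], parts[2]))
            igps[section[1]] = {"networks": [], "passive": set()}
        elif section and section[0] == "intf" and line.startswith("ip address "):
            interfaces[section[1]] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
        elif section and section[0] == "igp" and line.startswith("network "):
            net = ipaddress.ip_address(parts[1])
            wild = int(ipaddress.ip_address(parts[2])) if len(parts) > 2 else classful_wildcard(net)
            igps[section[1]]["networks"].append((int(net), wild))
        elif section and section[0] == "igp" and line.startswith("passive-interface "):
            igps[section[1]]["passive"].add("".join(parts[1:]).lower())
    return interfaces, igps

def matching_igps(addr: ipaddress.IPv4Address, igps) -> list:
    """IGP instances whose network statements cover addr (IOS wildcard match)."""
    hits = []
    for pid, data in igps.items():
        for net, wild in data["networks"]:
            keep = 0xFFFFFFFF ^ wild          # bits that must match
            if (int(addr) & keep) == (net & keep):
                hits.append(pid)
                break
    return hits

def audit(text: str) -> dict:
    """Map each addressed interface to 'ok', 'ok (passive)', 'uncovered',
    'multiple:<instances>' or 'wrong-domain:<instance>'."""
    interfaces, igps = parse_config(text)
    report = {}
    for name, intf in interfaces.items():
        domain = next((d for d, (pfx, _) in DOMAINS.items() if intf.ip in pfx), None)
        hits = matching_igps(intf.ip, igps)
        if not hits:
            report[name] = "uncovered"
        elif len(hits) > 1:                  # two instances share the link: finding
            report[name] = "multiple:" + ",".join(" ".join(h) for h in hits)
        elif domain is None or hits[0] != DOMAINS[domain][1]:
            report[name] = "wrong-domain:" + " ".join(hits[0])
        else:
            report[name] = "ok (passive)" if name in igps[hits[0]]["passive"] else "ok"
    return report
```

Run audit(GOOD_CONFIG) and audit(BAD_CONFIG) to compare the two: the compliant config reports every interface as ok (the management LAN as passive), while the non-compliant one surfaces one interface with two adjacencies, one owned by the wrong instance, and one advertised by nobody. A "multiple" result is the one that directly violates this rule; "uncovered" is not a finding for this rule but usually indicates a typo in a network statement worth a second look.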

If the non-dedicated OOBM gateway and the NOC gateway are not connected by an OOB backbone—that is, connectivity is provided over an IP backbone (i.e., NIPRNet)—and an IGP is used to advertise routes within the management network, the IGP traffic must be encapsulated in GRE so that it can traverse the IPsec tunnel. The configuration below is an example of GRE over IPsec. The IPsec policy is applied to the GRE traffic that encapsulates the IGP packets (notice that the EIGRP network statement covers the GRE tunnel address; hence EIGRP will form adjacencies with neighbors on the other side of this tunnel).

Premise Router Configuration
crypto isakmp policy 10
authentication pre-share
crypto isakmp key ourkey address 166.4.24.3
!
crypto ipsec transform-set VPN-trans esp-3des esp-md5-hmac
!
crypto map vpnmap 10 ipsec-isakmp
set peer 166.4.24.3
set transform-set VPN-trans
match address 102
!
interface Ethernet1
ip address 10.1.1.1 255.255.255.0
!
interface Serial1/0
ip address 141.22.4.3 255.255.255.252
crypto map vpnmap
!
interface Tunnel0
ip address 10.10.255.1 255.255.255.252
ip mtu 1400
tunnel source Serial1/0
tunnel destination 166.4.24.3
!
router eigrp 100
network 10.0.0.0 0.255.255.255
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 141.22.4.1
!
access-list 102 permit gre host 141.22.4.3 host 166.4.24.3
OOBM VPN Gateway Configuration

crypto isakmp policy 10
authentication pre-share
crypto isakmp key ourkey address 141.22.4.3
!
crypto ipsec transform-set VPN-trans esp-3des esp-md5-hmac
!
crypto map vpnmap 10 ipsec-isakmp
set peer 141.22.4.3
set transform-set VPN-trans
match address 102
!
interface Ethernet1
ip address 10.1.2.1 255.255.255.0
!
interface Serial1/0
ip address 166.4.24.3 255.255.255.252
crypto map vpnmap
!
interface Tunnel0
ip address 10.10.255.2 255.255.255.252
ip mtu 1400
tunnel source Serial1/0
tunnel destination 141.22.4.3
!
router eigrp 100
network 10.0.0.0 0.255.255.255
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 166.4.24.1
!
access-list 102 permit gre host 166.4.24.3 host 141.22.4.3

Fix Text (F-17730r1_fix)
Ensure that the multiple IGP instances configured on the OOBM gateway router peer only with their appropriate routing domain. Verify that all interfaces are configured for the appropriate IGP instance.