Management traffic is not restricted to only the authorized management packets based on destination and source IP address.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-17754	NET1807	SV-19322r1_rule	ECNK-1	Medium

Description
The Out-of-Band Management (OOBM) network is an IP network used exclusively for the transport of OAM&P data from the network being managed to the OSS components located at the NOC. Its design provides connectivity to each managed network element enabling network management traffic to flow between the managed NEs and the NOC. This allows the use of paths separate from those used by the network being managed. Traffic from the managed network to the management network and vice-versa must be secured via IPSec encapsulation.

Description

The Out-of-Band Management (OOBM) network is an IP network used exclusively for the transport of OAM&P data from the network being managed to the OSS components located at the NOC. Its design provides connectivity to each managed network element enabling network management traffic to flow between the managed NEs and the NOC. This allows the use of paths separate from those used by the network being managed. Traffic from the managed network to the management network and vice-versa must be secured via IPSec encapsulation.

STIG	Date
Infrastructure Router Security Technical Implementation Guide Juniper	2013-10-08

Details

Check Text ( C-20303r1_chk )
Where IPSec technology is deployed to connect the OOBM gateway routers or firewall, the traffic entering the tunnels must be restricted to only the authorized management packets based on destination and source IP address from the address block used for the management network. Verify that all traffic from the managed network to the management network and vice-versa is secured via IPSec encapsulation. In the configuration examples, 10.2.2.0/24 is the management network at the NOC and 10.1.1.0/24 is the management address block used at the network being managed (i.e., the enclave). Example from a show services command with Juniper M or T series router with Adaptive Services PIC using next-hop style is as follows: service-set vpn-to-NOC { next-hop-service { inside-service-interface sp-0/0/0.1; outside-service-interface sp-0/0/0.2; } ipsec-vpn-options { local-gateway 19.16.1.1; } ipsec-vpn-rules site-to-NOC; } ipsec-vpn { rule site-to-NOC { term mgmt-traffic { source-address { 10.1.1.0/24; } destination-address { 10.2.2.0/24; } } then remote-gateway 19.16.2.1; dynamic { ike-policy main_mode_ike_policy; ipsec-policy dynamic_ipsec_policy; } } } match-direction input; } ipsec { proposal esp_sha1_ipsec_prop { protocol esp; authentication-algorithm hmac-sha1-96; encryption-algorithm 3des-cbc; } policy dynamic_ipsec_policy { perfect-forward-secrecy { keys group2; } proposals esp_sha1_ipsec_prop; } } ike { proposal psk_sha1_3des_ike_prop { authentication-method pre-shared-keys; authentication-algorithm sha1; encryption-algorithm 3des-cbc; } policy main_mode_ike_policy { mode main; proposals psk_sha1_3des_ike_prop; pre-shared-key ascii-text “$7#$AAtBRmNOjH”; ##SECRET-DATA } } } Note: Juniper recommends implementing all Layer 3 services with the next-hop-style service set as opposed to the interface-style. When you configure next-hop-style service sets, you associate them with specific inside and outside logical interfaces. These logical interfaces are units you configure on an AS PIC’s sp- interface as illustrated below: interfaces { sp-0/0/0 { unit 0 { family inet; } unit 1 { description "IPSec Tunnel Inside Service Interface"; family inet; service-domain inside; } unit 2 { description "IPSec Tunnel Outside Service Interface"; family inet; service-domain outside; } } … … } The router must be configured to match the traffic that is to be secured in the outbound direction. For next-hop service sets, this is the input direction as configured via match-direction input command as shown above under the services ipsec-vpn hierarchy. You configure the router to route traffic to the inside or outside interface as shown in the following example: routing-options { static { route 10.2.2.0/24 next-hop sp-0/0/0.1; } }

Check Text ( C-20303r1_chk )

Where IPSec technology is deployed to connect the OOBM gateway routers or firewall, the traffic entering the tunnels must be restricted to only the authorized management packets based on destination and source IP address from the address block used for the management network. Verify that all traffic from the managed network to the management network and vice-versa is secured via IPSec encapsulation. In the configuration examples, 10.2.2.0/24 is the management network at the NOC and 10.1.1.0/24 is the management address block used at the network being managed (i.e., the enclave).

Example from a show services command with Juniper M or T series router with Adaptive Services PIC using next-hop style is as follows:

service-set vpn-to-NOC {
next-hop-service {
inside-service-interface sp-0/0/0.1;
outside-service-interface sp-0/0/0.2;
}
ipsec-vpn-options {
local-gateway 19.16.1.1;
}
ipsec-vpn-rules site-to-NOC;
}
ipsec-vpn {
rule site-to-NOC {
term mgmt-traffic {
source-address {
10.1.1.0/24;
}
destination-address {
10.2.2.0/24;
}
}
then
remote-gateway 19.16.2.1;
dynamic {
ike-policy main_mode_ike_policy;
ipsec-policy dynamic_ipsec_policy;
}
}
}
match-direction input;
}
ipsec {
proposal esp_sha1_ipsec_prop {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm 3des-cbc;
}
policy dynamic_ipsec_policy {
perfect-forward-secrecy {
keys group2;
}
proposals esp_sha1_ipsec_prop;
}
}
ike {
proposal psk_sha1_3des_ike_prop {
authentication-method pre-shared-keys;
authentication-algorithm sha1;
encryption-algorithm 3des-cbc;
}
policy main_mode_ike_policy {
mode main;
proposals psk_sha1_3des_ike_prop;
pre-shared-key ascii-text “$7#$AAtBRmNOjH”; ##SECRET-DATA
}
}
}

Note: Juniper recommends implementing all Layer 3 services with the next-hop-style service set as opposed to the interface-style. When you configure next-hop-style service sets, you associate them with specific inside and outside logical interfaces. These logical interfaces are units you configure on an AS PIC’s sp- interface as illustrated below:

interfaces {
sp-0/0/0 {
unit 0 {
family inet;
}
unit 1 {
description "IPSec Tunnel Inside Service Interface";
family inet;
service-domain inside;
}
unit 2 {
description "IPSec Tunnel Outside Service Interface";
family inet;
service-domain outside;
}
}
…
…
}

The router must be configured to match the traffic that is to be secured in the outbound direction. For next-hop service sets, this is the input direction as configured via match-direction input command as shown above under the services ipsec-vpn hierarchy. You configure the router to route traffic to the inside or outside interface as shown in the following example:

routing-options {
static {
route 10.2.2.0/24 next-hop sp-0/0/0.1;
}
}

Fix Text (F-17652r1_fix)
Where IPSec technology is deployed to connect the OOBM gateway routers or firewall, traffic entering the tunnels is restricted to only the authorized management packets based on destination and source IP address from the address block used for the management network.