The IDPS must allow in-band management sessions from authorized IP addresses within the internal trusted network.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-34486	SRG-NET-000019-IDPS-00020	SV-45264r1_rule		Medium

Description
Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled, so it does not introduce any unacceptable risk to the network infrastructure or data. Remote administration is inherently dangerous because anyone with a sniffer and access to the right LAN segment can acquire the device account and password information. Although in-band management sessions are not recommended, there may be operationally essential reasons for allowing this practice. When allowed, restricting in-band management to authorized IP addresses only, limits the sources of potential risks to approved systems. With intercepted information, an attacker could gain access to the infrastructure and cause denial of service attacks, intercept sensitive information, or perform other destructive actions.

Description

Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled, so it does not introduce any unacceptable risk to the network infrastructure or data. Remote administration is inherently dangerous because anyone with a sniffer and access to the right LAN segment can acquire the device account and password information. Although in-band management sessions are not recommended, there may be operationally essential reasons for allowing this practice. When allowed, restricting in-band management to authorized IP addresses only, limits the sources of potential risks to approved systems. With intercepted information, an attacker could gain access to the infrastructure and cause denial of service attacks, intercept sensitive information, or perform other destructive actions.

STIG	Date
Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide	2012-11-19

Details

Check Text ( C-42611r1_chk )
Verify the IDPS is configured with an ACL which lists the allowed IP addresses from which management sessions are permitted. Verify the ACL is set for deny-by-default for all management console connections not explicitly allowed. Verify the allowed IP addresses are from the internal network. If in-band management is allowed from IP addresses which are not explicitly identified, this is a finding.

Check Text ( C-42611r1_chk )

Verify the IDPS is configured with an ACL which lists the allowed IP addresses from which management sessions are permitted.
Verify the ACL is set for deny-by-default for all management console connections not explicitly allowed.
Verify the allowed IP addresses are from the internal network.

If in-band management is allowed from IP addresses which are not explicitly identified, this is a finding.

Fix Text (F-38660r1_fix)
Configure the IDPS sensors to allow only in-band remote management connections. Configure an ACL listing for allowed IP addresses for non-local management console access. Configure the ACL for deny-by-default.