UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The IDPS must allow in-band management sessions from authorized IP addresses within the internal trusted network.


Overview

Finding ID Version Rule ID IA Controls Severity
V-34486 SRG-NET-000019-IDPS-00020 SV-45264r1_rule Medium
Description
Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled, so it does not introduce any unacceptable risk to the network infrastructure or data. Remote administration is inherently dangerous because anyone with a sniffer and access to the right LAN segment can acquire the device account and password information. Although in-band management sessions are not recommended, there may be operationally essential reasons for allowing this practice. When allowed, restricting in-band management to authorized IP addresses only, limits the sources of potential risks to approved systems. With intercepted information, an attacker could gain access to the infrastructure and cause denial of service attacks, intercept sensitive information, or perform other destructive actions.
STIG Date
Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide 2012-11-19

Details

Check Text ( C-42611r1_chk )
Verify the IDPS is configured with an ACL which lists the allowed IP addresses from which management sessions are permitted.
Verify the ACL is set for deny-by-default for all management console connections not explicitly allowed.
Verify the allowed IP addresses are from the internal network.

If in-band management is allowed from IP addresses which are not explicitly identified, this is a finding.
Fix Text (F-38660r1_fix)
Configure the IDPS sensors to allow only in-band remote management connections.
Configure an ACL listing for allowed IP addresses for non-local management console access.
Configure the ACL for deny-by-default.