The network device must route all management traffic through a dedicated management interface for purposes of access control and auditing.


Overview

Finding ID: SRG-NET-000198-NDM-000148
Version: SRG-NET-000198-NDM-000148
Rule ID: SRG-NET-000198-NDM-000148_rule
IA Controls: none listed
Severity: Medium
Description
Although the network device is not responsible for routing all network management traffic to the management network, it must route all of its own outgoing management communications through the out-of-band management interface. If management traffic is allowed onto the user network segments, privileged information may be intercepted by non-privileged users, which could lead to the compromise of network devices. The network device is installed in stealth mode with one interface connected to the management network; this interface is used for communications with the network device and with other network devices. If in-band management is required because of mission requirements, a dedicated IP address for the remote management client, as well as traffic encryption, is required.
STIG: Network Device Management Security Requirements Guide
Date: 2013-07-30

Details

Check Text (C-SRG-NET-000198-NDM-000148_chk)
Verify the out-of-band management interface on the network device is configured with an IP address from the address space belonging to the out-of-band management network.
After determining which interface is connected to the out-of-band management access switch, review the managed device configuration.
Verify the interface has been assigned an address from the local management address block.

If management traffic is not directed through a dedicated management interface for purposes of access control and auditing, this is a finding.
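The check above is a manual review of the device configuration: find the interface cabled to the out-of-band management switch, confirm its address falls inside the management address block, and confirm management traffic is actually sourced from that interface. The script below is an added example, not part of this STIG or of any vendor's tooling, that automates that review over a configuration export. The configuration text, the 10.250.0.0/24 management block, the interface name Mgmt0 and the IOS-style "interface" / "ip address" / "source-interface" line syntax are all constructed for illustration; adapt the regular expressions to the real device's configuration format.

```python
"""Audit a device configuration for the dedicated-management-interface check.

Added example; the sample configuration, management block and line syntax
are constructed (hypothetical IOS-style), not taken from the STIG page.
"""
import ipaddress
import re

# Constructed: the site's documented out-of-band management address block.
MGMT_BLOCK = ipaddress.ip_network("10.250.0.0/24")

# Constructed sample configuration. One management service (ssh) is
# deliberately sourced from a user-facing interface so the audit flags it.
SAMPLE_CONFIG = """\
hostname core-sw-01
!
interface Mgmt0
 description OOB management to mgmt-access-sw
 ip address 10.250.0.12 255.255.255.0
!
interface GigabitEthernet1/0/1
 description user VLAN 20
 ip address 192.168.20.1 255.255.255.0
!
logging source-interface Mgmt0
snmp-server source-interface traps Mgmt0
ip ssh source-interface GigabitEthernet1/0/1
"""

_IFACE_RE = re.compile(r"^interface (\S+)\s*$")
_ADDR_RE = re.compile(r"^\s+ip address (\S+) (\S+)\s*$")


def parse_interfaces(config):
    """Map interface name -> IPv4Interface (or None if no address is set)."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = None
            continue
        if line.startswith("!"):          # stanza separator ends the interface block
            current = None
            continue
        m = _ADDR_RE.match(line)
        if m and current:
            # ipaddress accepts a dotted-decimal netmask after the slash.
            interfaces[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return interfaces


def management_sources(config):
    """Map management service -> interface it is bound to via 'source-interface'."""
    bound = {}
    for line in config.splitlines():
        tokens = line.split()
        if "source-interface" in tokens and tokens[-1] != "source-interface":
            idx = tokens.index("source-interface")
            service = " ".join(tokens[:idx])      # e.g. "logging", "ip ssh"
            bound[service] = tokens[-1]           # interface is the last token
    return bound


def audit(config, mgmt_block, mgmt_iface):
    """Return a list of findings; an empty list means the check passes."""
    findings = []
    addr = parse_interfaces(config).get(mgmt_iface)
    if addr is None:
        findings.append(f"{mgmt_iface} has no IP address configured")
    elif addr.ip not in mgmt_block:
        findings.append(
            f"{mgmt_iface} address {addr.ip} is outside management block {mgmt_block}")
    for service, iface in management_sources(config).items():
        if iface != mgmt_iface:
            findings.append(
                f"{service} is sourced from {iface}, not management interface {mgmt_iface}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, MGMT_BLOCK, "Mgmt0") or ["compliant"]:
        print(finding)
```

Run against the constructed configuration, the audit passes the address check (10.250.0.12 is inside 10.250.0.0/24) but reports that ssh is sourced from GigabitEthernet1/0/1; under the check text that is a finding, since that management traffic is not directed through the dedicated management interface.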
Fix Text (F-SRG-NET-000198-NDM-000148_fix)
Configure the network device's out-of-band management interface with an IP address from the address space belonging to the out-of-band management network.