Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-17842 | NET1617 | SV-19117r1_rule | EBRP-1 | Low |
Description |
---|
A communications server (aka terminal server) can be used to provide interconnectivity between all managed network elements and the OOBM gateway router for administrative access to the device’s console port. In the event the OOBM network is not able to provide connectivity due to an outage, the communications server can provide a dial-up PPP connection to access a network element. The auxiliary port, consol port, as well as any slow-speed async serial port with an analog modem connected to the managed device also provides the capability for direct dial-up administrative access for infrastructures that do not have a communications server for management access. |
STIG | Date |
---|---|
Network Devices Security Technical Implementation Guide | 2018-02-27 |
Check Text ( C-19326r1_chk ) |
---|
Review the configuration of the communications server. The following example configuration would enable a secured call back on a Cisco network access server: interface s0/1 physical-layer async ip address 192.168.8.1 255.255.255.252 encapsulation ppp async mode dedicated ppp authentication chap ppp callback accept dialer callback-secure dialer map ip 192.168.8.2 name Dean class dial-back-admin 1112223333 dialer map ip 192.168.8.3 name Dana class dial-back-admin 1113334444 ! map-class dialer dial-back-admin dialer callback-server username dialer hold-queue timeout 60 The call-back numbers used for each authorized user must be defined within the communications server local database or the AAA server. In the example above, the username identifies the return call by looking up the authenticated host name in a dialer map command. Do not allow the client to supply the callback number such as, pre-configuring a null dial string for an authorized dial-up user in the access server database or the AAA. An alternative to the communication server and AAA server implementation is an integrated solution that includes the following: 1. a secured modem using FIPS 140-2 compliant encryption for the connection 2. an integrated RSA Secure ID server for 2-factor authentication 3. OOB connectivity to the managed device via console port access granted after the administrator has been authenticated |
Fix Text (F-17774r1_fix) |
---|
The communications server must be configured to accept a callback request. In addition, it must be configured in a secured mode so that it will not callback an unauthorized user. |