
The communications server is not configured to accept a callback request or in a secured mode so that it will not callback an unauthorized user.


Overview

Finding ID: V-17842
Version: NET1617
Rule ID: SV-19117r1_rule
IA Controls: EBRP-1
Severity: Low
Description
A communications server (aka terminal server) can be used to provide interconnectivity between all managed network elements and the OOBM gateway router for administrative access to the device’s console port. In the event the OOBM network is not able to provide connectivity due to an outage, the communications server can provide a dial-up PPP connection to access a network element. The auxiliary port, the console port, and any slow-speed async serial port with an analog modem connected to the managed device also provide the capability for direct dial-up administrative access for infrastructures that do not have a communications server for management access.
STIG: Network Devices Security Technical Implementation Guide
Date: 2018-11-27

Details

Check Text (C-19326r1_chk)
Review the configuration of the communications server. The following example configuration would enable a secured call back on a Cisco network access server:

interface s0/1
 physical-layer async
 ip address 192.168.8.1 255.255.255.252
 encapsulation ppp
 async mode dedicated
 ppp authentication chap
 ! accept a callback request from the CHAP-authenticated peer
 ppp callback accept
 ! disconnect the incoming call if the authenticated user is not authorized for callback
 dialer callback-secure
 ! return numbers are held server-side, one per authorized user
 dialer map ip 192.168.8.2 name Dean class dial-back-admin 1112223333
 dialer map ip 192.168.8.3 name Dana class dial-back-admin 1113334444
!
map-class dialer dial-back-admin
 ! select the return number by looking up the authenticated username in the dialer map
 dialer callback-server username
 dialer hold-queue timeout 60

The callback numbers used for each authorized user must be defined within the communications server local database or the AAA server. In the example above, the "dialer callback-server username" command identifies the return call by looking up the authenticated host name in a dialer map command. Do not allow the client to supply the callback number, for example by pre-configuring a null dial string for an authorized dial-up user in the access server database or on the AAA server.
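The check above can be automated against a saved running-config. The script below is an added example, not part of the STIG text or any vendor tool: it parses the IOS config into interface and map-class blocks and reports every interface that accepts PPP callback but lacks "dialer callback-secure", every dialer map with no server-side dial string (which would let the client supply the number), and every referenced map-class missing "dialer callback-server username". It assumes the one-space sub-command indentation of a standard IOS config and the "dialer map ip ... name ... class ... <number>" form shown in the check text; both sample configs are constructed for the example.

```python
"""Compliance check for the secured-callback settings described in NET1617.

Added example (not STIG or vendor code). Parses a Cisco IOS running-config
and flags deviations from the secured dial-back pattern in the check text.
"""
import re
from typing import Dict, List

# Constructed sample: the compliant configuration from the check text.
COMPLIANT_CONFIG = """\
interface s0/1
 physical-layer async
 ip address 192.168.8.1 255.255.255.252
 encapsulation ppp
 async mode dedicated
 ppp authentication chap
 ppp callback accept
 dialer callback-secure
 dialer map ip 192.168.8.2 name Dean class dial-back-admin 1112223333
 dialer map ip 192.168.8.3 name Dana class dial-back-admin 1113334444
!
map-class dialer dial-back-admin
 dialer callback-server username
 dialer hold-queue timeout 60
"""

# Constructed sample: same device with three weaknesses introduced for the
# test - callback-secure dropped, one map left with a null dial string, and
# the map-class missing 'dialer callback-server username'.
WEAK_CONFIG = """\
interface s0/1
 physical-layer async
 encapsulation ppp
 ppp authentication chap
 ppp callback accept
 dialer map ip 192.168.8.2 name Dean class dial-back-admin 1112223333
 dialer map ip 192.168.8.3 name Dana class dial-back-admin
!
map-class dialer dial-back-admin
 dialer hold-queue timeout 60
"""

# Assumed form (the one on the page): class and trailing dial string optional,
# so a map with no dial string is detected rather than rejected by the regex.
DIALER_MAP = re.compile(
    r"^dialer map ip (?P<ip>\S+) name (?P<name>\S+)"
    r"(?: class (?P<cls>\S+))?(?: (?P<dial>\S+))?$"
)


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Group a flat IOS config into {block header: [sub-commands]}.

    An unindented line ('interface s0/1', 'map-class dialer X') opens a block;
    indented lines belong to it; '!' separators and blank lines are skipped.
    """
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def check_callback(config: str) -> List[str]:
    """Return one finding string per deviation; an empty list means compliant."""
    blocks = parse_blocks(config)
    map_classes = {
        hdr.split()[-1]: cmds
        for hdr, cmds in blocks.items()
        if hdr.startswith("map-class dialer ")
    }
    findings: List[str] = []
    for header, cmds in blocks.items():
        if not header.startswith("interface ") or "ppp callback accept" not in cmds:
            continue  # not a callback-accepting interface; rule not applicable
        if "dialer callback-secure" not in cmds:
            findings.append(f"{header}: 'ppp callback accept' without 'dialer callback-secure'")
        referenced = set()
        for cmd in cmds:
            m = DIALER_MAP.match(cmd)
            if not m:
                continue
            if not m.group("dial"):
                findings.append(f"{header}: dialer map for {m.group('name')} has no "
                                "server-side dial string (client could supply the number)")
            if m.group("cls"):
                referenced.add(m.group("cls"))
            else:
                findings.append(f"{header}: dialer map for {m.group('name')} references no map-class")
        for cls in sorted(referenced):
            cls_cmds = map_classes.get(cls)
            if cls_cmds is None:
                findings.append(f"{header}: map-class '{cls}' is referenced but not defined")
            elif "dialer callback-server username" not in cls_cmds:
                findings.append(f"{header}: map-class '{cls}' lacks 'dialer callback-server username'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("compliant", COMPLIANT_CONFIG), ("weak", WEAK_CONFIG)):
        result = check_callback(cfg)
        print(f"{label}: {'no findings' if not result else ''}")
        for line in result:
            print("  -", line)
```

The check deliberately treats a dialer map with no trailing number as a finding rather than a parse error, because a null dial string is exactly the client-supplied-number weakness the check text warns against.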

An alternative to the communication server and AAA server implementation is an integrated solution that includes the following:

1. a secured modem using FIPS 140-2 compliant encryption for the connection
2. an integrated RSA SecurID server for 2-factor authentication
3. OOB connectivity to the managed device via console port access granted after the administrator has been authenticated
Fix Text (F-17774r1_fix)
The communications server must be configured to accept a callback request. In addition, it must be configured in a secured mode so that it will not callback an unauthorized user.