
The management interface is not configured with both an ingress and egress ACL.


Overview

Finding ID: V-17822
Version: NET0992
Rule ID: SV-20208r1_rule
IA Controls:
Severity: Medium
Description
The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface or a standard interface functioning as the management interface. In either case, the management interface of the managed network element will be directly connected to the OOBM network. An OOBM interface does not forward transit traffic, thereby providing complete separation of production and management traffic. Since all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device. If the device does not have an OOBM port, the interface functioning as the management interface must be configured so that management traffic does not leak into the managed network and that production traffic does not leak into the management network.
STIG: Perimeter Router Security Technical Implementation Guide Cisco
Date: 2018-11-28

Details

Check Text ( C-22338r1_chk )
Step 1: Verify that the managed interface has an inbound and outbound ACL configured as shown in the following example:

interface FastEthernet1/1
 description Enclave_Management_LAN
 ip address 10.1.1.22 255.255.255.0
 ip access-group 100 in
 ip access-group 101 out

Step 2: Verify that the ingress ACL blocks all transit traffic—that is, any traffic not destined to the router itself. In addition, traffic accessing the managed elements should originate at the NOC. In the example, the management network at the NOC is 10.2.2.0/24.

access-list 100 permit ip 10.2.2.0 0.0.0.255 host 10.1.1.22
access-list 100 deny ip any any log

Note that the destination used by any host within the management network to access the managed elements must be the address of the management interface. The loopback should not be a valid address, since these prefixes would not be advertised into the management network IGP domain. This could only be possible if the managed network elements had an IGP adjacency with the managed network, which should not be the case.

Step 3: Verify that the egress ACL blocks any traffic not originated by the managed element.

access-list 101 deny ip any any log

Cisco router-generated packets are not inspected by outgoing access-lists. Hence, the above configuration would simply drop any packets not generated by the router itself and allow all local traffic. To filter local traffic, IOS provides a feature called local policy routing, which enables the administrator to apply a route-map to any locally generated router traffic. To prohibit outgoing traffic from the local router to any destination other than the NOC, a configuration such as the following could be used:

! Do not drop traffic destined to 10.2.2.0/24. Hence, do not include it in
! the local policy route map, but include all other destinations.
!
ip access-list extended BLOCK_INVALID_DEST
 deny ip any 10.2.2.0 0.0.0.255
 permit ip any any
!
route-map LOCAL_POLICY permit 10
 match ip address BLOCK_INVALID_DEST
 set interface Null0
!
ip local policy route-map LOCAL_POLICY
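As an added example that is not part of the STIG, the following Python script applies Steps 1 to 3 to a running-config excerpt: the management interface must carry both an inbound and an outbound ACL, every ingress permit must be from the NOC prefix to the interface's own address, the ingress ACL must end with deny ip any any, and the egress ACL must contain deny ip any any. The config excerpt is constructed from the example above; the interface name and NOC prefix are passed in as parameters.

```python
# Constructed running-config excerpt modelled on the check text (not captured from a real device).
SAMPLE_CONFIG = """\
interface FastEthernet1/1
 ip address 10.1.1.22 255.255.255.0
 ip access-group 100 in
 ip access-group 101 out
!
access-list 100 permit ip 10.2.2.0 0.0.0.255 host 10.1.1.22
access-list 100 deny ip any any log
access-list 101 deny ip any any log
"""

def parse_interface(config, name):   # ip address plus 'in'/'out' ACL ids of one interface stanza
    info, in_stanza = {"ip": None, "in": None, "out": None}, False
    for line in config.splitlines():
        if not line.startswith(" "):   # any top-level line ends the current stanza
            in_stanza = line.startswith("interface ") and line.split()[1] == name
        elif in_stanza:
            p = line.split()
            if p[:2] == ["ip", "address"]:
                info["ip"] = p[2]
            elif p[:2] == ["ip", "access-group"]:
                info[p[3]] = p[2]      # p[3] is the direction keyword, "in" or "out"
    return info
def acl_entries(config, acl_id):     # entries of a numbered ACL as token lists, in configured order
    p = f"access-list {acl_id} "
    return [l[len(p):].split() for l in config.splitlines() if l.startswith(p)]
def _addr(t, i):                     # decode 'any' | 'host X' | 'X wildcard' at t[i] as 'addr wildcard'
    if t[i] == "any":
        return "any", i + 1
    return (f"{t[i+1]} 0.0.0.0", i + 2) if t[i] == "host" else (f"{t[i]} {t[i+1]}", i + 2)
def check_net0992(config, iface_name, noc_net):
    """Return a list of findings for the management interface; an empty list means it passes."""
    iface = parse_interface(config, iface_name)
    missing = [d for d in ("in", "out") if iface[d] is None]
    if missing:                        # Step 1: both ACLs must be applied
        return [f"no {d}bound ACL on {iface_name}" for d in missing]
    findings, ingress = [], acl_entries(config, iface["in"])
    for e in ingress:                  # Step 2: every permit must be NOC -> this interface's own address
        if e[0] == "permit":
            src, i = _addr(e, 2)
            dst, _ = _addr(e, i)
            if src != noc_net or dst != f"{iface['ip']} 0.0.0.0":
                findings.append(f"ingress ACL {iface['in']} permits transit or non-NOC traffic: {' '.join(e)}")
    if not ingress or ingress[-1][:4] != ["deny", "ip", "any", "any"]:
        findings.append(f"ingress ACL {iface['in']} does not end with 'deny ip any any'")
    if not any(e[:4] == ["deny", "ip", "any", "any"] for e in acl_entries(config, iface["out"])):
        findings.append(f"egress ACL {iface['out']} does not block traffic the router did not originate")
    return findings                    # Step 3 covered by the egress check above
```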


Alternative Solution: The IOS Management Plane Protection Feature

Cisco introduced the Management Plane Protection (MPP) feature with IOS 12.4(6)T, which allows any physical in-band interface to be dedicated to OOB management. The MPP feature allows a network operator to designate one or more router interfaces as management interfaces. Management traffic is permitted to enter a device only through these management interfaces. All of the other in-band interfaces not enabled for MPP will automatically drop all ingress packets associated with any of the supported MPP protocols (FTP, HTTP, HTTPS, SCP, SSH, SNMP, Telnet, and TFTP). Hence, after MPP is enabled, no interfaces except management interfaces will accept network management traffic destined to the device. This feature also provides the capability to restrict which management protocols are allowed. This feature does not change the behavior of the console, auxiliary, and management Ethernet interfaces. The following configuration example depicts FastEthernet1/1 as the designated management interface that will only allow SSH and SNMP traffic.

control-plane host
 management-interface FastEthernet1/1 allow ssh snmp
!
interface FastEthernet1/1
 description Enclave_Management_LAN
 ip address 10.1.1.22 255.255.255.0

Fix Text (F-17737r2_fix)
If the management interface is a routed interface, it must be configured with both an ingress and egress ACL. The ingress ACL should block any transit traffic, while the egress ACL should block any traffic that was not originated by the managed network device.