STIGQter: STIG Summary: Infrastructure Router Security Technical Implementation Guide Cisco, Version 8, Release 29, Benchmark Date 25 Jan 2019: Traffic from the managed network is able to access the OOBM gateway router

DISA Rule

SV-19301r2_rule

Vulnerability Number

V-17817

Group Title

Managed network has access to OOBM gateway router

Rule Version

NET0987

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Ensure that traffic from the managed network is not able to access the OOBM gateway router using either receive path or interface ingress ACLs.

Check Contents

Review the ACL or filters for the router’s receive path and verify that only traffic sourced from the management network is allowed to access the router. This would include both management and control plane traffic.

Step 1: Verify that the global ip receive acl statement has been configured as shown in the following example:

ip receive acl 199

Note: The IOS IP Receive ACL feature provides filtering capability for traffic that is destined for the router itself. The IP Receive ACL filtering occurs after any input ACL bound to the ingress interface. On distributed platforms (e.g., the 12000 series), the IP receive ACL filters traffic on the distributed line cards before packets are received by the route processor, thereby preventing a flood from degrading the performance of the route processor.

Step 2: Determine the address block of the management network at the NOC. In the example configuration below, 10.2.2.0/24 is the management network at the NOC.

Step 3: Verify that the ACL referenced by the ip receive acl statement restricts all management plane traffic to the validated network management address block at the NOC. Management traffic can include telnet, SSH, SNMP, TACACS, RADIUS, TFTP, FTP, and ICMP. Control plane traffic from OOBM backbone neighbors should also be allowed to access the router. The ACL configuration should look similar to the following:

access-list 199 deny ip any any fragments
access-list 199 permit ospf 10.1.20.0 0.0.0.255 any
access-list 199 permit tcp 10.2.2.0 0.0.0.255 any eq ssh
access-list 199 permit udp host 10.2.2.24 any eq snmp
access-list 199 permit udp host 10.2.2.25 any eq snmp
access-list 199 permit udp host 10.2.2.26 any eq ntp
access-list 199 permit udp host 10.2.2.27 any eq ntp
access-list 199 permit tcp host 10.2.2.30 eq tacacs any gt 1023 established
access-list 199 permit tcp host 10.2.2.77 eq ftp any gt 1023 established
access-list 199 permit tcp host 10.2.2.77 gt 1024 any eq ftp-data
access-list 199 permit icmp 10.2.2.0 0.0.0.255 any
access-list 199 deny ip any any log

In the example above, the OSPF neighbors would be adjacencies with the OOBM backbone network 10.1.20.0/24.

If the platform does not support the receive path filter, then verify that all non-OOBM interfaces have an ingress ACL that restricts access to that interface address, or to any of the router's loopback addresses, to only traffic sourced from the management network. The exception would be to allow packets destined to these interfaces that are used for troubleshooting, such as ping and traceroute.
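The three-step check above can be automated against a saved running-config. The following is an added example, not part of the STIG or of STIGQter: it finds the `ip receive acl` statement, then flags every permit entry in that ACL whose source falls outside the NOC management block (10.2.2.0/24), or outside the OOBM backbone (10.1.20.0/24) for OSPF. The sample configuration, the network constants and the assumption that OSPF is the only control-plane protocol are constructed for the example.

```python
import ipaddress
import re

# Constructed sample (not from the STIG): the receive ACL from the check
# above, trimmed, plus one ACE that a compliant router would not carry.
SAMPLE_CONFIG = """\
ip receive acl 199
access-list 199 deny ip any any fragments
access-list 199 permit ospf 10.1.20.0 0.0.0.255 any
access-list 199 permit tcp 10.2.2.0 0.0.0.255 any eq ssh
access-list 199 permit udp host 10.2.2.24 any eq snmp
access-list 199 permit tcp host 10.2.2.30 eq tacacs any gt 1023 established
access-list 199 permit tcp 192.168.50.0 0.0.0.255 any eq telnet
access-list 199 deny ip any any log
"""

MGMT_NETS = [ipaddress.ip_network("10.2.2.0/24")]   # NOC management block
OOBM_NETS = [ipaddress.ip_network("10.1.20.0/24")]  # OOBM backbone (OSPF peers)
CONTROL_PLANE = {"ospf"}  # assumption: only the protocol the check names

def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into an ip_network (e.g. a /24)."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network((addr, str(mask)), strict=False)

def source_of(tokens):
    """Source network of a numbered ACE, given the tokens after the protocol."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32")
    return wildcard_to_network(tokens[0], tokens[1])

def audit_receive_acl(config, mgmt_nets=MGMT_NETS, oobm_nets=OOBM_NETS):
    """Return (acl_number, findings): permit ACEs sourced outside the management
    block (or outside the OOBM backbone for control-plane protocols)."""
    match = re.search(r"^\s*ip receive acl (\d+)\s*$", config, re.MULTILINE)
    if not match:
        return None, ["no 'ip receive acl' statement configured"]
    acl = match.group(1)
    findings = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:3] != ["access-list", acl, "permit"] or len(tokens) < 5:
            continue
        allowed = oobm_nets if tokens[3] in CONTROL_PLANE else mgmt_nets
        if not any(source_of(tokens[4:]).subnet_of(net) for net in allowed):
            findings.append(line.strip())
    return acl, findings
```

Running `audit_receive_acl(SAMPLE_CONFIG)` returns ACL 199 with the telnet entry from 192.168.50.0/24 as the only finding; a config with no `ip receive acl` statement is reported as a finding in its own right so the fallback interface-ACL check in the text can be applied instead.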

Severity Override Guidance


Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

510

Comments