STIGQter: STIG Summary: Cisco NX-OS Switch NDM Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The Cisco switch must be configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies.

DISA Rule

SV-220479r648769_rule

Vulnerability Number

V-220479

Group Title

SRG-APP-000038-NDM-000213

Rule Version

CISC-ND-000140

Severity

CAT II

CCI(s)

• CCI-001368 - The information system enforces approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.

Weight

10

Fix Recommendation

Configure the Cisco switch to restrict management access to specific IP addresses as shown in the example below:

SW1(config)# ip access-list MGMT_NET
SW1(config-acl)# permit ip 10.1.48.0/24 any
SW1(config-acl)# deny ip any any log
SW1(config-acl)# exit
SW1(config)# line vty
SW1(config-line)# access-class MGMT_NET in
SW1(config-acl)# end


NX-OS v8 and later example

SW1(config)# ip access-list MGMT_NET
SW1(config-acl)# permit ip 10.1.48.0/24 any
SW1(config-acl)# deny ip any any log
SW1(config-acl)# exit
SW1(config)# interface mgmt0
SW1(config-if)# ip access-group MGMT_NET in
SW1(config-acl)# end

Check Contents

Review the Cisco switch configuration to verify that it is compliant with this requirement.

Step 1: Verify that the line vty has an ACL inbound applied as shown in the example below:

line vty
access-class MGMT_NET in

Step 2: Verify that the ACL permits only hosts from the management network to access the switch.

ip access-list MGMT_NET
10 permit ip 10.1.48.0/24 any
20 deny ip any any log


NX-OS v8 and later example
Step 1: Verify that an ACL has been applied to the management interface inbound as shown in the example below:

interface mgmt0
ip access-group MGMT_NET in

Step 2: Verify that the ACL permits only hosts from the management network to access the switch.

ip access-list MGMT_NET
10 permit ip 10.1.48.0/24 any
20 deny ip any any log


If the Cisco switch is not configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies, this is a finding.

Vulnerability Number

V-220479

Documentable

False

Rule Version

CISC-ND-000140

Severity Override Guidance

Review the Cisco switch configuration to verify that it is compliant with this requirement.

Step 1: Verify that the line vty has an ACL inbound applied as shown in the example below:

line vty
access-class MGMT_NET in

Step 2: Verify that the ACL permits only hosts from the management network to access the switch.

ip access-list MGMT_NET
10 permit ip 10.1.48.0/24 any
20 deny ip any any log


NX-OS v8 and later example
Step 1: Verify that an ACL has been applied to the management interface inbound as shown in the example below:

interface mgmt0
ip access-group MGMT_NET in

Step 2: Verify that the ACL permits only hosts from the management network to access the switch.

ip access-list MGMT_NET
10 permit ip 10.1.48.0/24 any
20 deny ip any any log


If the Cisco switch is not configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies, this is a finding.

Check Content Reference

M

Target Key

4066

Comments