STIGQter: STIG Summary: Cisco IOS Switch NDM Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The Cisco switch must be configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies.

DISA Rule

SV-220575r538991_rule

Vulnerability Number

V-220575

Group Title

SRG-APP-000038-NDM-000213

Rule Version

CISC-ND-000140

Severity

CAT II

CCI(s)

• CCI-001368 - The information system enforces approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.

Weight

10

Fix Recommendation

Configure the Cisco switch to restrict management access to specific IP addresses via SSH as shown in the example below:

SW2(config)#ip access-list standard MANAGEMENT_NET
SW2(config-std-nacl)#permit x.x.x.0 0.0.0.255
SW2(config-std-nacl)#exit
SW2(config)#line vty 0 4
SW2(config-line)#transport input ssh
SW2(config-line)#access-class MANAGEMENT_NET in
SW2(config-line)#end

Check Contents

Review the Cisco switch configuration to verify that administrative access to the switch is allowed only from hosts residing in the management network.

Step 1: Verify that the line vty has an ACL inbound applied as shown in the example below:

line vty 0 4
access-class MANAGEMENT_NET in
transport input ssh

Step 2: Verify that the ACL permits only hosts from the management network to access the switch.

iip access-list extended MANAGEMENT_NET
permit ip x.x.x.0 0.0.0.255 any
deny ip any any log-input

If the Cisco switch is not configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies, this is a finding.

Vulnerability Number

V-220575

Documentable

False

Rule Version

CISC-ND-000140

Severity Override Guidance

Review the Cisco switch configuration to verify that administrative access to the switch is allowed only from hosts residing in the management network.

Step 1: Verify that the line vty has an ACL inbound applied as shown in the example below:

line vty 0 4
access-class MANAGEMENT_NET in
transport input ssh

Step 2: Verify that the ACL permits only hosts from the management network to access the switch.

iip access-list extended MANAGEMENT_NET
permit ip x.x.x.0 0.0.0.255 any
deny ip any any log-input

If the Cisco switch is not configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies, this is a finding.

Check Content Reference

M

Target Key

4069

Comments