STIGQter: STIG Summary: Cisco NX-OS Switch RTR Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date 23 Apr 2021

The Cisco switch must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface.

DISA Rule

SV-221100r622190_rule

Vulnerability Number

V-221100

Group Title

SRG-NET-000205-RTR-000012

Rule Version

CISC-RT-000450

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

If the management interface is not a dedicated OOBM interface, it must be configured with both an ingress and egress ACL.

Step 1: Configure an ingress ACL as shown in the example below:

SW1(config)# ip access-list INGRESS_MANAGEMENT_ACL
SW1(config-acl)# permit tcp any host 10.11.1.22 eq tacacs
SW1(config-acl)# permit tcp any host 10.11.1.22 eq 22
SW1(config-acl)# permit udp any host 10.11.1.22 eq snmp
SW1(config-acl)# permit udp any host 10.11.1.22 eq snmptrap
SW1(config-acl)# permit udp any host 10.11.1.22 eq ntp
SW1(config-acl)# permit icmp any host 10.11.1.22
SW1(config-acl)# deny ip any any log
SW1(config-acl)# exit

Step 2: Configure an egress ACL as shown in the example below:

SW1(config)# ip access-list EGRESS_MANAGEMENT_ACL
SW1(config-acl)# deny ip any any log
SW1(config-acl)# exit

Step 3: Apply the ACLs to the OOBM interfaces.

SW1(config)# interface Ethernet2/7
SW1(config-if)# ip access-group INGRESS_MANAGEMENT_ACL in
SW1(config-if)# ip access-group EGRESS_MANAGEMENT_ACL out

Check Contents

This requirement is only applicable where management access to the switch is via an interface that serves as the OOBM interface but is not a true, dedicated OOBM interface.

Step 1: Verify that the managed interface has an inbound and outbound ACL configured.

interface Ethernet2/7
description link to OOBM access switch
no switchport
ip address 10.11.1.22 255.255.255.0
ip access-group INGRESS_MANAGEMENT_ACL in
ip access-group EGRESS_MANAGEMENT_ACL out

Step 2: Verify that the ingress ACL only allows management and ICMP traffic.

ip access-list INGRESS_MANAGEMENT_ACL
10 permit tcp any 10.11.1.22/32 eq tacacs
20 permit tcp any 10.11.1.22/32 eq 22
30 permit udp any 10.11.1.22/32 eq snmp
40 permit udp any 10.11.1.22/32 eq snmptrap
50 permit udp any 10.11.1.22/32 eq ntp
60 permit icmp any 10.11.1.22/32
70 deny ip any any log

Step 3: Verify that the egress ACL blocks any transit traffic.

ip access-list EGRESS_MANAGEMENT_ACL
10 deny ip any any log

Note: On Cisco switches, locally generated packets are not inspected by outbound interface access lists. The egress ACL above therefore drops only packets that were not generated by the switch itself, which blocks any transit traffic.

If the switch does not restrict traffic that ingresses and egresses the management interface, this is a finding.

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4075

Comments