Information
For all management profiles, only the IP addresses required for device management should be specified.
Rationale:
If a Permitted IP Addresses list is either not specified or is too broad, an attacker may be able to attempt management access from unintended locations, such as the Internet. The "Ensure 'Security Policy' denying any/all traffic exists at the bottom of the security policies ruleset" recommendation in this benchmark provides additional protection by requiring a security policy that explicitly allows device management access.
Solution
Navigate to Network > Network Profiles > Interface Management.
In each profile, for each of the target protocols (SNMP, HTTPS, SSH), set Permitted IP Addresses to include only the addresses necessary for device management. If no profile exists, create one with these options set.
Default Value:
Not enabled
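A way to audit this item offline, against an exported PAN-OS configuration rather than by clicking through every profile, is to walk the interface-management-profile entries and flag any that enable a management protocol without a permitted-ip list, or whose list contains an overly broad prefix. The script below is an added example written for this page; it is not Tenable's or CIS's audit logic. It assumes the XML layout of a PAN-OS configuration export (network/profiles/interface-management-profile/entry with a permitted-ip child and per-protocol yes/no elements), the sample configuration is constructed for the example, and the "too broad" threshold of 256 addresses (a /24) is an arbitrary policy choice that an operator should set to match their management network.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Assumption: any permitted-ip entry covering more than this many addresses
# is considered too broad for device management. Tune to your environment.
MAX_ADDRESSES_PER_ENTRY = 256

# Constructed sample config in the assumed PAN-OS export layout:
# one compliant profile, one with no permitted-ip list, one with 0.0.0.0/0.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><network><profiles>
    <interface-management-profile>
      <entry name="mgmt-ok">
        <https>yes</https><ssh>yes</ssh><snmp>no</snmp>
        <permitted-ip>
          <entry name="10.10.0.0/24"/>
          <entry name="10.20.5.7"/>
        </permitted-ip>
      </entry>
      <entry name="mgmt-open">
        <https>yes</https><ssh>no</ssh><snmp>no</snmp>
      </entry>
      <entry name="mgmt-broad">
        <https>yes</https><ssh>yes</ssh><snmp>yes</snmp>
        <permitted-ip>
          <entry name="0.0.0.0/0"/>
        </permitted-ip>
      </entry>
    </interface-management-profile>
  </profiles></network></entry></devices>
</config>"""

MANAGEMENT_PROTOCOLS = ("https", "ssh", "snmp")


def audit_profiles(xml_text, max_addresses=MAX_ADDRESSES_PER_ENTRY):
    """Return {profile_name: [issue, ...]}; an empty list means compliant."""
    root = ET.fromstring(xml_text)
    findings = {}
    for prof in root.iterfind(".//interface-management-profile/entry"):
        name = prof.get("name")
        issues = []
        enabled = [p for p in MANAGEMENT_PROTOCOLS
                   if (prof.findtext(p) or "").strip().lower() == "yes"]
        permitted = [e.get("name") for e in prof.iterfind("permitted-ip/entry")]

        # A management protocol is on but no source restriction exists:
        # any reachable host may attempt to log in.
        if enabled and not permitted:
            issues.append(
                f"{', '.join(enabled)} enabled with no permitted-ip list")

        # Entries may be bare addresses or CIDR prefixes; measure each one.
        for cidr in permitted:
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                issues.append(f"unparseable permitted-ip entry {cidr!r}")
                continue
            if net.num_addresses > max_addresses:
                issues.append(
                    f"{cidr} too broad ({net.num_addresses} addresses)")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for profile, issues in audit_profiles(SAMPLE_CONFIG).items():
        status = "OK" if not issues else "FAIL"
        print(f"[{status}] {profile}")
        for issue in issues:
            print(f"    - {issue}")
```

Run against a real export by reading the XML file into `audit_profiles`; profiles that exist but enable no protocol are reported as compliant, since an unused profile exposes nothing.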
Item Details
Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT
References: 800-53|AC-2(1), 800-53|AC-3, 800-53|AC-18, 800-53|AC-18(1), 800-53|AC-18(3), 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, CSCv7|11.6, CSCv7|11.7
Control ID: e3f0b7a905c34e32230d5989c442fe85ebef34d31603f30ca131887b1753e72f