NET1001 - A firewall located behind the premise router must be configured to block all outbound management traffic. - 'step 1 egress group'

Information

The management network must still have its own subnet in order to enforce control and access boundaries provided by Layer 3 network nodes such as routers and firewalls. Management traffic between the managed network elements and the management network is routed via the same links and nodes as that used for production or operational traffic. Safeguards must be implemented to ensure that the management traffic does not leak past the managed network's premise equipment. It there is a firewall located behind the premise router, then all management traffic should be blocked at that point-with the exception of management traffic destined to premise equipment.

NOTE: Access lists can be defined for PIX/ASA using the familiar IOS software ACL format. However, one important difference exists between the PIX/ASA and IOS ACL formats: PIXs use real subnet masks (a 1 bit matches, and a 0 bit ignores), whereas IOS platforms use a wildcard mask (a 0 bit matches, and a 1 bit ignores).

Solution

With the exception of management traffic destined to perimeter equipment, a firewall located behind the premise router must be configured to block all outbound management traffic.

See Also

https://iasecontent.disa.mil/stigs/zip/U_Network_Firewall_V8R25_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(15), CAT|II, Rule-ID|SV-19084r2_rule, STIG-ID|NET1001, Vuln-ID|V-17830

Plugin: Cisco

Control ID: 04eaf9135651c0ea4ad321cc4eea20744084e2b1ff8f5837d73cfbd9953bf479