Detections
Analytics
CISC-RT-000400 - The Cisco out-of-band management (OOBM) gateway router must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit, MPLS/VPN service, or IPsec tunnel.
Information
Using dedicated paths, the OOBM backbone connects the OOBM gateway routers located at the edge of the managed network and at the NOC. Dedicated links can be deployed using provisioned circuits or MPLS Layer 2 and Layer 3 VPN services or implementing a secured path with gateway-to-gateway IPsec tunnels. The tunnel mode ensures that the management traffic will be logically separated from any other traffic traversing the same path.NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
This requirement is not applicable for the DODIN Backbone.Ensure that a dedicated circuit, MPLS/VPN service, or IPsec tunnel is deployed to transport management traffic between the managed network and the NOC. If an IPsec tunnel is to be used, the steps below can be used as a guideline.
Step 1: Configure the ACL for the management network as the destination. This ACL will be defined in the crypto as the interesting traffic to be forwarded into the IPsec tunnel.
RP/0/0/CPU0:R3(config)#Ipv4 access-list MGMT_TRAFFIC_ACL
RP/0/0/CPU0:R3(config-ipv4-acl)#permit ip 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255
Step 2: Create an ISAKMP policy for Phase 1 negotiations.
RP/0/0/CPU0:R3(config)#crypto isakmp policy 10
RP/0/0/CPU0:R3(config-isakmp-policy)#authentication pre-share
RP/0/0/CPU0:R3(config-isakmp-policy)#hash sha256
RP/0/0/CPU0:R3(config-isakmp-policy)#encryption aes 256
RP/0/0/CPU0:R3(config-isakmp-policy)#exit
Step 3: Configure the keyring to be used for ISAKMP to authenticate the remote side during IKE negotiation.
RP/0/0/CPU0:R3(config)#crypto isakmp keyring ISAKMP_KEYRING
RP/0/0/CPU0:R3(config-crypto-keyring)#pre-shared-key address 255.255.255.255 key xxxxx
RP/0/0/CPU0:R3(config-crypto-keyring)#exit
Step 4: Configure the IPsec transform set.
RP/0/0/CPU0:R3(config)#crypto ipsec transform-set IPSEC_TRANS esp-aes 256 esp-sha256-hmac
RP/0/0/CPU0:R3(config-transform-set IPSEC_TRANS)#mode tunnel
Step 5: Configure the IPsec profile.
RP/0/0/CPU0:R3(config)#crypto ipsec profile IPSEC_NOC_PROFILE
RP/0/0/CPU0:R3(config- IPSEC_NOC_PROFILE)#set pfs group 16
RP/0/0/CPU0:R3(config- IPSEC_NOC_PROFILE)#match MGMT_TRAFFIC_ACL transform-set IPSEC_TRANS
RP/0/0/CPU0:R3(config- IPSEC_NOC_PROFILE)#exit
Step 6: Configure the IPsec virtual interface.
RP/0/0/CPU0:R3(config)#interface tunnel-ipsec 22
RP/0/0/CPU0:R3(config-if)#profile IPSEC_NOC_PROFILE
RP/0/0/CPU0:R3(config-if)#tunnel source GigabitEthernet0/0/0/2
RP/0/0/CPU0:R3(config-if)#tunnel destination x.1.22.2
RP/0/0/CPU0:R3(config-if)#end
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS-XR_Router_Y24M07_STIG.zip
Item Details
Audit Name: DISA STIG Cisco IOS-XR Router RTR v3r1
Category: SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|SC-7a., CAT|II, CCI|CCI-001097, CCI|CCI-004891, Rule-ID|SV-216768r991934_rule, STIG-ID|CISC-RT-000400, STIG-Legacy|SV-105881, STIG-Legacy|V-96743, Vuln-ID|V-216768
Plugin: Cisco
Control ID: a788500cc12f7b0edbf26d8ed4045fdbe192de3548bd7597dbbede5836ab30cc