CISC-RT-000410 - The Cisco out-of-band management (OOBM) gateway router must be configured to forward only authorized management traffic to the Network Operations Center (NOC).

Information

The OOBM network is an IP network used exclusively for the transport of OAM&P data from the network being managed to the OSS components located at the NOC. Its design provides connectivity to each managed network device, enabling network management traffic to flow between the managed network elements and the NOC. This allows the use of paths separate from those used by the managed network.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

This requirement is not applicable for the DODIN Backbone.

Configure ACLs to permit only authorized management traffic into IPsec tunnels or the OOBM interface used for forwarding management data as shown in the examples below.

OOBM Link

RP/0/0/CPU0:R3(config)#ipv4 access-list MGMT_TRAFFIC_ACL
RP/0/0/CPU0:R3(config-ipv4-acl)#permit tcp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq tacacs
RP/0/0/CPU0:R3(config-ipv4-acl)#permit tcp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq ssh
RP/0/0/CPU0:R3(config-ipv4-acl)#permit udp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq snmp
RP/0/0/CPU0:R3(config-ipv4-acl)#permit udp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq snmptrap
RP/0/0/CPU0:R3(config-ipv4-acl)#permit udp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq syslog
RP/0/0/CPU0:R3(config-ipv4-acl)#permit icmp 10.1.34.0 0.0.0.255 10.22.22.0 0.0.0.255
RP/0/0/CPU0:R3(config-ipv4-acl)#deny ipv4 any any log-input
RP/0/0/CPU0:R3(config-ipv4-acl)#exit

IPsec Tunnel

RP/0/0/CPU0:R3(config)#ipv4 access-list MGMT_TRAFFIC_ACL
RP/0/0/CPU0:R3(config-ipv4-acl)#permit tcp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq tacacs
RP/0/0/CPU0:R3(config-ipv4-acl)#permit tcp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq ssh
RP/0/0/CPU0:R3(config-ipv4-acl)#permit udp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq snmp
RP/0/0/CPU0:R3(config-ipv4-acl)#permit udp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq snmptrap
RP/0/0/CPU0:R3(config-ipv4-acl)#permit udp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq syslog
RP/0/0/CPU0:R3(config-ipv4-acl)#permit icmp 10.1.34.0 0.0.0.255 10.22.22.0 0.0.0.255
RP/0/0/CPU0:R3(config-ipv4-acl)#exit

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_NX-OS_Switch_Y24M10_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7a., CAT|II, CCI|CCI-001097, Rule-ID|SV-216769r531087_rule, STIG-ID|CISC-RT-000410, STIG-Legacy|SV-105883, STIG-Legacy|V-96745, Vuln-ID|V-216769

Plugin: Cisco

Control ID: f1dccf2304840f27d3874933fe12ba85ed09112a4222df353d00c39a854b02a2