1.2.2 Restrict Access to VTY Sessions - line vty access-class

Information

Restrict Management Access to trusted management stations and VLANs.

Rationale:

Exposing the management interface too broadly exposes it to MiTM (Monkey in the Middle) attacks as well as to credential stuffing attacks. If there is any disagreement about the need for this control, the question 'should your receptionist have access to your core switch?' usually settles it.

Impact:

Not restricting access to the management interface has several risks:

It exposes the interface to credential stuffing attacks from commodity malware (such as Mirai).

It flags the device, even to simple scans, as missing basic security remediations, which invites other attacks in addition to credential stuffing.

Solution

Create an access-list that defines the various trusted subnets and/or stations:

switch(config)# ip access-list ACL-MGT
switch(config-acl)# remark access-class ACL
switch(config-acl)# permit ip 192.168.12.0/24 any
switch(config-acl)# deny ip any any log

It is suggested that all ACLs are commented (with remark lines, as above) to help self-document the configuration.
The last line in the ACL should read deny ip any any log so that every attempt to reach the management interface from an unauthorized station is recorded.
Apply the Access-Class to the VTY interface:

switch(config)# line vty
switch(config-line)# access-class ACL-MGT in
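The two steps above (define the ACL, then apply it inbound on line vty) can be verified offline against a saved running configuration. The following checker is an added example, not part of the CIS benchmark or of any Tenable or Cisco tool; it assumes NX-OS-style output in which ACL entries are indented under 'ip access-list NAME' (with optional sequence numbers) and the access-class sits indented under 'line vty'. The sample configurations are constructed for the example. It reports the three things the Solution section asks for: an inbound access-class on line vty, no permit entry with an 'any' source, and a final 'deny ip any any log'; a missing remark is reported as a note rather than a failure, since the benchmark only suggests it.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Finding:
    """Result of the line-vty access-class check."""
    passed: bool
    failures: List[str] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)


def parse_acls(config: str) -> Dict[str, List[str]]:
    """Return {acl_name: [entry, ...]} for every 'ip access-list' block.

    Assumes NX-OS running-config layout: entries indented under the ACL
    header, optionally prefixed with a sequence number ('10 permit ...').
    Sequence numbers are stripped so entries compare by their text.
    """
    acls: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r"^ip access-list (\S+)$", line)
        if header:
            current = header.group(1)
            acls[current] = []
        elif raw.startswith(" ") and current is not None:
            acls[current].append(re.sub(r"^\d+\s+", "", line))
        else:
            current = None  # any other top-level line ends the ACL block
    return acls


def vty_access_class(config: str) -> Optional[str]:
    """Return the ACL name applied inbound under 'line vty', or None."""
    in_vty = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "line vty":
            in_vty = True
        elif raw.startswith(" ") and in_vty:
            applied = re.match(r"^access-class (\S+) in$", line)
            if applied:
                return applied.group(1)
        else:
            in_vty = False
    return None


def check_vty_restriction(config: str) -> Finding:
    """Evaluate a running config against the line-vty access-class item."""
    failures: List[str] = []
    notes: List[str] = []
    acl_name = vty_access_class(config)
    if acl_name is None:
        return Finding(False, ["no inbound access-class applied under 'line vty'"])
    acls = parse_acls(config)
    if acl_name not in acls:
        return Finding(False, [f"access-class '{acl_name}' references an undefined ACL"])
    entries = acls[acl_name]
    rules = [e for e in entries if not e.startswith("remark")]
    if not any(e.startswith("remark") for e in entries):
        notes.append(f"ACL '{acl_name}' has no remark line (self-documentation suggested)")
    for entry in rules:
        # 'permit <proto> any ...' would admit every source and defeat the control
        if re.match(r"^permit \S+ any\b", entry):
            failures.append(f"ACL '{acl_name}' permits any source: '{entry}'")
    if not rules or rules[-1] != "deny ip any any log":
        failures.append(f"ACL '{acl_name}' does not end with 'deny ip any any log'")
    return Finding(not failures, failures, notes)


# Constructed sample configurations (not captured from a real device).
COMPLIANT_CONFIG = """\
ip access-list ACL-MGT
  10 remark access-class ACL
  20 permit ip 192.168.12.0/24 any
  30 deny ip any any log

line vty
  access-class ACL-MGT in
"""

OPEN_CONFIG = """\
ip access-list ACL-MGT
  10 permit ip any any
  20 deny ip any any log

line vty
  access-class ACL-MGT in
"""

NO_ACL_CONFIG = """\
line vty
  exec-timeout 10
"""

if __name__ == "__main__":
    for label, cfg in [("compliant", COMPLIANT_CONFIG), ("open", OPEN_CONFIG), ("no-acl", NO_ACL_CONFIG)]:
        result = check_vty_restriction(cfg)
        print(label, "PASS" if result.passed else "FAIL", result.failures, result.notes)
```

Feed it the text of 'show running-config' and treat any failure as a finding for this item; the 'permits any source' test catches the common mistake of applying an access-class that exists but does not actually restrict anything.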

Default Value:

No access-class is applied by default.

See Also

https://workbench.cisecurity.org/files/3102

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-3, 800-53|SC-7(15), CSCv7|11.6, CSCv7|11.7

Plugin: Cisco

Control ID: 4f9fe1a46fdcb309bed7abb3c65fb55025af03e2af385c045d10b520b1ab744c