1.2.1 Restrict Access to VTY Sessions

Information

Restrict Management Access to trusted management stations and VLANs.

Exposing the management interface too broadly opens that interface to MiTM (Monkey in the Middle) attacks as well as to credential stuffing attacks. If there is any disagreement about the need for this control, the question "should your receptionist have access to your core switch?" usually settles it.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Create an access-list that defines the various trusted subnets and/or stations:

switch(config)# ip access-list ACL-MGT
switch(config-acl)# remark access-class ACL
switch(config-acl)# permit ip 192.168.12.0/24 any
switch(config-acl)# deny ip any any log

It is recommended that all ACLs be commented with a remark entry to help self-document the configuration.

The last line in the ACL should read deny ip any any log so that every attempt to reach the management interface from an unauthorized station is recorded.

Apply the Access-Class to the VTY interface:

switch(config)# line vty
switch(config-line)# access-class ACL-MGT in
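As an added example (not part of the CIS benchmark or the Nessus audit), the following Python script checks a running-config for the three points of the solution above: a line vty block applies an inbound access-class, the referenced ACL exists, and the ACL ends with deny ip any any log. It also warns when the ACL has no permit entry, since applying such an ACL would lock out every management station. It assumes the NX-OS show running-config layout, with sub-entries indented under ip access-list and line vty and optional leading sequence numbers; the three sample configurations are constructed for the example.

```python
"""Check an NX-OS style running-config for the VTY access-class control.

Added example, not the benchmark's or Nessus' own code. Assumes the
'show running-config' layout: block headers at column 0, sub-entries
indented, optional sequence numbers in front of ACL entries.
"""
import re

# Constructed sample configurations (not captured from any real device).
COMPLIANT_CONFIG = """\
hostname core-sw1
ip access-list ACL-MGT
  10 remark access-class ACL
  20 permit ip 192.168.12.0/24 any
  30 deny ip any any log
line vty
  access-class ACL-MGT in
"""

NO_ACCESS_CLASS_CONFIG = """\
hostname core-sw2
ip access-list ACL-MGT
  10 permit ip 192.168.12.0/24 any
  20 deny ip any any log
line vty
  exec-timeout 10
"""

NO_LOG_CONFIG = """\
hostname core-sw3
ip access-list ACL-MGT
  10 permit ip 192.168.12.0/24 any
  20 deny ip any any
line vty
  access-class ACL-MGT in
"""

ACL_HEADER = re.compile(r"^ip access-list (\S+)$")
SEQ_PREFIX = re.compile(r"^\d+\s+")          # NX-OS entry sequence numbers
ACCESS_CLASS = re.compile(r"^access-class (\S+) in$")


def parse_config(text):
    """Return (acls, vty_acls, saw_vty).

    acls maps ACL name -> list of entries with sequence numbers stripped;
    vty_acls lists ACL names applied inbound under 'line vty'.
    """
    acls, vty_acls, saw_vty = {}, [], False
    block = None                               # ("acl", name) or ("vty",)
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):           # a column-0 command ends any block
            block = None
            m = ACL_HEADER.match(line)
            if m:
                block = ("acl", m.group(1))
                acls.setdefault(m.group(1), [])
            elif line.startswith("line vty"):
                block, saw_vty = ("vty",), True
            continue
        entry = SEQ_PREFIX.sub("", line.strip())
        if block and block[0] == "acl":
            acls[block[1]].append(entry)
        elif block and block[0] == "vty":
            m = ACCESS_CLASS.match(entry)
            if m:
                vty_acls.append(m.group(1))
    return acls, vty_acls, saw_vty


def check_vty_restriction(text):
    """Return a list of findings; an empty list means the control is met."""
    acls, vty_acls, saw_vty = parse_config(text)
    findings = []
    if not saw_vty:
        return ["no 'line vty' block found"]
    if not vty_acls:
        return ["line vty has no inbound access-class"]
    for name in vty_acls:
        entries = acls.get(name)
        if entries is None:
            findings.append(f"access-class {name} references an undefined ACL")
            continue
        rules = [e for e in entries if not e.startswith("remark")]
        if not any(r.startswith("permit ") for r in rules):
            findings.append(f"ACL {name} permits nothing; it would lock out all management stations")
        if not rules or rules[-1] != "deny ip any any log":
            findings.append(f"ACL {name} does not end with 'deny ip any any log'")
    return findings


if __name__ == "__main__":
    for label, cfg in [("compliant", COMPLIANT_CONFIG),
                       ("no access-class", NO_ACCESS_CLASS_CONFIG),
                       ("deny without log", NO_LOG_CONFIG)]:
        print(f"{label}: {check_vty_restriction(cfg) or 'OK'}")
```

Feed the script the text of show running-config from each switch; any non-empty finding list is an exception to this control. The remark entry is ignored when locating the final deny, so commenting the ACL as suggested does not affect the check.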

Impact

Not restricting access to the management interface has several risks:

- exposes the interface to credential stuffing attacks from commodity malware (such as Mirai)
- marks the device, even to simple scans, as missing basic security remediations, which invites other attacks in addition to credential stuffing

See Also

https://workbench.cisecurity.org/benchmarks/16139

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT, MAINTENANCE, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|AC-17(3), 800-53|CM-7, 800-53|MA-4, 800-53|SI-7, CSCv7|11.6, CSCv7|11.7

Plugin: Cisco

Control ID: e413a6d482ddf8c17674f5bb7ffae29306b5f13b05ee8d13ee100ebfac44f1e4