Detections
Analytics
CISC-RT-000450 - The Cisco router must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface - OOBM interface
Information
The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface or a standard interface functioning as the management interface. In either case, the management interface of the managed network element will be directly connected to the OOBM network.An OOBM interface does not forward transit traffic, thereby providing complete separation of production and management traffic. Since all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device. If the device does not have an OOBM port, the interface functioning as the management interface must be configured so that management traffic does not leak into the managed network and that production traffic does not leak into the management network.
Solution
If the management interface is not a dedicated OOBM interface, it must be configured with both an ingress and egress ACL.Step 1: Configure an ingress ACL a shown in the example below.
RP/0/0/CPU0:R2(config)#Ipv4 access-list INGRESS_MANAGEMENT_ACL
RP/0/0/CPU0:R2(config-ipv4-acl)#permit tcp any host 10.11.1.22 eq tacacs
RP/0/0/CPU0:R2(config-ipv4-acl)#permit tcp any host 10.11.1.22 eq 22
RP/0/0/CPU0:R2(config-ipv4-acl)#permit udp any host 10.11.1.22 eq snmp
RP/0/0/CPU0:R2(config-ipv4-acl)#permit udp any host 10.11.1.22 eq snmptrap
RP/0/0/CPU0:R2(config-ipv4-acl)#permit udp any host 10.11.1.22 eq ntp
RP/0/0/CPU0:R2(config-ipv4-acl)#permit icmp any host 10.11.1.22
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ip any any log-input
RP/0/0/CPU0:R2(config-ipv4-acl)#exit
Step 2: Configure an egress ACL a shown in the example below.
RP/0/0/CPU0:R2(config)#Ipv4 access-list EGRESS_MANAGEMENT_ACL
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ip any any log-input
RP/0/0/CPU0:R2(config-ipv4-acl)#exit
Step 3: Apply the ACLs to the OOBM interfaces.
RP/0/0/CPU0:R2(config)#int MgmtEth0/0/CPU0/0
RP/0/0/CPU0:R2(config-if)#ipv4 access-group INGRESS_MANAGEMENT_ACL ingress
RP/0/0/CPU0:R2(config-if)#ipv4 access-group EGRESS_MANAGEMENT_ACL egress
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS-XR_Router_Y23M10_STIG.zip
Item Details
Audit Name: DISA STIG Cisco IOS-XR Router RTR v2r4
Category: SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|SC-7a., CAT|II, CCI|CCI-001097, Rule-ID|SV-216773r531087_rule, STIG-ID|CISC-RT-000450, STIG-Legacy|SV-105891, STIG-Legacy|V-96753, Vuln-ID|V-216773
Plugin: Cisco
Control ID: dffc4dd5b562b1252a1b435f26a2746d6427c1b7a7c3d7a842942d5b43dea002