The Cisco IOS XE router must enforce that any interface used for out-of-band management traffic is configured to be passive for the Interior Gateway Protocol that is utilized on that management interface.

From Cisco IOS XE Release 3 RTR Security Technical Implementation Guide

Part of SRG-NET-000019-RTR-000014

Associated with: CCI-001414

SV-88791r2_rule The Cisco IOS XE router must enforce that any interface used for out-of-band management traffic is configured to be passive for the Interior Gateway Protocol that is utilized on that management interface.

Vulnerability discussion

The out-of-band management access switch will connect to the management interface of the managed network elements. The management interface can be a true out-of-band management interface or a standard interface functioning as the management interface. In either case, the management interface of the managed network element will directly connect to the out-of-band management network.An out-of-band management interface does not forward transit traffic, thereby, providing complete separation of production and management traffic. Since all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device. If the device does not have an out-of-band management port, the interface functioning as the management interface must be configured so that management traffic, both data plane and control plane, does not leak into the managed network and that production traffic does not leak into the management network.

Check content

Review the configuration of the Cisco IOS XE router to verify the management interface is configured as passive for the Interior Gateway Protocol instance for the managed network. The configuration would look similar to the following example: router ospf 1 area 1 authentication message-digest passive-interface GigabitEthernet0/0 network 200.30.3.0 0.0.0.255 area 1 If the management interface is not configured as passive for the Interior Gateway Protocol instance for the managed network, this is a finding.

Fix text

Configure the management interface of the Cisco IOS XE router as passive for the Interior Gateway Protocol instance configured for the managed network. The configuration will look similar to the example below: outer ospf 1 area 1 authentication message-digest passive-interface GigabitEthernet0/0 network 200.30.3.0 0.0.0.255 area 1

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer