The communications server is not configured to accept a callback request or in a secured mode so that it will not call back an unauthorized user.

From Network Devices Security Technical Implementation Guide

Part of The comm server is not secured

Associated with IA controls: EBRP-1

SV-19117r1_rule The communications server is not configured to accept a callback request or in a secured mode so that it will not call back an unauthorized user.

Vulnerability discussion

A communications server (aka terminal server) can be used to provide interconnectivity between all managed network elements and the OOBM gateway router for administrative access to the device's console port. In the event the OOBM network is not able to provide connectivity due to an outage, the communications server can provide a dial-up PPP connection to access a network element. The auxiliary port, console port, as well as any slow-speed async serial port with an analog modem connected to the managed device, also provide the capability for direct dial-up administrative access for infrastructures that do not have a communications server for management access.

Check content

Review the configuration of the communications server. The following example configuration would enable a secured callback on a Cisco network access server:

  interface s0/1
   physical-layer async
   ip address 192.168.8.1 255.255.255.252
   encapsulation ppp
   async mode dedicated
   ppp authentication chap
   ppp callback accept
   dialer callback-secure
   dialer map ip 192.168.8.2 name Dean class dial-back-admin 1112223333
   dialer map ip 192.168.8.3 name Dana class dial-back-admin 1113334444
  !
  map-class dialer dial-back-admin
   dialer callback-server username
   dialer hold-queue timeout 60

The callback numbers used for each authorized user must be defined within the communications server local database or the AAA server. In the example above, the username keyword causes the server to identify the return call by looking up the authenticated host name in a dialer map command. Do not allow the client to supply the callback number, for example by pre-configuring a null dial string for an authorized dial-up user in the access server database or on the AAA server.

An alternative to the communications server and AAA server implementation is an integrated solution that includes the following:

1. a secured modem using FIPS 140-2 compliant encryption for the connection
2. an integrated RSA SecurID server for two-factor authentication
3. OOB connectivity to the managed device via console port access, granted after the administrator has been authenticated
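As an added illustration (not part of the STIG or the page), the following Python script audits an IOS-style configuration fragment for the conditions this check describes: callback is accepted, callback is secured, and every dialer map is tied to a map-class that keys the return call on the authenticated username with a fixed dial string rather than a client-supplied number. The one-space indentation parsing and the dialer map syntax are assumptions, and the sample configuration is a trimmed copy of the one quoted above.

```python
import re
# Constructed sample: the secured Cisco IOS fragment quoted in the check content above (trimmed).
SECURED_CFG = """\
interface s0/1
 encapsulation ppp
 ppp callback accept
 dialer callback-secure
 dialer map ip 192.168.8.2 name Dean class dial-back-admin 1112223333
 dialer map ip 192.168.8.3 name Dana class dial-back-admin 1113334444
!
map-class dialer dial-back-admin
 dialer callback-server username
"""

# dialer map ip <ip> name <host> [class <map-class>] [<dial-string>]  (assumed syntax)
DIALER_MAP = re.compile(r"dialer map ip (\S+) name (\S+)(?: class (\S+))?(?: (\S+))?$")

def parse_blocks(config):
    """Split IOS-style text into (header, [sub-commands]) pairs; assumes one-space indentation."""
    blocks = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if not line.startswith(" "):
            blocks.append((line, []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks

def audit_callback(config):
    """Return findings against this check; an empty list means every interface passes."""
    findings, blocks = [], parse_blocks(config)
    # map-classes that key the return call on the authenticated username, not a client-supplied number
    secure_classes = {h.split()[2] for h, body in blocks
                      if h.startswith("map-class dialer ") and "dialer callback-server username" in body}
    for header, body in blocks:
        if not header.startswith("interface "):
            continue
        if "ppp callback accept" not in body:
            findings.append(f"{header}: does not accept callback requests (missing 'ppp callback accept')")
        if "dialer callback-secure" not in body:
            findings.append(f"{header}: callback not secured (missing 'dialer callback-secure')")
        for m in filter(None, map(DIALER_MAP.match, body)):
            _ip, name, cls, number = m.groups()
            if cls not in secure_classes:
                findings.append(f"{header}: map for {name} uses class {cls} without 'dialer callback-server username'")
            if not number:
                findings.append(f"{header}: map for {name} has no fixed callback number, so the client could supply one")
    return findings
```

Running `audit_callback(SECURED_CFG)` returns an empty list; a fragment that drops `dialer callback-secure`, omits the dial string, or uses a map-class without `dialer callback-server username` produces one finding per defect.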

Fix text

The communications server must be configured to accept a callback request. In addition, it must be configured in a secured mode so that it will not call back an unauthorized user.
