Management traffic is not restricted to only the authorized management packets based on destination and source IP address.

From Firewall Security Technical Implementation Guide

Part of Management traffic is not restricted

SV-19320r1_rule Management traffic is not restricted to only the authorized management packets based on destination and source IP address.

Vulnerability discussion

The Out-of-Band Management (OOBM) network is an IP network used exclusively for the transport of OAM&P data from the network being managed to the OSS components located at the NOC. Its design provides connectivity to each managed network element enabling network management traffic to flow between the managed NEs and the NOC. This allows the use of paths separate from those used by the network being managed. Traffic from the managed network to the management network and vice-versa must be secured via IPSec encapsulation.

Check content

Where IPSec technology is deployed to connect the OOBM gateway routers or firewall, the traffic entering the tunnels must be restricted to only the authorized management packets based on destination and source IP address from the address block used for the management network. Verify that all traffic from the managed network to the management network and vice-versa is secured via IPSec encapsulation. In the configuration examples, 10.2.2.0/24 is the management network at the NOC and 10.1.1.0/24 is the management address block used at the network being managed (i.e., the enclave). When the AS PIC receives traffic on the inside interface associated with a service set, the AS PIC applies the configured Layer 3 services and then forwards the packet back to the router through the outside interface. Likewise, when the AS PIC receives traffic on the outside interface associated with a service set, it forwards the packet back to the router through the inside interface after applying the configured Layer 3 services. hostname VPN-Gateway1 ! interface Ethernet0/0 nameif Outside security-level 0 ip address 19.16.1.254 255.255.255.252 ! interface Ethernet0/1 nameif Inside security-level 100 ip address 10.1.1.1 255.255.255.0 ! isakmp policy 10 authentication pre-share isakmp policy 10 encryption 3des isakmp policy 10 hash sha isakmp policy 10 group 2 isakmp policy 10 lifetime 86400 crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto map Outside_map ipsec-isakmp crypto map Outside_map 20 match address 101 crypto map Outside_map 20 set peer 19.16.2.254 crypto map Outside_map 20 set transform-set ESP-3DES-SHA crypto map Outside_map interface Outside ! isakmp key ***** 19.16.2.254 netmask 255.255.255.255 isakmp enable Outside ! access-list 101 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 sysopt connection permit-ipsec Note: Access lists can be defined for PIX/ASA using the familiar IOS software ACL format. However, one important difference exists between the PIX/ASA and IOS ACL formats: PIXs use real subnet masks (a 1 bit matches, and a 0 bit ignores), whereas IOS platforms use a wildcard mask (a 0 bit matches, and a 1 bit ignores).

Fix text

Configure filters based on source and destination IP address to restrict only authorized management traffic into IPSec tunnels used for transiting management data.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer