IPSec tunnels used to transit management traffic must be restricted to only the authorized management packets based on destination and source IP address.

From Perimeter L3 Switch Security Technical Implementation Guide

Part of Management traffic is not restricted

SV-18945r2_rule IPSec tunnels used to transit management traffic must be restricted to only the authorized management packets based on destination and source IP address.

Vulnerability discussion

The Out-of-Band Management (OOBM) network is an IP network used exclusively for the transport of OAM&P data from the network being managed to the OSS components located at the NOC. Its design provides connectivity to each managed network device enabling network management traffic to flow between the managed NEs and the NOC. This allows the use of paths separate from those used by the network being managed. Traffic from the managed network to the management network and vice-versa must be secured via IPSec encapsulation.

Check content

Review the device configuration to determine if IPSec tunnels used in transiting management traffic are filtered to only accept authorized traffic based on source and destination IP addresses of the management network. If filters are not restricting only authorized management traffic into the IPSec tunnel, this is a finding.

Fix text

Configure filters based on source and destination IP address to restrict only authorized management traffic into IPSec tunnels used for transiting management data.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer