Traffic from the managed network is able to access the OOBM gateway router

From Infrastructure L3 Switch Secure Technical Implementation Guide - Cisco

Part of Managed network has access to OOBM gateway router

SV-19301r2_rule Traffic from the managed network is able to access the OOBM gateway router

Vulnerability discussion

If the gateway router is not a dedicated device for the OOBM network, several safeguards must be implemented for containment of management and production traffic boundaries. It is imperative that hosts from the managed network are not able to access the OOBM gateway router.

Check content

Review the ACL or filters for the router’s receive path and verify that only traffic sourced from the management network is allowed to access the router. This would include both management and control plane traffic.

Step 1: Verify that the global ip receive acl statement has been configured as shown in the following example:

    ip receive acl 199

Note: The IOS IP Receive ACL feature provides filtering capability for traffic that is destined for the router. The IP Receive ACL filtering occurs after any input ACL bound to the ingress interface. On distributed platforms (i.e., 12000 series), the IP receive ACL filters traffic on the distributed line cards before packets are received by the route processor; thereby preventing the flood from degrading the performance of the route processor.

Step 2: Determine the address block of the management network at the NOC. In the example configuration below, the 10.2.2.0/24 is the management network at the NOC.

Step 3: Verify that the ACL referenced by the ip receive acl statement restricts all management plane traffic to the validated network management address block at the NOC. Management traffic can include telnet, SSH, SNMP, TACACS, RADIUS, TFTP, FTP, and ICMP. Control plane traffic from OOBM backbone neighbors should also be allowed to access the router.

The ACL configuration should look similar to the following:

    access-list 199 deny ip any any fragments
    access-list 199 permit ospf 10.1.20.0 0.0.0.255 any
    access-list 199 permit tcp 10.2.2.0 0.0.0.255 any eq ssh
    access-list 199 permit udp host 10.2.2.24 any eq snmp
    access-list 199 permit udp host 10.2.2.25 any eq snmp
    access-list 199 permit udp host 10.2.2.26 any eq ntp
    access-list 199 permit udp host 10.2.2.27 any eq ntp
    access-list 199 permit tcp host 10.2.2.30 eq tacacs any gt 1023 established
    access-list 199 permit tcp host 10.2.2.77 eq ftp any gt 1023 established
    access-list 199 permit tcp host 10.2.2.77 gt 1024 any eq ftp-data
    access-list 199 permit icmp 10.2.2.0 0.0.0.255 any
    access-list 199 deny ip any any log

In the example above, the OSPF neighbors would be adjacencies with the OOBM backbone network 10.1.20.0/24.

If the platform does not support the receive path filter, then verify that all non-OOBM interfaces have an ingress ACL to restrict access to that interface address or any of the router’s loopback addresses to only traffic sourced from the management network. The exception would be to allow packets destined to these interfaces that are used for troubleshooting, such as ping and traceroute.
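The check above is a manual review of a running-config. As an added illustration (not part of the STIG or of any DISA tooling), the following Python script automates the receive-path portion of the check: it locates the global ip receive acl statement, parses every entry of the referenced numbered ACL, and flags any permit whose source is not inside the NOC management block or the OOBM backbone block, plus a missing explicit final deny. The embedded config excerpt is constructed from the example ACL in the check content; the management block 10.2.2.0/24 and backbone block 10.1.20.0/24 are taken from the same example, and the function and variable names are this example's own. Wildcard masks are assumed to be contiguous.

```python
import ipaddress
import re

# Constructed sample running-config excerpt, modelled on the ACL in the check content.
SAMPLE_CONFIG = """\
hostname oobm-gw
ip receive acl 199
access-list 199 deny ip any any fragments
access-list 199 permit ospf 10.1.20.0 0.0.0.255 any
access-list 199 permit tcp 10.2.2.0 0.0.0.255 any eq ssh
access-list 199 permit udp host 10.2.2.24 any eq snmp
access-list 199 permit udp host 10.2.2.26 any eq ntp
access-list 199 permit tcp host 10.2.2.30 eq tacacs any gt 1023 established
access-list 199 permit icmp 10.2.2.0 0.0.0.255 any
access-list 199 deny ip any any log
"""


def parse_source(tokens, i):
    """Parse the source field of an IOS ACL entry starting at tokens[i].

    Returns (network_or_None, next_index); None means the source is 'any'.
    Assumes a contiguous wildcard mask (hypothetical simplification).
    """
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # Cisco wildcard mask: inverted netmask, so invert it back.
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = str(ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF))
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def audit_receive_acl(config_text, mgmt_nets, oobm_backbone_nets):
    """Return a list of findings (empty list means the receive ACL passes the check).

    mgmt_nets: CIDR strings for the NOC management block(s), e.g. ["10.2.2.0/24"]
    oobm_backbone_nets: CIDR strings for OOBM backbone neighbors, e.g. ["10.1.20.0/24"]
    """
    findings = []
    m = re.search(r"^ip receive acl (\d+)\s*$", config_text, re.M)
    if not m:
        return ["no 'ip receive acl' statement configured"]
    acl_id = m.group(1)
    allowed = [ipaddress.ip_network(n) for n in mgmt_nets + oobm_backbone_nets]

    entries = [line.split() for line in config_text.splitlines()
               if line.startswith(f"access-list {acl_id} ")]
    if not entries:
        return [f"ACL {acl_id} is referenced but has no entries"]

    for t in entries:
        action = t[2]
        if action != "permit":
            continue  # deny entries never widen receive-path access
        src, _ = parse_source(t, 4)  # t[3] is the protocol keyword
        if src is None:
            findings.append(f"permit with source 'any' reaches the route processor: {' '.join(t)}")
        elif not any(src.subnet_of(a) for a in allowed):
            findings.append(f"permit from non-management source {src}: {' '.join(t)}")

    last = entries[-1]
    if not (last[2] == "deny" and last[3] == "ip" and last[4] == "any" and last[5] == "any"):
        findings.append(f"ACL {acl_id} does not end with an explicit 'deny ip any any'")
    return findings


if __name__ == "__main__":
    for finding in audit_receive_acl(SAMPLE_CONFIG, ["10.2.2.0/24"], ["10.1.20.0/24"]) or ["PASS"]:
        print(finding)
```

Point the script at a saved `show running-config` and pass the address blocks validated in Step 2; any finding means traffic from outside the management and OOBM backbone networks can reach the router's control plane and the receive ACL must be tightened. The script does not cover the fallback case where the platform lacks receive-path filtering and per-interface ingress ACLs are used instead.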

Fix text

Ensure that traffic from the managed network is not able to access the OOBM gateway router using either receive path or interface ingress ACLs.
