The network elements management interface must be configured with both an ingress and egress ACL.

From Firewall Security Technical Implementation Guide - Cisco

Part of The management interface does not have an ACL.

SV-19333r2_rule The network elements management interface must be configured with both an ingress and egress ACL.

Vulnerability discussion

The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface or a standard interface functioning as the management interface. In either case, the management interface of the managed network element will be directly connected to the OOBM network.An OOBM interface does not forward transit traffic; thereby, providing complete separation of production and management traffic. Since all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures congestion or failures in the managed network do not affect the management of the device. If the device does not have an OOBM port, the interface functioning as the management interface must be configured so management traffic does not leak into the managed network and production traffic does not leak into the management network.

Check content

Determine which interface is used as the management interface and verify that it has a higher security level than the external or DMZ interface. interface Ethernet0/2 nameif Management security-level 90 ip address 10.1.1.23 255.255.255.0 management-only interface GigabitEthernet0 nameif outside security-level 0 ip address 172.20.2.1 255.255.255.0 interface GigabitEthernet1 nameif inside security-level 100 ip address 192.168.1.0 255.255.255.0 By default, traffic from an interface with a lower security level can’t egress an interface with a higher security level. Traffic is allowed to flow from a higher-security interface to a lower-security interface. Hence, if the interface to the managed network is at a higher security level, traffic originated from this network could leak into the management network. Verify that there is an ACL bound to the management network interface to ensure traffic from a higher security level interface such as the private network (i.e. 192.168.1.0/24) is blocked. access-group TO_MGMTNET in interface Management access-list TO_MGMTNET deny ip 192.168.1.0 255.255.255.0 any Note: Access lists can be defined for PIX/ASA using the familiar IOS software ACL format. However, one important difference exists between the PIX/ASA and IOS ACL formats: PIXs use real subnet masks (a 1 bit matches, and a 0 bit ignores), whereas IOS platforms use a wildcard mask (a 0 bit matches, and a 1 bit ignores).

Fix text

If the management interface is a routed interface, it must be configured with both an ingress and egress ACL. The ingress ACL should block any transit traffic, while the egress ACL should block any traffic that was not originated by the managed network device.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer