Rule ID
SV-269770r1051695_rule
Version
V1R1
CCIs
CCI-001368, CCI-004192
A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If management information flow is not enforced based on approved authorizations, the network device may become compromised. Information flow control regulates where management information is allowed to travel within a network device. The flow of all management information must be monitored and controlled so it does not introduce any unacceptable risk to the network device or data. Application-specific examples of enforcement occur in systems that employ rule sets or establish configuration settings that restrict information system services or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Applications providing information flow control must be able to enforce approved authorizations for controlling the flow of management information within the system in accordance with applicable policy. Satisfies: SRG-APP-000038-NDM-000213, SRG-APP-000880-NDM-000290
Review the OS10 Switch configuration to verify that administrative access to the switch is allowed only from hosts residing in the management network. Step 1: Examine the interface configuration for the control plane ACLs applied to the traffic destined to the router control plane from the OOBM port or front panel data ports: ! control-plane ip access-group MGMT_TRAFFIC_FROM_OOBM mgmt in ip access-group MGMT_TRAFFIC_FROM_DATA data in Step 2: Review the control plane ACLs to verify traffic is limited appropriately. For example, to restrict the management traffic access to a switch at address 192.168.105.17 to only a subset of the 192.168.105.0 subnet, check for an ACL list such as the following: ! ip access-list MGMT_TRAFFIC_FROM_OOBM seq 10 permit ip 192.168.105.0/28 192.168.105.17/32 seq 20 deny ip any 192.168.105.17/32 log Likewise, to restrict the management traffic arriving to a switch address 10.20.30.1 on the front panel data ports: ! ip access-list MGMT_TRAFFIC_FROM_DATA seq 10 permit ip 10.20.30.0/24 10.20.31.1/32 seq 20 deny ip any 10.20.31.1 log If the OS10 Switch is not configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies, this is a finding.
Configure the OS10 Switch to restrict management access to specific IP addresses as shown in the example below. Step 1: Configure inbound ACLs to restrict which packets should be allowed to reach to the control plane from the OOBM port and from the front panel data ports: OS10(config)# ip access-list MGMT_TRAFFIC_FROM_OOBM OS10(config-ipv4-acl)# seq 10 permit ip 192.168.105.0/28 192.168.105.17/32 OS10(config-ipv4-acl)# seq 20 deny ip any 192.168.105.17/32 log OS10(config)# ip access-list MGMT_TRAFFIC_FROM_DATA OS10(config-ipv4-acl)# seq 10 permit ip 10.20.30.0/24 10.20.31.1/32 OS10(config-ipv4-acl)# seq 20 deny ip any 10.20.31.1 log Step 2: Apply the ACLs to the ingress of the control-plane: OS10(config)# control-plane OS10(config-control-plane)# ip access-group MGMT_TRAFFIC_FROM_OOBM mgmt in OS10(config-control-plane)# ip access-group MGMT_TRAFFIC_FROM_DATA data in