STIGQter STIGQter: STIG Summary: Cisco IOS Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco switch must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface.

DISA Rule

SV-220453r622190_rule

Vulnerability Number

V-220453

Group Title

SRG-NET-000205-RTR-000012

Rule Version

CISC-RT-000450

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

If the management interface is not a dedicated OOBM interface, it must be configured with both an ingress and egress ACL.

Step 1: Configure an ingress ACL as shown in the example below:

SW1(config)#ip access-list extended INGRESS_MANAGEMENT_ACL
SW1(config-ext-nacl)#permit tcp any host 10.11.1.22 eq tacacs
SW1(config-ext-nacl)#permit tcp any host 10.11.1.22 eq 22
SW1(config-ext-nacl)#permit udp any host 10.11.1.22 eq snmp
SW1(config-ext-nacl)#permit udp any host 10.11.1.22 eq snmptrap
SW1(config-ext-nacl)#permit udp any host 10.11.1.22 eq ntp
SW1(config-ext-nacl)#permit icmp any host 10.11.1.22
SW1(config-ext-nacl)#deny ip any any log-input
SW1(config-ext-nacl)#exit

Step 2: Configure an egress ACL as shown in the example below:

SW1(config)#ip access-list extended EGRESS_MANAGEMENT_ACL
SW1(config-ext-nacl)#deny ip any any log-input
SW1(config-ext-nacl)#exit

Step 3: Apply the ACLs to the OOBM interfaces.

SW1(config)#int g0/7
SW1(config-if)#ip access-group INGRESS_MANAGEMENT_ACL in
SW1(config-if)#ip access-group EGRESS_MANAGEMENT_ACL out

Check Contents

This requirement is only applicable where management access to the switch is via an OOBM interface, which is not a true OOBM interface.

Step 1: Verify that the managed interface has an inbound and outbound access control list (ACL) configured.

interface GigabitEthernet0/7
no switchport
description link to OOBM access switch
ip address 10.11.1.22 255.255.255.0
ip access-group INGRESS_MANAGEMENT_ACL in
ip access-group EGRESS_MANAGEMENT_ACL in

Step 2: Verify that the ingress ACL only allows management and ICMP traffic.

ip access-list extended INGRESS_MANAGEMENT_ACL
permit tcp any host 10.11.1.22 eq tacacs
permit tcp any host 10.11.1.22 eq 22
permit udp any host 10.11.1.22 eq snmp
permit udp any host 10.11.1.22 eq snmptrap
permit udp any host 10.11.1.22 eq ntp
permit icmp any host 10.11.1.22
deny ip any any log-input

Step 3: Verify that the egress ACL blocks any transit traffic.

ip access-list extended EGRESS_MANAGEMENT_ACL
deny ip any any log-input

Note: On Cisco switches, local generated packets are not inspected by outgoing interface access lists. Hence, the above configuration would drop any packets not generated by the switch, blocking any transit traffic.

If the switch does not restrict traffic that ingresses and egresses the management interface, this is a finding.

Vulnerability Number

V-220453

Documentable

False

Rule Version

CISC-RT-000450

Severity Override Guidance

This requirement is only applicable where management access to the switch is via an OOBM interface, which is not a true OOBM interface.

Step 1: Verify that the managed interface has an inbound and outbound access control list (ACL) configured.

interface GigabitEthernet0/7
no switchport
description link to OOBM access switch
ip address 10.11.1.22 255.255.255.0
ip access-group INGRESS_MANAGEMENT_ACL in
ip access-group EGRESS_MANAGEMENT_ACL in

Step 2: Verify that the ingress ACL only allows management and ICMP traffic.

ip access-list extended INGRESS_MANAGEMENT_ACL
permit tcp any host 10.11.1.22 eq tacacs
permit tcp any host 10.11.1.22 eq 22
permit udp any host 10.11.1.22 eq snmp
permit udp any host 10.11.1.22 eq snmptrap
permit udp any host 10.11.1.22 eq ntp
permit icmp any host 10.11.1.22
deny ip any any log-input

Step 3: Verify that the egress ACL blocks any transit traffic.

ip access-list extended EGRESS_MANAGEMENT_ACL
deny ip any any log-input

Note: On Cisco switches, local generated packets are not inspected by outgoing interface access lists. Hence, the above configuration would drop any packets not generated by the switch, blocking any transit traffic.

If the switch does not restrict traffic that ingresses and egresses the management interface, this is a finding.

Check Content Reference

M

Target Key

4065

Comments