STIGQter: STIG Summary: Cisco IOS XE Switch NDM Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Cisco switch must be configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies.

DISA Rule

SV-220523r539418_rule

Vulnerability Number

V-220523

Group Title

SRG-APP-000038-NDM-000213

Rule Version

CISC-ND-000140

Severity

CAT II

CCI(s)

• CCI-001368 - The information system enforces approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.

Weight

10

Fix Recommendation

Configure the Cisco switch to restrict management access to specific IP addresses via SSH as shown in the example below:

SW2(config)#ip access-list standard MANAGEMENT_NET
SW2(config-std-nacl)#permit x.x.x.0 0.0.0.255
SW2(config-std-nacl)#exit
SW2(config)#line vty 0 4
SW2(config-line)#transport input ssh
SW2(config-line)#access-class MANAGEMENT_NET in
SW2(config-line)#end

Check Contents

Review the Cisco switch configuration to verify that it is compliant with this requirement. Administrative access to the switch must only be allowed from hosts residing in the management network.

Step 1: Verify that the line vty has an ACL inbound applied as shown in the example below:

line vty 0 4
access-class MANAGEMENT_NET in
transport input ssh

Step 2: Verify that the ACL permits only hosts from the management network to access the switch.

ip access-list extended MANAGEMENT_NET
permit ip x.x.x.0 0.0.0.255 any
deny ip any any log-input


If the Cisco switch is not configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies, this is a finding.

Vulnerability Number

V-220523

Documentable

False

Rule Version

CISC-ND-000140

Severity Override Guidance

Review the Cisco switch configuration to verify that it is compliant with this requirement. Administrative access to the switch must only be allowed from hosts residing in the management network.

Step 1: Verify that the line vty has an ACL inbound applied as shown in the example below:

line vty 0 4
access-class MANAGEMENT_NET in
transport input ssh

Step 2: Verify that the ACL permits only hosts from the management network to access the switch.

ip access-list extended MANAGEMENT_NET
permit ip x.x.x.0 0.0.0.255 any
deny ip any any log-input


If the Cisco switch is not configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies, this is a finding.

Check Content Reference

M

Target Key

4067

Comments