Check: CACI-ND-000005
Cisco ACI NDM STIG: CACI-ND-000005 (in version v1 r0.1)
Title
The Cisco ACI must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services. (Cat I impact)
Discussion
To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable unused or unnecessary physical and logical ports/protocols on information systems.

By default, Cisco ACI only exposes two ports from the outside:
- HTTPS (TCP 443) for GUI access and REST API access, on both the APIC and switches.
- SSH (TCP 22) for CLI access, on both the APIC and switches.

Cisco ACI enables Link Layer Discovery Protocol (LLDP) by default to support zero-touch fabric provisioning. DOD sites may keep LLDP enabled on trusted interfaces for loop prevention and VMM integration. Sites must disable LLDP on interfaces facing untrusted networks.

Cisco ACI is designed not to run nonrequired services by default, and to limit the remote management services or protocols that are active by default. Hence, no administrator action is required to disable them. If any other protocol is required, such as SNMP, administrators must explicitly configure it.
Check Content
From APIC GUI:
1. Navigate to Fabric >> Fabric Policies >> Pod >> Management Access.
2. Fabric >> Fabric Policies >> Pod Policies >> Management Access.

Verify insecure or unnecessary ports/protocols, services, and ciphers are disabled. This is the default.

If the Cisco ACI is configured to listen on or run unnecessary and/or nonsecure functions, ports, protocols, and/or services, this is a finding.
Fix Text
From APIC GUI:
1. Navigate to Fabric >> Fabric Policies >> Pod >> Management Access.
2. Fabric >> Fabric Policies >> Pod Policies >> Management Access.

Disable insecure or unnecessary ports/protocols, services, and ciphers that have been enabled, such as HTTP, FTP, unauthorized TLS versions, and TELNET.
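The GUI check above can also be scripted against an exported copy of the Management Access policy. The following is an added example, not part of the STIG or of Cisco's tooling: it audits a constructed APIC-style JSON response for the items the Fix Text names (HTTP, Telnet, and TLS versions below 1.2). The class and attribute names used (commPol, commHttp, commHttps, commSsh, commTelnet, adminSt, sslProtocols) are assumptions about the ACI object model, and the sample data is constructed.

```python
import json

# Constructed sample shaped like an APIC REST subtree query of the default
# Management Access policy. Class/attribute names are assumptions, not from the STIG.
SAMPLE_RESPONSE = json.dumps({
    "totalCount": "5",
    "imdata": [
        {"commPol": {"attributes": {"dn": "uni/fabric/comm-default", "name": "default"}}},
        {"commHttp": {"attributes": {"dn": "uni/fabric/comm-default/http",
                                     "adminSt": "enabled", "port": "80"}}},
        {"commHttps": {"attributes": {"dn": "uni/fabric/comm-default/https",
                                      "adminSt": "enabled", "port": "443",
                                      "sslProtocols": "TLSv1,TLSv1.1,TLSv1.2"}}},
        {"commSsh": {"attributes": {"dn": "uni/fabric/comm-default/ssh",
                                    "adminSt": "enabled", "port": "22"}}},
        {"commTelnet": {"attributes": {"dn": "uni/fabric/comm-default/telnet",
                                       "adminSt": "enabled", "port": "23"}}},
    ],
})

# Services the check expects to be off, and TLS versions treated as unauthorized.
PROHIBITED_SERVICES = {"commHttp": "HTTP", "commTelnet": "Telnet"}
UNAUTHORIZED_TLS = {"TLSv1", "TLSv1.1"}


def audit_mgmt_access(response_json: str) -> list[str]:
    """Return one finding per violation; an empty list means the policy passes."""
    findings = []
    for mo in json.loads(response_json)["imdata"]:
        (cls, body), = mo.items()          # each imdata entry is {className: {attributes: ...}}
        attrs = body["attributes"]
        if cls in PROHIBITED_SERVICES and attrs.get("adminSt") == "enabled":
            findings.append(f"{PROHIBITED_SERVICES[cls]} is enabled on {attrs['dn']}")
        if cls == "commHttps":
            # sslProtocols is assumed to be a comma-separated list of accepted versions
            allowed = {p.strip() for p in attrs.get("sslProtocols", "").split(",") if p.strip()}
            for proto in sorted(allowed & UNAUTHORIZED_TLS):
                findings.append(f"{proto} is accepted by HTTPS on {attrs['dn']}")
    return findings


if __name__ == "__main__":
    for line in audit_mgmt_access(SAMPLE_RESPONSE) or ["No findings: policy is compliant"]:
        print(line)
```

Any non-empty result corresponds to a finding under this check; SSH and HTTPS themselves are expected to stay enabled, so they are only inspected, not flagged.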
Additional Identifiers
Rule ID: SV-271920r1067358_rule
Vulnerability ID: V-271920
Group Title: SRG-APP-000142-NDM-000245
CCIs
Number | Definition
---|---
CCI-000382 | Configure the system to prohibit or restrict the use of organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services.
Controls
Number | Title
---|---
CM-7 | Least Functionality