Check: CACI-RT-000001
Cisco ACI Router STIG: CACI-RT-000001 (version v1 r2)
Title
The Cisco ACI must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies. (Cat II impact)
Discussion
Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. Information flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems. In Cisco ACI, the administrator uses "contracts" to define security policies that control traffic between different endpoint groups (EPGs), essentially acting as a more granular and flexible ACL mechanism by specifying source and destination addresses, ports, and protocols based on the desired network segmentation needs. Add multiple filter rules to create a comprehensive set of allowed traffic patterns.

Satisfies: SRG-NET-000019-RTR-000005, SRG-NET-000715-RTR-000120
Check Content
Review the switch configuration to verify that contracts are configured.

1. To check contract configuration, navigate to Tenants >> {{Your_Tenant}} >> Contracts >> Standard (whitelist)/Taboos (blacklist) >> {{Your_Contract}} >> {{your_subject}}.
2. To check the configuration for the Provider and Consumer of the contract, navigate to Tenants >> {{Your_Tenant}} >> Application Profiles >> {{your_Application_Profile}} >> Application EPGs >> {{Your_EPG}} >> Contracts.

If the switch is not configured to use contract filters to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies, this is a finding.
Fix Text
Configure "contracts" to define security policies that control traffic between different EPGs. Contract subjects combine filters that designate what traffic is allowed to pass through the contract, but for the contract to take effect it must be applied with the Provider side attached to the service EPG and the Consumer side attached to the user EPG. Traffic must be initiated from the Consumer EPG to the Provider EPG, including filters and security policies.

1. Configure the details of each contract. Navigate to Tenants >> {{Your_Tenant}} >> Contracts >> Standard (whitelist)/Taboos (blacklist) >> {{Your_Contract}} >> {{your_subject}}.
2. Configure the details of each Provider and Consumer of the contract. Navigate to Tenants >> {{Your_Tenant}} >> Application Profiles >> {{your_Application_Profile}} >> Application EPGs >> {{Your_EPG}} >> Contracts.
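The Check Content and Fix Text above describe a manual walk through the APIC GUI. The following script is an added example (it is not part of the STIG and not Cisco code) that performs the same review over a tenant tree in the JSON shape the APIC REST API returns: it confirms every EPG provides or consumes a contract, that each referenced contract and filter exists, that each subject has filters with entries, and that each contract is attached to both a provider and a consumer EPG (the Fix Text's condition for the contract to take effect). The managed-object class names (fvTenant, fvAp, fvAEPg, fvRsProv, fvRsCons, vzBrCP, vzSubj, vzRsSubjFiltAtt, vzFilter, vzEntry) are real ACI classes; the tenant, EPG, contract and filter names in the sample are constructed for illustration, and a real audit would pull the tenant with a GET against the APIC instead of the embedded sample.

```python
"""Audit an ACI tenant export for CACI-RT-000001 (added example, not STIG text)."""
import json
from collections import defaultdict

# Constructed sample tenant in APIC REST JSON shape. Class names are real ACI
# managed-object classes; the object names and ports are made up for the demo.
SAMPLE_TENANT = json.loads("""
{"fvTenant": {"attributes": {"name": "prod"}, "children": [
  {"vzFilter": {"attributes": {"name": "http"}, "children": [
    {"vzEntry": {"attributes": {"name": "tcp80", "etherT": "ip", "prot": "tcp",
                                "dFromPort": "http", "dToPort": "http"}}}]}},
  {"vzBrCP": {"attributes": {"name": "web-to-app"}, "children": [
    {"vzSubj": {"attributes": {"name": "http-only"}, "children": [
      {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": "http"}}}]}}]}},
  {"vzBrCP": {"attributes": {"name": "orphan"}, "children": [
    {"vzSubj": {"attributes": {"name": "empty"}, "children": []}}]}},
  {"fvAp": {"attributes": {"name": "shop"}, "children": [
    {"fvAEPg": {"attributes": {"name": "web"}, "children": [
      {"fvRsCons": {"attributes": {"tnVzBrCPName": "web-to-app"}}}]}},
    {"fvAEPg": {"attributes": {"name": "app"}, "children": [
      {"fvRsProv": {"attributes": {"tnVzBrCPName": "web-to-app"}}}]}},
    {"fvAEPg": {"attributes": {"name": "db"}, "children": []}}]}}
]}}
""")


def _find(children, cls):
    """Yield the body of every managed object of class `cls` in a children list."""
    for child in children:
        for name, body in child.items():
            if name == cls:
                yield body
            yield from _find(body.get("children", []), cls)


def audit_tenant(tenant):
    """Return a list of finding strings; an empty list means the tenant passes."""
    findings = []
    tn = tenant["fvTenant"]["attributes"]["name"]

    # Filters: name -> number of vzEntry rules (a filter with none matches nothing).
    filters = {f["attributes"]["name"]: len(list(_find(f.get("children", []), "vzEntry")))
               for f in _find([tenant], "vzFilter")}

    # Contracts: name -> {subject name: [attached filter names]}.
    contracts = {}
    for c in _find([tenant], "vzBrCP"):
        subjects = {}
        for s in _find(c.get("children", []), "vzSubj"):
            subjects[s["attributes"]["name"]] = [
                r["attributes"]["tnVzFilterName"]
                for r in _find(s.get("children", []), "vzRsSubjFiltAtt")]
        contracts[c["attributes"]["name"]] = subjects

    # EPG side: every EPG must provide or consume at least one defined contract.
    providers, consumers = defaultdict(set), defaultdict(set)
    for ap in _find([tenant], "fvAp"):
        for epg in _find(ap.get("children", []), "fvAEPg"):
            epg_name = f'{tn}/{ap["attributes"]["name"]}/{epg["attributes"]["name"]}'
            kids = epg.get("children", [])
            prov = [r["attributes"]["tnVzBrCPName"] for r in _find(kids, "fvRsProv")]
            cons = [r["attributes"]["tnVzBrCPName"] for r in _find(kids, "fvRsCons")]
            if not prov and not cons:
                findings.append(f"{epg_name}: no contract provided or consumed")
            for name in prov:
                providers[name].add(epg_name)
            for name in cons:
                consumers[name].add(epg_name)
            for name in prov + cons:
                if name not in contracts:
                    findings.append(f"{epg_name}: references undefined contract '{name}'")

    # Contract side: subjects need real filters, and the contract needs both ends.
    for name, subjects in contracts.items():
        if not subjects:
            findings.append(f"contract '{name}': has no subjects")
        for subj, flts in subjects.items():
            if not flts:
                findings.append(f"contract '{name}' subject '{subj}': no filters attached")
            for f in flts:
                if f not in filters:
                    findings.append(f"contract '{name}' subject '{subj}': undefined filter '{f}'")
                elif filters[f] == 0:
                    findings.append(f"contract '{name}' subject '{subj}': filter '{f}' has no entries")
        if not providers[name] or not consumers[name]:
            findings.append(f"contract '{name}': lacks a provider or consumer EPG, so it is not enforced")
    return findings


if __name__ == "__main__":
    for line in audit_tenant(SAMPLE_TENANT):
        print("FINDING:", line)
```

On the sample the script reports three findings: the `db` EPG has no contract at all, and the `orphan` contract has a subject with no filters and is attached to neither a provider nor a consumer; the `web-to-app` contract between `web` (consumer) and `app` (provider) passes. The check is deliberately structural: it tells you whether contracts are in place and wired correctly, not whether the filters match the organization's flow policy, which still has to be reviewed against the policy document.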
Additional Identifiers
Rule ID: SV-272061r1168386_rule
Vulnerability ID: V-272061
Group Title: SRG-NET-000018-RTR-000001
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-001368 | Enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies. |
| CCI-001414 | Enforce approved authorizations for controlling the flow of information between connected systems based on organization-defined information flow control policies. |
| CCI-004891 | Implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions. |