Check: CACI-RT-000001
Cisco ACI Router STIG: CACI-RT-000001 (in version v1 r0.1)
Title
The Cisco ACI must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies. (Cat II impact)
Discussion
Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. Information flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems. In Cisco ACI, the administrator uses "contracts" to define the security policy that controls traffic between endpoint groups (EPGs). A contract is a more granular and flexible equivalent of an ACL: the consuming and providing EPGs take the place of source and destination addresses, and the filters referenced by the contract specify the EtherType, IP protocol, and ports that are permitted. Traffic between EPGs that share no contract is dropped by default when the VRF enforces policy. Add multiple filter entries to a contract to build a comprehensive set of allowed traffic patterns that matches the desired network segmentation.
Check Content
Review the switch configuration to verify that contracts and their filters are configured to allow or deny traffic between specific source and destination EPGs for specific ports and protocols. For example, the configuration below will allow web traffic (HTTP) from the "WebServer" EPG to the "Database" EPG.

tenant TENANT1
 context Application
  filter WEB_TRAFFIC_FILTER
   filter ip permit source <web_server_ip_range> destination <database_ip_range> protocol tcp port 80
  contract WEBACCESS
   filter WEB_TRAFFIC_FILTER
  epg WebServer
   contract WEBACCESS
  epg Database
   contract WEBACCESS

If the switch is not configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies, this is a finding.
Fix Text
Configure "contracts" to define security policies that control traffic between different EPGs.

Step 1: Navigate to the desired tenant and context to create filters.

apic(config)# tenant <tenant_name>
apic(config-tenant)# context <context_name>
apic(config-tenant)# filter <filter_name>
apic(config-tenant-filter)# filter ip permit source <source_IP_range> destination <dest_IP_range> protocol <protocol> port <port_number>

Step 2: Create or update an existing contract. Link the previously created filter to a named contract.

apic(config-tenant)# contract <contract_name>
apic(config-tenant-contract)# filter <filter_name>

Step 3: Assign the contract to EPGs. Associate the created contract with each EPG that should provide or consume it.

apic(config-tenant)# epg <epg_name>
apic(config-tenant-epg)# contract <contract_name>
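The check and fix above describe the policy objects involved (filters, contracts, and the EPGs that provide or consume them) but give the auditor nothing to run. The following script is an added example, not part of the STIG text or Cisco's tooling: it audits a tenant's policy as exported from the APIC REST API (the JSON returned by GET /api/mo/uni/tn-<tenant>.json?rsp-subtree=full) and reports the conditions that would make this check a finding: a VRF set to "unenforced" (contracts are ignored entirely), an EPG that neither provides nor consumes any contract, and a contract whose filter entries permit any EtherType, any IP protocol, or all ports of TCP/UDP (effectively "permit ip any any"). The class and attribute names used (fvTenant, fvCtx, fvAp, fvAEPg, fvRsProv, fvRsCons, vzBrCP, vzSubj, vzRsSubjFiltAtt, vzFilter, vzEntry, pcEnfPref, tnVzBrCPName, tnVzFilterName) are the APIC managed-object names; the sample export embedded in the script is constructed for this example and models the WEBACCESS contract from the check text plus two misconfigurations.

```python
"""Audit an APIC tenant export for CACI-RT-000001 (contract-based flow control).

Added example, not part of the STIG or Cisco's tooling. Input is the JSON an
APIC returns for GET /api/mo/uni/tn-<tenant>.json?rsp-subtree=full; the
SAMPLE_EXPORT below is constructed for this example.
"""
import json
from typing import Dict, Iterator, List, Tuple


def _walk(mos: List[dict], cls: str) -> Iterator[Tuple[dict, List[dict]]]:
    """Yield (attributes, children) for every managed object of class `cls`
    anywhere under the given list of APIC JSON objects ({"class": {...}})."""
    for item in mos:
        for mo_cls, body in item.items():
            if mo_cls == cls:
                yield body.get("attributes", {}), body.get("children", [])
            yield from _walk(body.get("children", []), cls)


def entry_is_unrestricted(entry: dict) -> bool:
    """A vzEntry that matches every EtherType, every IP protocol, or all
    destination ports of TCP/UDP enforces no specific policy."""
    ether = entry.get("etherT", "unspecified")
    prot = entry.get("prot", "unspecified")
    dport = entry.get("dFromPort", "unspecified")
    if ether == "unspecified":
        return True
    if ether in ("ip", "ipv4", "ipv6") and prot == "unspecified":
        return True
    return prot in ("tcp", "udp") and dport == "unspecified"


def audit_tenant(export_json: str) -> Dict[str, List[str]]:
    """Return findings keyed by category; each entry names the offending object."""
    data = json.loads(export_json)
    findings: Dict[str, List[str]] = {
        "unenforced_vrf": [],          # VRF ignores contracts entirely
        "epg_without_contract": [],    # EPG neither provides nor consumes a contract
        "unrestricted_contract": [],   # contract permits any protocol/port
        "filter_not_in_export": [],    # filter lives elsewhere (e.g. tenant common)
    }
    for tn, tn_kids in _walk(data["imdata"], "fvTenant"):
        tenant = tn["name"]
        for ctx, _ in _walk(tn_kids, "fvCtx"):
            if ctx.get("pcEnfPref", "enforced") != "enforced":
                findings["unenforced_vrf"].append(f"{tenant}/{ctx['name']}")
        # filter name -> its vzEntry attribute dicts
        filters = {f["name"]: [e for e, _ in _walk(kids, "vzEntry")]
                   for f, kids in _walk(tn_kids, "vzFilter")}
        for ct, ct_kids in _walk(tn_kids, "vzBrCP"):
            for ref, _ in _walk(ct_kids, "vzRsSubjFiltAtt"):
                fname = ref["tnVzFilterName"]
                if fname not in filters:
                    findings["filter_not_in_export"].append(f"{tenant}/{ct['name']} -> {fname}")
                    continue
                for entry in filters[fname]:
                    if entry_is_unrestricted(entry):
                        findings["unrestricted_contract"].append(
                            f"{tenant}/{ct['name']} filter {fname} entry {entry.get('name', '?')}")
        for epg, epg_kids in _walk(tn_kids, "fvAEPg"):
            provided = [r["tnVzBrCPName"] for r, _ in _walk(epg_kids, "fvRsProv")]
            consumed = [r["tnVzBrCPName"] for r, _ in _walk(epg_kids, "fvRsCons")]
            if not provided and not consumed:
                findings["epg_without_contract"].append(f"{tenant}/{epg['name']}")
    return findings


# Constructed sample export: the WEBACCESS contract from the check text, plus an
# unenforced VRF, a permit-any LEGACY contract, and an EPG with no contract.
SAMPLE_EXPORT = json.dumps({"imdata": [{"fvTenant": {
    "attributes": {"name": "TENANT1"},
    "children": [
        {"fvCtx": {"attributes": {"name": "PROD", "pcEnfPref": "enforced"}}},
        {"fvCtx": {"attributes": {"name": "LAB", "pcEnfPref": "unenforced"}}},
        {"vzFilter": {"attributes": {"name": "WEB_TRAFFIC_FILTER"}, "children": [
            {"vzEntry": {"attributes": {"name": "http", "etherT": "ip", "prot": "tcp",
                                        "dFromPort": "http", "dToPort": "http"}}}]}},
        {"vzFilter": {"attributes": {"name": "PERMIT_ANY"}, "children": [
            {"vzEntry": {"attributes": {"name": "any", "etherT": "unspecified"}}}]}},
        {"vzBrCP": {"attributes": {"name": "WEBACCESS"}, "children": [
            {"vzSubj": {"attributes": {"name": "WEB"}, "children": [
                {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": "WEB_TRAFFIC_FILTER"}}}]}}]}},
        {"vzBrCP": {"attributes": {"name": "LEGACY"}, "children": [
            {"vzSubj": {"attributes": {"name": "ALL"}, "children": [
                {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": "PERMIT_ANY"}}}]}}]}},
        {"fvAp": {"attributes": {"name": "Application"}, "children": [
            {"fvAEPg": {"attributes": {"name": "WebServer"}, "children": [
                {"fvRsCons": {"attributes": {"tnVzBrCPName": "WEBACCESS"}}}]}},
            {"fvAEPg": {"attributes": {"name": "Database"}, "children": [
                {"fvRsProv": {"attributes": {"tnVzBrCPName": "WEBACCESS"}}},
                {"fvRsProv": {"attributes": {"tnVzBrCPName": "LEGACY"}}}]}},
            {"fvAEPg": {"attributes": {"name": "Mgmt"}}}]}},
    ]}}]})


if __name__ == "__main__":
    for category, items in audit_tenant(SAMPLE_EXPORT).items():
        print(f"{category}: {items or 'none'}")
```

Run against the sample, the script reports LAB as an unenforced VRF, Mgmt as an EPG with no contract, and LEGACY as an unrestricted contract; WEBACCESS, which only permits TCP/80, produces no finding. A filter referenced from another tenant (typically the "default" filter in tenant common, which permits any traffic) is listed separately so the auditor can resolve it by hand, since it is not present in a single-tenant export.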
Additional Identifiers
Rule ID: SV-272061r1064575_rule
Vulnerability ID: V-272061
Group Title: SRG-NET-000018-RTR-000001
CCIs
Number | Definition
---|---
CCI-001368 | Enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.
Controls
Number | Title
---|---
AC-4 | Information Flow Enforcement