Check: CISR-RT-000009
Cisco ISR 4000 Series RTR STIG:
CISR-RT-000009
(in version v1 r1)
Title
The Cisco ISR 4000 Series router must enforce that Interior Gateway Protocol instances configured on the out-of-band management gateway router only peer with their own routing domain. (Cat II impact)
Discussion
If the gateway router is not a dedicated device for the out-of-band management network, implementation of several safeguards for containment of management and production traffic boundaries must occur. Since the managed and management network are separate routing domains, configuration of separate Interior Gateway Protocol routing instances is critical on the router to segregate traffic from each network.
Check Content
Verify that the OOBM interface is an adjacency only in the IGP routing domain for the management network. The following would be an example where EIGRP is run on the management network 10.0.0.0 and OSPF in the managed network 172.20.0.0. The network 10.1.20.0/24 is the OOBM backbone and 10.1.1.0 is the local management LAN connecting to the OOBM interfaces of the managed network (i.e., the private and service network) elements. interface Serial0/0 description to_OOBM_Backbone ip address 10.1.20.3 255.255.255.0 ! interface FastEthernet 0/0 description Enclave_Management_LAN ip address 10.1.1.1 255.255.255.0 ! interface FastEthernet 0/1 description to_our_PrivateNet ip address 172.20.4.2 255.255.255.0 ! interface FastEthernet 0/2 description to_our_ServiceNet ip address 172.20.5.2 255.255.255.0 ! router ospf 1 network 172.20.0.0 ! router eigrp 12 network 10.0.0.0 If the OOBM interface is not an adjacency only in the IGP routing domain for the management network, this is a finding.
Fix Text
Ensure that multiple IGP instances configured on the OOBM gateway router peer only with their appropriate routing domain. Verify that the all interfaces are configured for the appropriate IGP instance.
Additional Identifiers
Rule ID:
Vulnerability ID: V-74113
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001414 |
The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies. |
Controls
Number | Title |
---|---|
AC-4 |
Information Flow Enforcement |