Title

The premise firewall (located behind the premise router) must block all outbound management traffic. (Cat II impact)

Discussion

The management network must still have its own subnet in order to enforce control and access boundaries provided by Layer 3 network nodes such as routers and firewalls. Management traffic between the managed network elements and the management network is routed via the same links and nodes as that used for production or operational traffic. Safeguards must be implemented to ensure that the management traffic does not leak past the managed network's premise equipment. If a firewall is located behind the premise router, all management traffic must be blocked at that point, with the exception of management traffic destined to premise equipment.

Check Content

Review the firewall configuration to verify that it is blocking all outbound management traffic. If the firewall is not blocking management network from leaking to outside networks, this is a finding.

Fix Text

With the exception of management traffic destined to perimeter equipment, configure a firewall located behind the premise router to block all outbound management traffic.

Additional Identifiers

Rule ID: SV-206707r855867_rule

Vulnerability ID: V-206707

Group Title: SRG-NET-000364

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.