Check: SRG-NET-000364-RTR-000113
Router SRG:
SRG-NET-000364-RTR-000113
(in versions v4 r3 through v4 r1)
Title
The perimeter router must be configured to block all outbound management traffic. (Cat II impact)
Discussion
For in-band management, the management network must have its own subnet in order to enforce control and access boundaries provided by Layer 3 network nodes, such as routers and firewalls. Management traffic between the managed network elements and the management network is routed via the same links and nodes as that used for production or operational traffic. Safeguards must be implemented to ensure that the management traffic does not leak past the perimeter of the managed network.
Check Content
This requirement is not applicable for the DoDIN Backbone. The perimeter router of the managed network must be configured with an access control list (ACL) or filter on the egress interface to block all management traffic. If management traffic is not blocked at the perimeter, this is a finding.
Fix Text
This requirement is not applicable for the DoDIN Backbone. Configure the perimeter router of the managed network with an ACL or filter on the egress interface to block all outbound management traffic.
Additional Identifiers
Rule ID: SV-207167r945857_rule
Vulnerability ID: V-207167
Group Title: SRG-NET-000364
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-001097 |
The information system monitors and controls communications at the external boundary of the information system and at key internal boundaries within the system. |
| CCI-002403 |
The information system only allows incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations. |