Check: RCKS-L2S-000300
RUCKUS ICX Layer 2 Switch STIG:
RCKS-L2S-000300
(in version v1 r1)
Title
The RUCKUS ICX switch must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions. (Cat II impact)
Discussion
Separating critical system components and functions from other noncritical system components and functions through separate subnetworks may be necessary to reduce susceptibility to a catastrophic or debilitating breach or compromise that results in system failure. For example, physically separating the command and control function from the in-flight entertainment function through separate subnetworks in a commercial aircraft provides an increased level of assurance in the trustworthiness of critical system functions.
Satisfies: SRG-NET-000715-L2S-000120, SRG-NET-000760-L2S-000160
Check Content
Review the RUCKUS ICX switch configuration and compare the VLANs and their port membership against the organization's list of critical system components and functions.

Router# show vlans
PORT-VLAN 5, Name Organization_A, Priority level0, in single spanning tree domain
 Untagged Ports: None 2
 Tagged Ports: (U1/M1) 4 6 8 10 12 14
 Mac-Vlan Ports: None
 Monitoring: Disabled
PORT-VLAN 10, Name Organization_B, Priority level0, in single spanning tree domain
 Untagged Ports: None 20 21 22
 Tagged Ports: (U1/M1) 1 3 5 7 9 11
 Mac-Vlan Ports: None
 Monitoring: Disabled
PORT-VLAN 12, Name IP_Phone, Priority level0, in single spanning tree domain
 Untagged Ports: None
 Tagged Ports: (U1/M1) 30 31 32 33 34 35
 Mac-Vlan Ports: None
 Monitoring: Disabled

If the RUCKUS ICX switch is not configured to implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions, this is a finding.
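To make the review repeatable, the following added Python script (not part of the STIG or of RUCKUS software) parses "show vlans" output in the shape quoted above and reports when a named critical VLAN is missing or when one of its ports is also a member of a noncritical VLAN; it assumes that a port tagged in both VLANs is an 802.1Q trunk and therefore still logically separate, and that the output uses the single-line "Untagged Ports:"/"Tagged Ports:" layout shown here. The sample output is constructed from the check content.

```python
import re

# Constructed sample in the shape of the "show vlans" output quoted in the check content.
SAMPLE_SHOW_VLANS = """\
PORT-VLAN 5, Name Organization_A, Priority level0, in single spanning tree domain
 Untagged Ports: None 2
 Tagged Ports: (U1/M1) 4 6 8 10 12 14
PORT-VLAN 10, Name Organization_B, Priority level0, in single spanning tree domain
 Untagged Ports: None 20 21 22
 Tagged Ports: (U1/M1) 1 3 5 7 9 11
PORT-VLAN 12, Name IP_Phone, Priority level0, in single spanning tree domain
 Untagged Ports: None
 Tagged Ports: (U1/M1) 30 31 32 33 34 35
"""

VLAN_HDR = re.compile(r"^PORT-VLAN (\d+), Name (\S+),")
PORT_LINE = re.compile(r"^\s*(Untagged|Tagged) Ports:(.*)$")

def parse_show_vlans(text):
    """Return {vlan_id: {"name": str, "untagged": set, "tagged": set}}."""
    vlans, current = {}, None
    for line in text.splitlines():
        m = VLAN_HDR.match(line)
        if m:
            current = {"name": m.group(2), "untagged": set(), "tagged": set()}
            vlans[int(m.group(1))] = current
        elif current is not None and (m := PORT_LINE.match(line)):
            # Keep port numbers only; "None" and module markers such as "(U1/M1)" are skipped.
            current[m.group(1).lower()] |= {int(t) for t in m.group(2).split() if t.isdigit()}
    return vlans

def isolation_findings(vlans, critical_names):
    """Reasons the named critical VLANs are not isolated; an empty list means no finding."""
    findings = []
    by_name = {v["name"]: (vid, v) for vid, v in vlans.items()}
    for name in critical_names:
        if name not in by_name:
            findings.append(f"critical VLAN {name} is not configured")
            continue
        vid, crit = by_name[name]
        for oid, other in vlans.items():
            if oid == vid or other["name"] in critical_names:
                continue
            for port in sorted((crit["untagged"] | crit["tagged"]) & (other["untagged"] | other["tagged"])):
                # Assumption: a port tagged in both VLANs is an 802.1Q trunk, so traffic stays logically separate.
                if port in crit["tagged"] and port in other["tagged"]:
                    continue
                findings.append(f"port {port} is in critical VLAN {vid} ({name}) and VLAN {oid} ({other['name']})")
    return findings
```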
Fix Text
Configure the layer 2 switch to implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.

1. Add each VLAN by number and name (VLAN 12 is the IP_Phone VLAN shown in the check content).
Router# configure terminal
Router(config)# vlan 5 name Organization_A
Router(config-vlan-5)# vlan 10 name Organization_B
Router(config-vlan-10)# vlan 12 name IP_Phone

2. Add untagged (access) ports to the VLANs as needed, for example:
Router(config-vlan-12)# vlan 5
Router(config-vlan-5)# untag ethernet 1/1/2

3. Add tagged (trunk) ports.
Router(config-vlan-5)# tag ethernet 1/1/4

4. Save the configuration.
Router(config-vlan-5)# write memory
Additional Identifiers
Rule ID: SV-273696r1110998_rule
Vulnerability ID: V-273696
Group Title: SRG-NET-000715-L2S-000120
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-004891 | Implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions. |
CCI-004931 | Establish organization-defined alternate communications paths for system operations organizational command and control. |
Controls
Number | Title |
---|---|
No controls are assigned to this check |