Title

The RUCKUS ICX out-of-band management (OOBM) gateway router must be configured to forward only authorized management traffic to the Network Operations Center (NOC). (Cat II impact)

Discussion

The OOBM network is an IP network used exclusively for the transport of operations, administration, maintenance, and provisioning (OAM&P) data from the network being managed to the operations support system (OSS) components located at the NOC. Its design provides connectivity to each managed network device, enabling network management traffic to flow between the managed network elements and the NOC. This allows the use of paths separate from those used by the managed network.

Check Content

This requirement is not applicable for the DODIN Backbone. Review the network topology diagram to determine connectivity between the managed network and the NOC. Review the OOBM gateway router configuration to validate the path the management traffic traverses. Verify only management traffic is forwarded through the OOBM interface or IPsec tunnel. If an OOBM link is used, verify the only authorized management traffic is transported to the NOC by reviewing the outbound ACL applied to the OOBM interface as shown in the example below: 1. Note the outbound ACL applied to the OOBM interface. interface ethernet 1/1/1 port-name OOBM-to-NOC ip access-group MGMT_TRAFFIC_ACL out logging enable ! 2. Review the outbound ACL and verify only management traffic is forwarded to the NOC. ip access-list extended MGMT_TRAFFIC_ACL sequence 10 permit tcp x.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq radius sequence 20 permit tcp x.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq ssh sequence 30 permit udp x.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq snmp sequence 40 permit udp x.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq shell sequence 50 permit icmp x.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 sequence 60 deny ip any any log ! If traffic other than authorized management traffic is permitted through the OOBM interface, this is a finding.

Fix Text

This requirement is not applicable for the DODIN Backbone. Configure filters based on port, source IP address, and destination IP address to permit only authorized management traffic into IPsec tunnels or the OOBM interface used for forwarding management data. 1. Configure ACLs. ICX(config)#ip access-list ext MGMT_TRAFFIC_ACL ICX(config-ext-ipacl-MGMT_TRAFFIC_ACL)#permit tcp x.1.34.0/24 10.22.2.0/24 eq radius ICX(config-ext-ipacl-MGMT_TRAFFIC_ACL)#permit tcp x.1.34.0/24 10.22.2.0/24 eq ssh ICX(config-ext-ipacl-MGMT_TRAFFIC_ACL)#permit udp x.1.34.0/24 10.22.2.0/24 eq snmp ICX(config-ext-ipacl-MGMT_TRAFFIC_ACL)#permit udp x.1.34.0/24 10.22.2.0/24 eq snmp-t ICX(config-ext-ipacl-MGMT_TRAFFIC_ACL)#permit udp x.1.34.0/24 10.22.2.0/24 eq syslog ICX(config-ext-ipacl-MGMT_TRAFFIC_ACL)#permit icmp x.1.34.0/24 10.22.2.0/24 ICX(config-ext-ipacl-MGMT_TRAFFIC_ACL)#deny ip any any log 2. Apply the ACL to the appropriate interface(s). ICX(config)#interface ethernet 1/1/1 ICX(config-if-e10000-1/1/1)#ip access-group MGMT_TRAFFIC_ACL out logging enable

Additional Identifiers

Rule ID: SV-273614r1110925_rule

Vulnerability ID: V-273614

Group Title: SRG-NET-000205-RTR-000010

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.