An error occurred:

Check: RCKS-RTR-000790

RUCKUS ICX Router STIG: RCKS-RTR-000790 (in version v1 r1)

Title

The RUCKUS ICX perimeter router must be configured to block all outbound management traffic. (Cat II impact)

Discussion

For in-band management, the management network must have its own subnet to enforce control and access boundaries provided by layer 3 network nodes, such as routers and firewalls. Management traffic between the managed network elements and the management network is routed via the same links and nodes as that used for production or operational traffic. Safeguards must be implemented to ensure the management traffic does not leak past the perimeter of the managed network.

Check Content

This requirement is not applicable for the DODIN Backbone. The perimeter router of the managed network must be configured with an access control list (ACL) or filter on the egress interface to block all management traffic. Verify all external interfaces have been configured with an outbound ACL as shown in the example below: EXTERNAL_ACL_OUTBOUND: 5 entries 10: deny tcp any any eq radius 20: deny tcp any any eq sshow log 30: deny tcp any any eq snmp log 40: deny udp any any eq syslog log 50: deny ip any any log interface ethernet x/x/x ip access-group EXTERNAL_ACL_OUTBOUND out logging enable If management traffic is not blocked at the perimeter, this is a finding.

Fix Text

This requirement is not applicable for the DODIN Backbone. Configure the perimeter router of the managed network with an ACL or filter on the egress interface to block all outbound management traffic. Configure an ACL to block egress management traffic, as shown in the example below: ICX(config)#ip access-list extended EXTERNAL_ACL_OUTBOUND ICX(config-ext-ipacl-EXTERNAL_ACL_OUTBOUND)#deny tcp any any eq radius log ICX(config-ext-ipacl-EXTERNAL_ACL_OUTBOUND)#deny tcp any any eq sshow log ICX(config-ext-ipacl-EXTERNAL_ACL_OUTBOUND)#deny udp any any eq snmp log ICX(config-ext-ipacl-EXTERNAL_ACL_OUTBOUND)#deny udp any any eq syslog log ICX(config-ext-ipacl-EXTERNAL_ACL_OUTBOUND)#deny ip any any log ICX(config-ext-ipacl-EXTERNAL_ACL_OUTBOUND)#exit Configure the external interfaces with the outbound ACL, as shown in the example below: ICX(config)#interface ethernet x/x/x ICX(Config-if-e10000-x/x/x)#ip access-group EXTERNAL_ACL_OUTBOUND out logging enable

Additional Identifiers

Rule ID: SV-273646r1111039_rule

Vulnerability ID: V-273646

Group Title: SRG-NET-000364-RTR-000113

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-002403

Only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SC-7(11)

Restrict Incoming Communications Traffic