Title

Switch Administration terminals do not connect directly to the switch administration port or connect via a controlled, dedicated, out of band network used for switch administration support. (Cat II impact)

Discussion

Requirement: The IAO will ensure that switch/device administration terminals are connected directly to the administration port of the switch/device or are connected via an out-of-band network used only for administration support. > Switch administration terminals must connect to the switch by using either a direct connection to the administration port or through a dedicated, out of band network. Connections other than these, for example through a non-dedicated network connection, will introduce security risks. > The requirement to dedicate OAM&P / NM and CTI networks or LANS is to protect the particular solution from threats from sources external to the solution. Connecting these dedicated LANs to another LAN negates this protection.

Check Content

Have the IAO or SA demonstrate compliance with the requirement; minimally on a sampling of the related or effected devices. Inspect configuration files as applicable.

Fix Text

Ensure that the connections used are through either a dedicated out of band network or direct connection to the administration port. Any other connections to administration terminals should be disconnected and their use should be discontinued.

Additional Identifiers

Rule ID: SV-8419r1_rule

Vulnerability ID: V-7933

Group Title: Admin terms not on a segregated connection

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.