The network element must have HTTP service for administrative access disabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-3085	NET0740	SV-41467r1_rule	ECSC-1	Medium

Description
The additional services that the router is enabled for increases the risk for an attack since the router will listen for these services. In addition, these services provide an unsecured method for an attacker to gain access to the router. Most recent software versions support remote configuration and monitoring using the World Wide Web's HTTP protocol. In general, HTTP access is equivalent to interactive access to the router. The authentication protocol used for HTTP is equivalent to sending a clear-text password across the network, and, unfortunately, there is no effective provision in HTTP for challenge-based or one-time passwords. This makes HTTP a relatively risky choice for use across the public Internet. Any additional services that are enabled increase the risk for an attack since the router will listen for these services.

Description

The additional services that the router is enabled for increases the risk for an attack since the router will listen for these services. In addition, these services provide an unsecured method for an attacker to gain access to the router. Most recent software versions support remote configuration and monitoring using the World Wide Web's HTTP protocol. In general, HTTP access is equivalent to interactive access to the router. The authentication protocol used for HTTP is equivalent to sending a clear-text password across the network, and, unfortunately, there is no effective provision in HTTP for challenge-based or one-time passwords. This makes HTTP a relatively risky choice for use across the public Internet. Any additional services that are enabled increase the risk for an attack since the router will listen for these services.

STIG	Date
Perimeter L3 Switch Security Technical Implementation Guide - Cisco	2015-04-06

Details

Check Text ( C-39966r2_chk )
Verify that the command "ip http-server" is not defined in the configuration. As of 12.4, the http server is still disabled by default. However, since many defaults are not shown by IOS, you may not see the command "no ip http-server" in the configuration depending on the release.

Fix Text (F-3110r4_fix)
Configure the device to disable using HTTP (port 80) for administrative access.