The network device must be configured with both an ingress and egress ACL.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-243187 | WLAN-ND-001800 | SV-243187r879887_rule | CCI-000345 | medium |
| Description | ||||
| Changes to the hardware or software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the network device for implementing any changes or upgrades. This requirement applies to updates of the application files, configuration, ACLs, and policy filters. | ||||
| STIG | Date | |||
| Network WLAN Bridge Management Security Technical Implementation Guide | 2023-09-13 | |||
Related Frameworks
3 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
CM-5
1.00
- DISA · V7R2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1711 mapping
3.4.5
1.00
- DISA · V7R2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000345
1.00
- DISA · V7R2 · disa_xccdf · related
Details
Check Text (C-243187r879887_chk)
1. Verify the managed interface has an inbound and outbound ACL or filter.
2. Verify the ingress ACL blocks all transit traffic (any traffic not destined to the router itself). In addition, traffic accessing the managed elements should be originated at the NOC.
3. Verify the egress ACL blocks any traffic not originated by the managed element.
If the management interface does not have an ingress and egress filter configured and applied, this is a finding.
Fix Text (F-46419r720015_fix)
If the management interface is a routed interface, configure it with both an ingress and egress ACL. The ingress ACL should block any transit traffic, while the egress ACL should block any traffic that was not originated by the managed network device.