The Nokia router must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-283762 | NOKI-ND-000110 | SV-283762r1203331_rule | CCI-001368 | medium |
| Description | ||||
| A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If management information flow is not enforced based on approved authorizations, the network device may become compromised. Information flow control regulates where management information is allowed to travel within a network device. The flow of all management information must be monitored and controlled so it does not introduce any unacceptable risk to the network device or data. Application-specific examples of enforcement occur in systems that employ rule sets or establish configuration settings that restrict information system services or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). | ||||
| STIG | Date | |||
| Nokia Service Router OS 25.x Network Device Management Security Technical Implementation Guide | 2026-06-15 | |||
Details
Check Text (C-283762r1203331_chk)
Verify at least one IPv4, IPv6, or MAC for management-access-filter or cpm-filter is configured to control the flow of management information within the Nokia router.
Verify entries meet the approved authorization for controlling the flow of management information, as shown in the examples below:
- show system security management-access-filter ip-filter
- show system security management-access-filter ipv6-filter
- show system security management-access-filter mac-filter
- show system security cpm-filter ip-filter
- show system security cpm-filter ipv6-filter
- show system security cpm-filter mac-filter
If at least one of these filters is not configured to enforce the approved authorizations, this is a finding.
Fix Text (F-88232r1203330_fix)
Each of the management-access-filters and cpm-filters supports the IPv4 filter (ip-filter), IPv6 filter, and MAC filters. Configure each filter using the examples below:
Configure the entry match criteria based on IPv4, IPv6, or MAC match criteria.
Example of management-access-filter ipv4 filter configuration:
- configure system security management-access-filter ip-filter
- default-action <permit | deny| deny-host-unreachable>
- entry <entry id>
- <match criteria> <match value>
- action <permit | deny| deny-host-unreachable>
Enable the management access ip filter:
- configure system security management-access-filter ip-filter no shutdown
Example of management-access-filter ipv6 filter configuration:
- configure system security management-access-filter ipv6-filter
- default-action <permit | deny| deny-host-unreachable>
- entry <entry id>
- <match criteria> <match value>
- action <permit | deny| deny-host-unreachable>
Enable the management access ipv6 filter:
- configure system security management-access-filter ipv6-filter no shutdown
Example of cpm ipv6 filter configuration:
- configure system security cpm-filter ipv6-filter
- entry <id> create
- match <match criteria> <match value>
- action <action>
Enable the cpm ipv6 filter:
- configure system security cpm-filter ipv6-filter no shutdown
Example of cpm ipv4 filter configuration:
- configure system security cpm-filter ip-filter
- entry <id> create
- match <match criteria> <match value>
- action <action>
Enable the cpm ipv4 filter:
- configure system security cpm-filter ip-filter no shutdown