The Nokia router must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-283768 | NOKI-ND-000330 | SV-283768r1203574_rule | CCI-000382 | high |
| Description | ||||
| To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable unused or unnecessary physical and logical ports/protocols on information systems. Network devices are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the network device must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved. Some network devices have capabilities enabled by default; if these capabilities are not necessary, they must be disabled. If a particular capability is used, it must be documented and approved. | ||||
| STIG | Date | |||
| Nokia Service Router OS 25.x Network Device Management Security Technical Implementation Guide | 2026-06-15 | |||
Details
Check Text (C-283768r1203574_chk)
Verify the router does not have any unnecessary or nonsecure functions, ports, protocols, and services enabled.
For example, verify that Telnet and FTP are disabled:
- show system information | match Tel
Tel/Tel6/SSH/FTP Admin : Disabled/Disabled/Enabled/Disabled
Tel/Tel6/SSH/FTP Oper : Down/Down/Up/Down
Any other TCP/UDP port can be disallowed using CPM and/or management filters.
Verify nonsecure functions and services are disabled by using the command below:
- show system security management-access-filter ip-filter
- show system security management-access-filter ipv6-filter
- show system security cpm-filter ip-filter
- show system security cpm-filter ipv6-filter
If any unnecessary or nonsecure functions, ports, protocols, or services are permitted, this is a finding.
Fix Text (F-88238r1203573_fix)
Configure the Nokia router to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.
Disable FTP:
- configure system security no ftp-server
- configure system security no allow-ftp
Disable telnet:
- configure system security no telnet-server
- configure system security no allow-telnet
- configure system security no telnet6-server
- configure system security no allow-telnet6
Disable any other port/protocol using the management access filter:
- configure system security management-access-filter ip-filter
- default-action <permit | deny| deny-host-unreachable>
- entry <entry id>
- <match criteria> <match value>
- action <permit | deny| deny-host-unreachable>
Enable the management access ip filter:
- configure system security management-access-filter ip-filter no shutdown
Example of management-access-filter ipv6 filter configuration:
- configure system security management-access-filter ipv6-filter
- default-action <permit | deny| deny-host-unreachable>
- entry <entry id>
- <match criteria> <match value>
- action <permit | deny| deny-host-unreachable>
Enable the management access ipv6 filter:
- configure system security management-access-filter ipv6-filter no shutdown
Disable any other port/protocol using the CPM filter:
Example of cpm ipv6 filter configuration:
- configure system security cpm-filter ipv6-filter
- entry <id> create
- match <match criteria> <match value>
- action <action>
Enable the cpm ipv6 filter:
- configure system security cpm-filter ipv6-filter no shutdown
Example of cpm ipv4 filter configuration:
- configure system security cpm-filter ip-filter
- entry <id> create
- match <match criteria> <match value>
- action <action>
Enable the cpm ipv4 filter:
- configure system security cpm-filter ip-filter no shutdown
Example of ipv4 cpm filter to block HTTP:
- configure system security cpm-filter ip-filter
- entry 1 create
- match protocol tcp port 80
- action drop