The Nokia out-of-band management (OOBM) gateway router must be configured to forward only authorized management traffic to the Network Operations Center (NOC).
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-283848 | NOKI-RT-000300 | SV-283848r1203793_rule | CCI-001097 | medium |
| Description | ||||
| The OOBM network is an IP network used exclusively for the transport of Operations, Administration, Maintenance, and Provisioning (OAM&P) data from the network being managed to the Operational Support Systems (OSS) components located at the NOC. Its design provides connectivity to each managed network device, enabling network management traffic to flow between the managed network elements and the NOC. This allows the use of paths separate from those used by the managed network. | ||||
| STIG | Date | |||
| Nokia Service Router OS 25.x Router Security Technical Implementation Guide | 2026-06-15 | |||
Details
Check Text (C-283848r1203793_chk)
This requirement is not applicable for the DODIN Backbone.
Review the network topology diagram to determine connectivity between the managed network and the NOC.
Verify the management-access-filter, as shown in the example below:
- show system security management-access-filter ip-filter
IPv4 Management Access Filter
filter type : ip
Def. Action : permit
Admin Status : enabled (no shutdown)
-------------------------------------------------------------------------------
Entry : 10
Description : SSH
Src-ip : 192.168.100.0/24
Mgmt-port : cpm
Protocol : tcp
Dst-port : 22
Src-port : undefined
Router-instance: undefined
Action : permit
Log : enabled
Matches : 0
-------------------------------------------------------------------------------
Entry : 20
Description : snmp
Src-ip : 192.168.100.0/24
Mgmt-port : cpm
Protocol : udp
Dst-port : 161
Src-port : undefined
Router-instance: undefined
Action : permit
Log : enabled
Matches : 0
-------------------------------------------------------------------------------
Entry : 30
Description : tacacs
Src-ip : 192.168.100.10/32
Mgmt-port : cpm
Protocol : tcp
Dst-port : 49
Src-port : undefined
Router-instance: undefined
Action : permit
Log : enabled
Matches : 0
-------------------------------------------------------------------------------
Entry : 50
Description : snmp-trap
Src-ip : 192.168.100.0/24
Mgmt-port : cpm
Protocol : udp
Dst-port : 162
Src-port : undefined
Router-instance: undefined
Action : permit
Log : enabled
Matches : 0
-------------------------------------------------------------------------------
Entry : 60
Description : syslog
Src-ip : 192.168.100.0/24
Mgmt-port : cpm
Protocol : udp
Dst-port : 514
Src-port : undefined
Router-instance: undefined
Action : permit
Log : enabled
Matches : 0
-------------------------------------------------------------------------------
Entry : 70
Description : icmp
Src-ip : 192.168.100.0/24
Mgmt-port : cpm
Protocol : icmp
Dst-port : undefined
Src-port : undefined
Router-instance: undefined
Action : permit
Log : enabled
Matches : 0
-------------------------------------------------------------------------------
Entry : 80
Description : Deny all
Src-ip : undefined
Mgmt-port : cpm
Protocol : undefined
Dst-port : undefined
Src-port : undefined
Router-instance: undefined
Action : deny
Log : enabled
Matches : 0
If traffic other than authorized management traffic is permitted through the OOBM interface or IPsec tunnel, this is a finding.
Fix Text (F-88318r1203792_fix)
This requirement is not applicable for the DODIN Backbone.
Configure the management-access-filter, as shown in the example below:
- configure system security management-access-filter
- config>system>security>mgmt-access-filter# ip-filter
- config>system>security>mgmt-access-filter>ip-filter# default-action permit
- config>system>security>mgmt-access-filter>ip-filter# entry 10
- config>system>security>mgmt-access-filter>ip-filter>entry# description SSH
- config>system>security>mgmt-access-filter>ip-filter>entry# src-port cpm
- config>system>security>mgmt-access-filter>ip-filter>entry# src-ip 192.168.100.0/24
- config>system>security>mgmt-access-filter>ip-filter>entry# protocol "tcp"
- config>system>security>mgmt-access-filter>ip-filter>entry# dst-port 22
- config>system>security>mgmt-access-filter>ip-filter>entry# action permit
- config>system>security>mgmt-access-filter>ip-filter>entry# log
- config>system>security>mgmt-access-filter>ip-filter>entry# exit+I29
- config>system>security>mgmt-access-filter>ip-filter# entry 20
- config>system>security>mgmt-access-filter>ip-filter>entry# description "snmp"
- config>system>security>mgmt-access-filter>ip-filter>entry# src-port cpm
- config>system>security>mgmt-access-filter>ip-filter>entry# src-ip 192.168.100.0/24
- config>system>security>mgmt-access-filter>ip-filter>entry# protocol "udp"
- config>system>security>mgmt-access-filter>ip-filter>entry# dst-port 161 65535
- config>system>security>mgmt-access-filter>ip-filter>entry# action permit
- config>system>security>mgmt-access-filter>ip-filter>entry# log
- config>system>security>mgmt-access-filter>ip-filter>entry# exit
- config>system>security>mgmt-access-filter>ip-filter# entry 30
- config>system>security>mgmt-access-filter>ip-filter>entry# description "tacacs"
- config>system>security>mgmt-access-filter>ip-filter>entry# src-port cpm
- config>system>security>mgmt-access-filter>ip-filter>entry# src-ip 192.168.100.0/24
- config>system>security>mgmt-access-filter>ip-filter>entry# protocol "tcp"
- config>system>security>mgmt-access-filter>ip-filter>entry# dst-port 49 65535
- config>system>security>mgmt-access-filter>ip-filter>entry# action permit
- config>system>security>mgmt-access-filter>ip-filter>entry# log
- config>system>security>mgmt-access-filter>ip-filter>entry# exit
- config>system>security>mgmt-access-filter>ip-filter# entry 50
- config>system>security>mgmt-access-filter>ip-filter>entry# description "snmp-trap"
- config>system>security>mgmt-access-filter>ip-filter>entry# src-port cpm
- config>system>security>mgmt-access-filter>ip-filter>entry# src-ip 192.168.100.0/24
- config>system>security>mgmt-access-filter>ip-filter>entry# protocol "udp"
- config>system>security>mgmt-access-filter>ip-filter>entry# dst-port 162
- config>system>security>mgmt-access-filter>ip-filter>entry# action permit
- config>system>security>mgmt-access-filter>ip-filter>entry# log
- config>system>security>mgmt-access-filter>ip-filter>entry# exit
- config>system>security>mgmt-access-filter>ip-filter# entry 60
- config>system>security>mgmt-access-filter>ip-filter>entry# description "syslog"
- config>system>security>mgmt-access-filter>ip-filter>entry# src-port cpm
- config>system>security>mgmt-access-filter>ip-filter>entry# src-ip 192.168.100.0/24
- config>system>security>mgmt-access-filter>ip-filter>entry# protocol "udp"
- config>system>security>mgmt-access-filter>ip-filter>entry# action permit
- config>system>security>mgmt-access-filter>ip-filter>entry# dst-port 514
- config>system>security>mgmt-access-filter>ip-filter>entry# action permit
- config>system>security>mgmt-access-filter>ip-filter>entry# log
- config>system>security>mgmt-access-filter>ip-filter>entry# exit
- config>system>security>mgmt-access-filter>ip-filter# entry 70
- config>system>security>mgmt-access-filter>ip-filter>entry# description "icmp"
- config>system>security>mgmt-access-filter>ip-filter>entry# src-port cpm
- config>system>security>mgmt-access-filter>ip-filter>entry# src-ip 192.168.100.0/24
- config>system>security>mgmt-access-filter>ip-filter>entry# protocol "icmp"
- config>system>security>mgmt-access-filter>ip-filter>entry# action permit
- config>system>security>mgmt-access-filter>ip-filter>entry# log
- config>system>security>mgmt-access-filter>ip-filter>entry# exit
- config>system>security>mgmt-access-filter>ip-filter# entry 80
- config>system>security>mgmt-access-filter>ip-filter>entry# description "Deny all"
- config>system>security>mgmt-access-filter>ip-filter>entry# src-port cpm
- config>system>security>mgmt-access-filter>ip-filter>entry# action deny
- config>system>security>mgmt-access-filter>ip-filter>entry# log
- config>system>security>mgmt-access-filter>ip-filter>entry# exit
- config>system>security>mgmt-access-filter>ip-filter# exit
- config>system>security>mgmt-access-filter# exit all