The RUCKUS ICX out-of-band management (OOBM) gateway router must be configured to forward only authorized management traffic to the Network Operations Center (NOC).
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-273614 | RCKS-RTR-000470 | SV-273614r1110925_rule | Medium |
| Description |
| STIG | Date |
| RUCKUS ICX Router Security Technical Implementation Guide | 2025-06-03 |
Details
| Check Text (C-77705r1109862_chk) |
| This requirement is not applicable for the DODIN Backbone. Review the network topology diagram to determine connectivity between the managed network and the NOC. Review the OOBM gateway router configuration to validate the path the management traffic traverses. Verify only management traffic is forwarded through the OOBM interface or IPsec tunnel. If an OOBM link is used, verify the only authorized management traffic is transported to the NOC by reviewing the outbound ACL applied to the OOBM interface as shown in the example below: 1. Note the outbound ACL applied to the OOBM interface. interface ethernet 1/1/1 port-name OOBM-to-NOC ip access-group MGMT_TRAFFIC_ACL out logging enable ! 2. Review the outbound ACL and verify only management traffic is forwarded to the NOC. ip access-list extended MGMT_TRAFFIC_ACL sequence 10 permit tcp x.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq radius sequence 20 permit tcp x.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq ssh sequence 30 permit udp x.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq snmp sequence 40 permit udp x.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq shell sequence 50 permit icmp x.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 sequence 60 deny ip any any log ! If traffic other than authorized management traffic is permitted through the OOBM interface, this is a finding. |
| Fix Text (F-77610r1109863_fix) |
| This requirement is not applicable for the DODIN Backbone. Configure filters based on port, source IP address, and destination IP address to permit only authorized management traffic into IPsec tunnels or the OOBM interface used for forwarding management data. 1. Configure ACLs. ICX(config)#ip access-list ext MGMT_TRAFFIC_ACL ICX(config-ext-ipacl-MGMT_TRAFFIC_ACL)#permit tcp x.1.34.0/24 10.22.2.0/24 eq radius ICX(config-ext-ipacl-MGMT_TRAFFIC_ACL)#permit tcp x.1.34.0/24 10.22.2.0/24 eq ssh ICX(config-ext-ipacl-MGMT_TRAFFIC_ACL)#permit udp x.1.34.0/24 10.22.2.0/24 eq snmp ICX(config-ext-ipacl-MGMT_TRAFFIC_ACL)#permit udp x.1.34.0/24 10.22.2.0/24 eq snmp-t ICX(config-ext-ipacl-MGMT_TRAFFIC_ACL)#permit udp x.1.34.0/24 10.22.2.0/24 eq syslog ICX(config-ext-ipacl-MGMT_TRAFFIC_ACL)#permit icmp x.1.34.0/24 10.22.2.0/24 ICX(config-ext-ipacl-MGMT_TRAFFIC_ACL)#deny ip any any log 2. Apply the ACL to the appropriate interface(s). ICX(config)#interface ethernet 1/1/1 ICX(config-if-e10000-1/1/1)#ip access-group MGMT_TRAFFIC_ACL out logging enable |