Network Device Management Rules : Ensuring nonlocal maintenance is restricted
Rule Title: Applications used for nonlocal maintenance sessions must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.
STIG ID: RICX-DM-000134
Rule ID: SV-77471r1_rule
Severity: CAT II
Vuln ID: V-62981
Class: Unclass
This security issue requires the use of secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instead of HTTP. If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to manipulation, potentially allowing alteration and hijacking of maintenance sessions.
Verifying nonlocal maintenance is restricted
Verify that RiOS is configured to implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.
1. Connect to the CLI and enter these commands:
enable
show configuration full
2. Press the space bar to scroll through the configuration and verify that these commands are listed:
no telnet-server enable
ssh server enable
web enable
no web http enable
web https enable
If any one of the above settings is missing from the configuration, this is a security vulnerability finding.
Configuring the system so that nonlocal maintenance is restricted
Configure RiOS to implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.
Connect to the CLI and enter these commands:
enable
config terminal
no telnet-server enable
ssh server enable
ssh server allowed-cyphers aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr
web enable
no web http enable
web https enable
write memory
exit
exit
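The verify and configure steps above can be automated against a saved copy of the "show configuration full" output. The following Python script is an added example, not part of the STIG text or any Riverbed tooling: it normalises the configuration lines, reports which of the five required settings are absent, and emits only the remediation commands needed for the missing ones, wrapped in the enable / config terminal / write memory / exit sequence from the configure step. The sample configuration is constructed for the example; the function names are this script's own.

```python
import re

# The five settings the verify step requires to appear in
# "show configuration full" (taken from the rule text).
REQUIRED_LINES = (
    "no telnet-server enable",
    "ssh server enable",
    "web enable",
    "no web http enable",
    "web https enable",
)

# Wrapper commands from the configure step; the remediation commands
# themselves are the same strings as the required lines.
REMEDIATION_PREFIX = ("enable", "config terminal")
REMEDIATION_SUFFIX = ("write memory", "exit", "exit")

# Constructed sample output (not a real appliance dump): telnet is still
# on and plain HTTP management is still enabled.
SAMPLE_CONFIG = """\
## Constructed sample configuration
   ssh server enable
   telnet-server enable
   web enable
   web http enable
   web https enable
"""


def normalize(line: str) -> str:
    # Collapse runs of whitespace so indented or padded lines such as
    # "   ssh   server enable" still match "ssh server enable".
    return re.sub(r"\s+", " ", line).strip()


def parse_config(config_text: str) -> set:
    # Return the set of normalised, non-comment configuration lines.
    lines = set()
    for raw in config_text.splitlines():
        line = normalize(raw)
        if not line or line.startswith("#"):
            continue
        lines.add(line)
    return lines


def find_missing(config_text: str) -> list:
    # Required settings that do not appear verbatim in the configuration,
    # in the order the rule lists them. Any non-empty result is a finding.
    present = parse_config(config_text)
    return [req for req in REQUIRED_LINES if req not in present]


def remediation_commands(config_text: str) -> list:
    # Build the CLI sequence that applies only the missing settings.
    # An empty list means the device already passes the check.
    missing = find_missing(config_text)
    if not missing:
        return []
    return [*REMEDIATION_PREFIX, *missing, *REMEDIATION_SUFFIX]


if __name__ == "__main__":
    missing = find_missing(SAMPLE_CONFIG)
    if missing:
        print("Finding: missing settings ->", missing)
        print("Remediation commands:")
        for cmd in remediation_commands(SAMPLE_CONFIG):
            print("  " + cmd)
    else:
        print("Configuration satisfies RICX-DM-000134")
```

The check is deliberately literal: a device that shows "telnet-server enable" rather than "no telnet-server enable" is reported as missing the required line, which is how the rule's verify step treats it. The "ssh server allowed-cyphers" line from the configure step is not one of the five checked settings, so the generator leaves that cipher selection to the operator rather than emitting it automatically.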