STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated 1 hour ago
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Nokia Service Router OS 25.x Router Security Technical Implementation Guide

V-283848

CAT II (Medium)

The Nokia out-of-band management (OOBM) gateway router must be configured to forward only authorized management traffic to the Network Operations Center (NOC).

Rule ID

SV-283848r1203793_rule

STIG

Nokia Service Router OS 25.x Router Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-001097

Discussion

The OOBM network is an IP network used exclusively for the transport of Operations, Administration, Maintenance, and Provisioning (OAM&P) data from the network being managed to the Operational Support Systems (OSS) components located at the NOC. Its design provides connectivity to each managed network device, enabling network management traffic to flow between the managed network elements and the NOC. This allows the use of paths separate from those used by the managed network.

Check Content

This requirement is not applicable for the DODIN Backbone.

Review the network topology diagram to determine connectivity between the managed network and the NOC.

Verify the management-access-filter, as shown in the example below: 

- show system security management-access-filter ip-filter

IPv4 Management Access Filter

filter type    : ip
Def. Action    : permit
Admin Status   : enabled (no shutdown)
-------------------------------------------------------------------------------
Entry          : 10
Description    : SSH
Src-ip         : 192.168.100.0/24
Mgmt-port      : cpm
Protocol       : tcp
Dst-port       : 22
Src-port       : undefined
Router-instance: undefined
Action         : permit
Log            : enabled
Matches        : 0
-------------------------------------------------------------------------------
Entry          : 20
Description    : snmp
Src-ip         : 192.168.100.0/24
Mgmt-port      : cpm
Protocol       : udp
Dst-port       : 161
Src-port       : undefined
Router-instance: undefined
Action         : permit
Log            : enabled
Matches        : 0
-------------------------------------------------------------------------------
Entry          : 30
Description    : tacacs
Src-ip         : 192.168.100.10/32
Mgmt-port      : cpm
Protocol       : tcp
Dst-port       : 49
Src-port       : undefined
Router-instance: undefined
Action         : permit
Log            : enabled
Matches        : 0
-------------------------------------------------------------------------------
Entry          : 50
Description    : snmp-trap
Src-ip         : 192.168.100.0/24
Mgmt-port      : cpm
Protocol       : udp
Dst-port       : 162
Src-port       : undefined
Router-instance: undefined
Action         : permit
Log            : enabled
Matches        : 0
-------------------------------------------------------------------------------
Entry          : 60
Description    : syslog
Src-ip         : 192.168.100.0/24
Mgmt-port      : cpm
Protocol       : udp
Dst-port       : 514
Src-port       : undefined
Router-instance: undefined
Action         : permit
Log            : enabled
Matches        : 0
-------------------------------------------------------------------------------
Entry          : 70
Description    : icmp
Src-ip         : 192.168.100.0/24
Mgmt-port      : cpm
Protocol       : icmp
Dst-port       : undefined
Src-port       : undefined
Router-instance: undefined
Action         : permit
Log            : enabled
Matches        : 0
-------------------------------------------------------------------------------
Entry          : 80
Description    : Deny all
Src-ip         : undefined
Mgmt-port      : cpm
Protocol       : undefined
Dst-port       : undefined
Src-port       : undefined
Router-instance: undefined
Action         : deny
Log            : enabled
Matches        : 0

If traffic other than authorized management traffic is permitted through the OOBM interface or IPsec tunnel, this is a finding.

Fix Text

This requirement is not applicable for the DODIN Backbone.

Configure the management-access-filter, as shown in the example below:

- configure system security management-access-filter
- config>system>security>mgmt-access-filter# ip-filter
- config>system>security>mgmt-access-filter>ip-filter# default-action permit
- config>system>security>mgmt-access-filter>ip-filter# entry 10
- config>system>security>mgmt-access-filter>ip-filter>entry# description SSH
- config>system>security>mgmt-access-filter>ip-filter>entry# src-port cpm
- config>system>security>mgmt-access-filter>ip-filter>entry# src-ip 192.168.100.0/24
- config>system>security>mgmt-access-filter>ip-filter>entry# protocol "tcp"
- config>system>security>mgmt-access-filter>ip-filter>entry# dst-port 22
- config>system>security>mgmt-access-filter>ip-filter>entry# action permit
- config>system>security>mgmt-access-filter>ip-filter>entry# log
- config>system>security>mgmt-access-filter>ip-filter>entry# exit+I29
- config>system>security>mgmt-access-filter>ip-filter# entry 20
- config>system>security>mgmt-access-filter>ip-filter>entry# description "snmp"
- config>system>security>mgmt-access-filter>ip-filter>entry# src-port cpm
- config>system>security>mgmt-access-filter>ip-filter>entry# src-ip 192.168.100.0/24
- config>system>security>mgmt-access-filter>ip-filter>entry# protocol "udp"
- config>system>security>mgmt-access-filter>ip-filter>entry# dst-port 161 65535
- config>system>security>mgmt-access-filter>ip-filter>entry# action permit
- config>system>security>mgmt-access-filter>ip-filter>entry# log
- config>system>security>mgmt-access-filter>ip-filter>entry# exit
- config>system>security>mgmt-access-filter>ip-filter# entry 30
- config>system>security>mgmt-access-filter>ip-filter>entry# description "tacacs"
- config>system>security>mgmt-access-filter>ip-filter>entry# src-port cpm
- config>system>security>mgmt-access-filter>ip-filter>entry# src-ip 192.168.100.0/24
- config>system>security>mgmt-access-filter>ip-filter>entry# protocol "tcp"
- config>system>security>mgmt-access-filter>ip-filter>entry# dst-port 49 65535
- config>system>security>mgmt-access-filter>ip-filter>entry# action permit
- config>system>security>mgmt-access-filter>ip-filter>entry# log
- config>system>security>mgmt-access-filter>ip-filter>entry# exit
- config>system>security>mgmt-access-filter>ip-filter# entry 50
- config>system>security>mgmt-access-filter>ip-filter>entry# description "snmp-trap"
- config>system>security>mgmt-access-filter>ip-filter>entry# src-port cpm
- config>system>security>mgmt-access-filter>ip-filter>entry# src-ip 192.168.100.0/24
- config>system>security>mgmt-access-filter>ip-filter>entry# protocol "udp"
- config>system>security>mgmt-access-filter>ip-filter>entry# dst-port 162
- config>system>security>mgmt-access-filter>ip-filter>entry# action permit
- config>system>security>mgmt-access-filter>ip-filter>entry# log
- config>system>security>mgmt-access-filter>ip-filter>entry# exit
- config>system>security>mgmt-access-filter>ip-filter# entry 60
- config>system>security>mgmt-access-filter>ip-filter>entry# description "syslog"
- config>system>security>mgmt-access-filter>ip-filter>entry# src-port cpm
- config>system>security>mgmt-access-filter>ip-filter>entry# src-ip 192.168.100.0/24
- config>system>security>mgmt-access-filter>ip-filter>entry# protocol "udp"                                        
- config>system>security>mgmt-access-filter>ip-filter>entry# action permit
- config>system>security>mgmt-access-filter>ip-filter>entry# dst-port 514
- config>system>security>mgmt-access-filter>ip-filter>entry# action permit
- config>system>security>mgmt-access-filter>ip-filter>entry# log
- config>system>security>mgmt-access-filter>ip-filter>entry# exit
- config>system>security>mgmt-access-filter>ip-filter# entry 70
- config>system>security>mgmt-access-filter>ip-filter>entry#  description "icmp"
- config>system>security>mgmt-access-filter>ip-filter>entry# src-port cpm
- config>system>security>mgmt-access-filter>ip-filter>entry# src-ip 192.168.100.0/24
- config>system>security>mgmt-access-filter>ip-filter>entry# protocol "icmp"
- config>system>security>mgmt-access-filter>ip-filter>entry# action permit
- config>system>security>mgmt-access-filter>ip-filter>entry# log
- config>system>security>mgmt-access-filter>ip-filter>entry# exit
- config>system>security>mgmt-access-filter>ip-filter# entry 80
- config>system>security>mgmt-access-filter>ip-filter>entry# description "Deny all"
- config>system>security>mgmt-access-filter>ip-filter>entry# src-port cpm
- config>system>security>mgmt-access-filter>ip-filter>entry# action deny
- config>system>security>mgmt-access-filter>ip-filter>entry# log
- config>system>security>mgmt-access-filter>ip-filter>entry# exit
- config>system>security>mgmt-access-filter>ip-filter# exit
- config>system>security>mgmt-access-filter# exit all