Rule ID
SV-283838r1203763_rule
Version
V1R1
CCIs
The use of Plain Old Telephone Service (POTS) lines to modems connecting to network devices provides clear text of authentication traffic over commercial circuits that could be captured and used to compromise the network. Additional war dial attacks on the device could degrade the device and the production network. Secured modem devices must be able to authenticate users and must negotiate a key exchange before full encryption takes place. The modem will provide full encryption capability (Triple DES) or stronger. The technician who manages these devices will be authenticated using a key fob and granted access to the appropriate maintenance port; thus, the technician will gain access to the managed device (router, switch, etc.). The token provides a method of strong (two-factor) user authentication. The token works in conjunction with a server to generate one-time user passwords that will change values at second intervals. The user must know a personal identification number (PIN) and possess the token to be allowed access to the device.
Review the configuration and verify Bluetooth is powered off and the auxiliary port is disabled unless a secured modem providing encryption and authentication is connected to it. Use the command below and verify "Power State" is set to "off": - show system bluetooth | match "Power State" Power State : off Pairing Button : Disabled If the power state is not set to "off", this is a finding. Use the command below to verify the auxiliary/management port "Admin State" is down: - show port A/3 | match "Admin State" Admin State : down Oper Duplex : N/A If the auxiliary port is not disabled or is not connected to a secured modem when it is enabled, this is a finding.
Disable the auxiliary port and disable Bluetooth using the following commands. - configure port A/3 shutdown - configure system bluetooth power off If used for out-of-band administrative access, the port must be connected to a secured modem providing encryption and authentication.