Management protocol scanning

../../_images/sec-mgmt-protocol.png

This task checks that management protocols are unavailable at customer ports and that users are prevented from interfering with equipment management. Network equipment must ignore incoming management traffic from customer ports.

References

The test performed conforms to SAVI section 3.1.7.

Impact

MITM, DoS, Abuse

Test procedure

  1. Customer runs a TCP SYN scan for all addresses on standard ports for FTP, SSH, Telnet, HTTP, and HTTPS.

  2. Customer attempts an SNMP Get, a Ping Request, and an NTP Get for all management addresses.

Fail criteria

  • One of the TCP ports is listening for traffic.

  • Customer receives an answer to an SNMP Get, Ping Request, or NTP Get.

Parameters

General

  • Customer: A Test Agent interface acting as a customer.

  • Management IPs: IP addresses used to manage equipment, separated by commas.