Details
The ‘access-class’ setting restricts incoming and outgoing connections between a particular vty (into a Cisco device) and the networking devices associated with addresses in an access list.
Rationale:
Restricting remote access to the network devices whose addresses are on the access list limits access to those devices authorized to manage the device and reduces the risk of unauthorized access.
Impact:
Applying ‘access-class’ to line VTY further restricts remote access to only those devices authorized to manage the device and reduces the risk of unauthorized access. Conversely, using VTY lines without ‘access-class’ restrictions increases the risk of unauthorized access.
Solution
Configure remote management access control restrictions for all VTY lines.
hostname(config)#line vty <line-number> <ending-line-number>
hostname(config-line)#access-class <vty_acl_number> in
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Cisco.