STIGQter STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 24 Jan 2020: The Cisco perimeter router must be configured to only allow incoming communications from authorized sources to be routed to authorized destinations.

DISA Rule

SV-105853r1_rule

Vulnerability Number

V-96715

Group Title

SRG-NET-000364-RTR-000109

Rule Version

CISC-RT-000260

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

This requirement is not applicable for the DODIN Backbone.

Configure the router to allow only incoming communications from authorized sources to be routed to authorized destinations.

RP/0/0/CPU0:R3(config)#ipv4 access-list EXTERNAL_ACL_INBOUND



RP/0/0/CPU0:R3(config-ipv4-acl)#permit udp host x.12.1.9 host x.12.1.21 eq ntp
RP/0/0/CPU0:R3(config-ipv4-acl)#permit tcp any any established
RP/0/0/CPU0:R3(config-ipv4-acl)#deny ip any any log-input
RP/0/0/CPU0:R3(config-ipv4-acl)#exit

Check Contents

This requirement is not applicable for the DODIN Backbone.

Review the router configuration to determine if the router allows only incoming communications from authorized sources to be routed to authorized destinations. The hypothetical example below allows inbound NTP from server x.1.12.9 only to host x.12.1.21.

ipv4 access-list EXTERNAL_ACL_INBOUND



60 permit udp host x.12.1.9 host x.12.1.21 eq ntp
70 permit tcp any any established
80 deny ipv4 any any log-input

If the router does not restrict incoming communications to allow only authorized sources and destinations, this is a finding.

Vulnerability Number

V-96715

Documentable

False

Rule Version

CISC-RT-000260

Severity Override Guidance

This requirement is not applicable for the DODIN Backbone.

Review the router configuration to determine if the router allows only incoming communications from authorized sources to be routed to authorized destinations. The hypothetical example below allows inbound NTP from server x.1.12.9 only to host x.12.1.21.

ipv4 access-list EXTERNAL_ACL_INBOUND



60 permit udp host x.12.1.9 host x.12.1.21 eq ntp
70 permit tcp any any established
80 deny ipv4 any any log-input

If the router does not restrict incoming communications to allow only authorized sources and destinations, this is a finding.

Check Content Reference

M

Target Key

3481

Comments