STIGQter STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 24 Jan 2020: The Cisco PE router must be configured to block any traffic that is destined to IP core infrastructure.

DISA Rule

SV-105947r1_rule

Vulnerability Number

V-96809

Group Title

SRG-NET-000205-RTR-000007

Rule Version

CISC-RT-000730

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure protection for the IP core to be implemented at the edges by blocking any traffic with a destination address assigned to the IP core infrastructure.

Step 1: Configure an ingress ACL to discard and log packets destined to the IP core address space.

RP/0/0/CPU0:R3(config)#Ipv4 access-list BLOCK_TO_CORE
RP/0/0/CPU0:R3(config-ipv4-acl)#deny tcp any any eq tacacs log-input
RP/0/0/CPU0:R3(config-ipv4-acl)#deny ipv4 any 10.1.x.0 0.0.255.255 log-input
RP/0/0/CPU0:R3(config-ipv4-acl)#end

Step 2: Apply the ACL inbound to all external or CE-facing interfaces.

RP/0/0/CPU0:R3(config)#int g1/1/0/0
RP/0/0/CPU0:R3(config-if)#ipv4 access-group BLOCK_TO_CORE in
RP/0/0/CPU0:R3(config-if)#end

Check Contents

Step 1: Review the router configuration to verify that an ingress ACL is applied to all external or CE-facing interfaces.

interface GigabitEthernet1/1/0/0
ipv4 address x.1.12.2 255.255.255.252
ipv4 access-group BLOCK_TO_CORE ingress

Step 2: Verify that the ingress ACL discards and logs packets destined to the IP core address space.

Ipv4 access-list BLOCK_TO_CORE
10 deny ipv4 any 10.1.x.0 0.0.255.255 log-input
20 permit ipv4 any any
!

If the PE router is not configured to block any traffic with a destination address assigned to the IP core infrastructure, this is a finding.

Note: Internet Control Message Protocol (ICMP) echo requests and traceroutes will be allowed to the edge from external adjacent neighbors.

Vulnerability Number

V-96809

Documentable

False

Rule Version

CISC-RT-000730

Severity Override Guidance

Step 1: Review the router configuration to verify that an ingress ACL is applied to all external or CE-facing interfaces.

interface GigabitEthernet1/1/0/0
ipv4 address x.1.12.2 255.255.255.252
ipv4 access-group BLOCK_TO_CORE ingress

Step 2: Verify that the ingress ACL discards and logs packets destined to the IP core address space.

Ipv4 access-list BLOCK_TO_CORE
10 deny ipv4 any 10.1.x.0 0.0.255.255 log-input
20 permit ipv4 any any
!

If the PE router is not configured to block any traffic with a destination address assigned to the IP core infrastructure, this is a finding.

Note: Internet Control Message Protocol (ICMP) echo requests and traceroutes will be allowed to the edge from external adjacent neighbors.

Check Content Reference

M

Target Key

3481

Comments