STIGQter: STIG Summary: Router Security Requirements Guide, Version: 4, Release: 2, Benchmark Date: 23 Apr 2021

The perimeter router must be configured to protect an enclave connected to an alternate gateway by using an inbound filter that only permits packets with destination addresses within the site's address space.

DISA Rule

SV-207113r604135_rule

Vulnerability Number

V-207113

Group Title

SRG-NET-000019

Rule Version

SRG-NET-000019-RTR-000008

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

This requirement is not applicable for the DoDIN Backbone.

Configure the ingress filter of the perimeter router connected to an alternate gateway to only permit packets with destination addresses of the site's NIPRNet address space or a destination address belonging to the address block assigned by the alternate gateway network service provider.

Check Contents

This requirement is not applicable for the DoDIN Backbone.

Review the configuration of each router interface connecting to an alternate gateway.

Verify each permit statement of the ingress filter only permits packets with destination addresses of the site's NIPRNet address space or a destination address belonging to the address block assigned by the alternate gateway network service provider.

If the ingress filter permits packets with destination addresses other than those specified (the site's NIPRNet address space or the address block assigned by the alternate gateway network service provider), this is a finding.
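One way to automate the check above, as an added example that is not part of the STIG or of STIGQter: it walks the entries of an ingress filter and reports every permit whose destination is not wholly inside the allowed blocks. The prefixes (documentation ranges), the simplified rule-line format and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed values (documentation prefixes) standing in for the site's
# NIPRNet address space and the block assigned by the alternate gateway provider.
ALLOWED_DESTINATIONS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed ingress filter in a simplified, vendor-neutral form:
# "<action> <source> <destination>". Real router syntax must be normalised first.
SAMPLE_FILTER = """\
permit any 192.0.2.0/24
permit any 198.51.100.64/26
permit any 192.0.2.0/23
permit any 203.0.113.10/32
permit any any
deny any any
"""


def parse_destination(token):
    """Return the destination as a network; 'any' means every address."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(token)


def audit_ingress_filter(filter_text, allowed):
    """Return (line_number, line) for each permit statement that is a finding."""
    findings = []
    for number, line in enumerate(filter_text.splitlines(), start=1):
        fields = line.split()
        if not fields or fields[0] != "permit":
            continue  # blank lines and deny entries cannot cause this finding
        if len(fields) != 3:
            raise ValueError(f"line {number}: cannot parse {line!r}")
        destination = parse_destination(fields[2])
        # The whole destination range must sit inside one allowed block;
        # a supernet or partial overlap still permits outside addresses.
        if not any(destination.subnet_of(block) for block in allowed):
            findings.append((number, line.strip()))
    return findings


if __name__ == "__main__":
    for number, line in audit_ingress_filter(SAMPLE_FILTER, ALLOWED_DESTINATIONS):
        print(f"finding: line {number}: {line}")
```

The check is deliberately conservative: a permit whose destination spans two adjacent allowed blocks is still reported and needs manual review.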

Documentable

False

Severity Override Guidance

This requirement is not applicable for the DoDIN Backbone.

Review the configuration of each router interface connecting to an alternate gateway.

Verify each permit statement of the ingress filter only permits packets with destination addresses of the site's NIPRNet address space or a destination address belonging to the address block assigned by the alternate gateway network service provider.

If the ingress filter permits packets with destination addresses other than those specified (the site's NIPRNet address space or the address block assigned by the alternate gateway network service provider), this is a finding.

Check Content Reference

M

Target Key

2917
