STIGQter: STIG Summary: Router Security Requirements Guide, Version: 4, Release: 2, Benchmark Date: 23 Apr 2021

The PE router must be configured to block any traffic that is destined to IP core infrastructure.

DISA Rule

SV-207139r604135_rule

Vulnerability Number

V-207139

Group Title

SRG-NET-000205

Rule Version

SRG-NET-000205-RTR-000007

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure protection for the IP core to be implemented at the edges by blocking any traffic with a destination address assigned to the IP core infrastructure.

Check Contents

Review the router configuration to verify that an ingress ACL is applied to all CE-facing interfaces.

Verify that the ingress ACL rejects and logs packets destined to the IP core address block.

If the PE router is not configured to block any traffic with a destination address assigned to the IP core infrastructure, this is a finding.

Note: Internet Control Message Protocol (ICMP) echo requests and traceroutes will be allowed to the edge from external adjacent peers.
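
One way to automate this check against a saved configuration, as an added example that is not part of the SRG: it assumes Cisco IOS-style syntax (the SRG itself is vendor-neutral), and the interface names, ACL names and the 10.255.0.0/16 core block are constructed. It reports CE-facing interfaces with no ingress ACL, or whose ACL permits the core block before denying it or denies it without logging.

```python
import ipaddress
import re

# Constructed sample, Cisco IOS-style syntax (assumed); 10.255.0.0/16 stands in for the core block.
SAMPLE = """\
interface Gi0/1
 ip access-group CE_IN in
interface Gi0/2
 ip access-group CE_IN_B in
interface Gi0/3
ip access-list extended CE_IN
 permit icmp host 192.0.2.1 host 192.0.2.2 echo
 deny ip any 10.255.0.0 0.0.255.255 log
 permit ip any any
ip access-list extended CE_IN_B
 permit ip any any
 deny ip any 10.255.0.0 0.0.255.255 log
"""
# Only 'ip any <dest>' entries can decide for the whole block; narrower ones (ICMP echo) are skipped.
ENTRY = re.compile(r" (permit|deny) ip any (any|\d\S* \d\S*)(?: (.*))?$")

def audit(config, ce_interfaces, core_block):
    """Return one finding per CE-facing interface that fails the check."""
    core, ingress, acls, cur = ipaddress.ip_network(core_block), {}, {}, None
    for line in config.splitlines():
        if m := re.match(r"(interface|ip access-list extended) (\S+)", line):
            cur = m.groups()
        elif not line.startswith(" "):
            cur = None  # some other top-level stanza
        elif cur and cur[0] == "interface":
            if m := re.match(r" ip access-group (\S+) in$", line):
                ingress[cur[1]] = m.group(1)
        elif cur and (m := ENTRY.match(line)):
            acls.setdefault(cur[1], []).append(m.groups())
    findings = []
    for ifname in ce_interfaces:
        name = ingress.get(ifname)
        verdict = f"ACL {name} has no deny for the core block" if name else "no ingress ACL applied"
        for action, dest, opts in acls.get(name, []):
            dst = ipaddress.ip_network("0.0.0.0/0" if dest == "any" else dest.replace(" ", "/"))  # wildcard = host mask
            if core.subnet_of(dst):  # first covering entry decides
                if action == "permit":
                    verdict = f"ACL {name} permits the core block before denying it"
                else:
                    verdict = None if "log" in (opts or "").split() else f"ACL {name} denies without logging"
                break
        if verdict:
            findings.append(f"{ifname}: {verdict}")
    return findings
```

The list of CE-facing interfaces is passed in by the reviewer, since the configuration alone does not say which interfaces face customer edge routers.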

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2917

Comments