STIGQter: STIG Summary: Router Security Requirements Guide Version: 4 Release: 2 Benchmark Date: 23 Apr 2021

The router must be configured to only permit management traffic that ingresses and egresses the OOBM interface.

DISA Rule

SV-207144r604135_rule

Vulnerability Number

V-207144

Group Title

SRG-NET-000205

Rule Version

SRG-NET-000205-RTR-000012

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

If the management interface is a routed interface, it must be configured with both an ingress and egress ACL.

Check Contents

Step 1: Verify that the management interface has an inbound and outbound ACL configured.

Step 2: Verify that the ingress filter only allows management, IGP, and ICMP traffic.

Caveat: If the management interface is a true OOBM interface, this requirement is not applicable.

If the router does not restrict traffic that ingresses and egresses the management interface, this is a finding.
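The two check steps can be automated against a saved configuration. The following is an added example, not part of the SRG: it assumes Cisco IOS-style syntax (`ip access-group`, `ip access-list extended`), and the function names and both allow-lists are hypothetical choices that a site would replace with its own definition of management and IGP traffic.

```python
import re

# Assumption: site policy defines "management, IGP, and ICMP"; adjust both sets.
ALLOWED_PROTOCOLS = {"icmp", "ospf", "eigrp"}
ALLOWED_PORTS = {("tcp", "22"), ("tcp", "49"), ("udp", "123"), ("udp", "161")}

SAMPLE = """\
interface GigabitEthernet0/1
 ip access-group MGMT_IN in
 ip access-group MGMT_OUT out
interface GigabitEthernet0/2
 ip access-group LOOSE_IN in
ip access-list extended MGMT_IN
 permit tcp 10.10.20.0 0.0.0.255 any eq 22
 permit ospf any any
 deny ip any any log
ip access-list extended LOOSE_IN
 permit tcp any any eq 80
 permit icmp any any
"""  # constructed IOS-style excerpt, not from the SRG; MGMT_OUT body omitted

def parse(config):
    bindings, acls, section = {}, {}, None  # interface -> {dir: acl}, acl -> entries
    for raw in config.splitlines():
        line = raw.strip()
        top = re.match(r"(interface|ip access-list extended) (\S+)$", line)
        bind = re.match(r"ip access-group (\S+) (in|out)$", line)
        if not raw[:1].isspace():  # an unindented line opens a new section
            section = top.groups() if top else None
        elif section and section[0] == "interface" and bind:
            bindings.setdefault(section[1], {})[bind.group(2)] = bind.group(1)
        elif section and section[0] != "interface":
            acls.setdefault(section[1], []).append(line)
    return bindings, acls

def entry_allowed(entry):
    tokens = entry.split()
    if tokens[0] != "permit" or tokens[1] in ALLOWED_PROTOCOLS:
        return True  # deny/remark entries never widen access
    port = re.search(r" eq (\d+)(?: log)?$", entry)  # trailing numeric port only
    return bool(port) and (tokens[1], port.group(1)) in ALLOWED_PORTS

def check(config, interface):
    """Return findings for one management interface; an empty list passes."""
    bindings, acls = parse(config)
    bound = bindings.get(interface, {})
    missing = [f"{interface}: no {d}bound ACL" for d in ("in", "out") if d not in bound]
    loose = [e for e in acls.get(bound.get("in"), []) if not entry_allowed(e)]
    return missing + [f"{bound['in']}: not management/IGP/ICMP: {e}" for e in loose]
```

Permit entries that use named ports, port ranges, or `permit ip` are reported rather than guessed at, so each reported line needs manual review before it is recorded as a finding.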

Documentable

False

Severity Override Guidance

Step 1: Verify that the management interface has an inbound and outbound ACL configured.

Step 2: Verify that the ingress filter only allows management, IGP, and ICMP traffic.

Caveat: If the management interface is a true OOBM interface, this requirement is not applicable.

If the router does not restrict traffic that ingresses and egresses the management interface, this is a finding.

Check Content Reference

M

Target Key

2917
