STIGQter: STIG Summary: Cisco IOS XR Router NDM Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021

The Cisco router must be configured to prohibit the use of all unnecessary and nonsecure functions and services.

DISA Rule

SV-216529r531088_rule

Vulnerability Number

V-216529

Group Title

SRG-APP-000142-NDM-000245

Rule Version

CISC-ND-000470

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Disable the following services if enabled as shown in the example below.

RP/0/0/CPU0:R3(config)#no service ipv4 tcp-small-servers
RP/0/0/CPU0:R3(config)#no service ipv4 udp-small-servers
RP/0/0/CPU0:R3(config)#no http client vrf xxxxx
RP/0/0/CPU0:R3(config)#no telnet ipv4 server

Check Contents

Verify that the router does not have any unnecessary or non-secure ports, protocols and services enabled. For example, the following commands should not be in the configuration:

service ipv4 tcp-small-servers max-servers 10
service ipv4 udp-small-servers max-servers 10
http client vrf xxxxx
telnet vrf default ipv4 server max-servers 1

If any unnecessary or non-secure ports, protocols, or services are enabled, this is a finding.
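The check above can be automated against a saved running-config. The following is an added example, not part of the STIG text: the function names and the sample configuration are constructed for illustration, and matching `ipv6` variants alongside the `ipv4` lines listed above is an assumption that goes beyond the commands this rule names.

```python
import re

# Command stems taken from the check text. The VRF name and max-servers
# value vary per device, so only the stem is matched.
# Assumption: ipv6 forms of the same commands are treated as findings too.
PROHIBITED = {
    "tcp-small-servers": re.compile(r"^service ipv[46] tcp-small-servers\b"),
    "udp-small-servers": re.compile(r"^service ipv[46] udp-small-servers\b"),
    "http client": re.compile(r"^http client vrf \S+"),
    "telnet server": re.compile(r"^telnet (vrf \S+ )?ipv[46] server\b"),
}


def find_prohibited(config_text):
    """Return [(line_no, service, line)] for each enabled prohibited service."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        # Skip blanks, '!' comment lines and negated ('no ...') commands.
        if not line or line.startswith("!") or line.startswith("no "):
            continue
        for service, pattern in PROHIBITED.items():
            if pattern.search(line):
                findings.append((line_no, service, line))
    return findings


def is_finding(config_text):
    """True when the configuration would be reported as a finding."""
    return bool(find_prohibited(config_text))


# Constructed sample running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
hostname R3
service ipv4 tcp-small-servers max-servers 10
! service ipv4 udp-small-servers max-servers 10
telnet vrf default ipv4 server max-servers 1
http client vrf MGMT
ssh server v2
"""

if __name__ == "__main__":
    for line_no, service, line in find_prohibited(SAMPLE_CONFIG):
        print(f"FINDING line {line_no}: {service}: {line}")
```
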

Documentable

False

Severity Override Guidance

Verify that the router does not have any unnecessary or non-secure ports, protocols and services enabled. For example, the following commands should not be in the configuration:

service ipv4 tcp-small-servers max-servers 10
service ipv4 udp-small-servers max-servers 10
http client vrf xxxxx
telnet vrf default ipv4 server max-servers 1

If any unnecessary or non-secure ports, protocols, or services are enabled, this is a finding.

Check Content Reference

M

Target Key

4023
