STIGQter: STIG Summary: Cisco IOS XR Router NDM Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021

The Cisco router must be configured to implement cryptographic mechanisms to protect the confidentiality of remote maintenance sessions.

DISA Rule

SV-216542r531088_rule

Vulnerability Number

V-216542

Group Title

SRG-APP-000412-NDM-000331

Rule Version

CISC-ND-001210

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure the router to use SSH version 2 as shown in the example below.

RP/0/0/CPU0:R3(config)#ssh server v2

Check Contents

Review the router configuration to verify that SSH version 2 is configured as shown in the example below.

ssh server v2

Note: IOS XR supports SSHv1 and SSHv2. The AES encryption algorithm is supported on the SSHv2 server and client, but not on the SSHv1 server and client. Any requests for an AES cipher sent by an SSHv2 client to an SSHv1 server are ignored, with the server using 3DES instead. The cipher preference for the SSH server follows the order AES128, AES192, AES256, and, finally, 3DES. The server rejects any requests by the client for an unsupported cipher, and the SSH session does not proceed.

If the router is configured to implement SSH version 1, this is a finding.
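As an added illustration that is not part of the STIG text, the following Python function applies the check above to a saved IOS XR running configuration and records the result against this rule; the sample configurations, the function name and the hostnames are constructed for this example.

```python
import re

# Constructed sample running configurations (not taken from the STIG).
COMPLIANT_CONFIG = """\
!! IOS XR Configuration
hostname R3
ssh server v2
ssh server vrf default
end
"""

NONCOMPLIANT_CONFIG = """\
!! IOS XR Configuration
hostname R4
ssh server vrf default
end
"""

# 'ssh server v2' is a global command, so match it as a whole line.
SSH_V2_RE = re.compile(r"^\s*ssh\s+server\s+v2\s*$", re.MULTILINE)
HOSTNAME_RE = re.compile(r"^\s*hostname\s+(\S+)\s*$", re.MULTILINE)


def check_cisc_nd_001210(running_config: str) -> dict:
    """Evaluate CISC-ND-001210 (V-216542, CAT I) against one IOS XR config.

    Per the check text the control is met when 'ssh server v2' is present.
    Without that line the IOS XR SSH server is assumed (assumption, not
    stated on the page) to still accept SSHv1 clients, so its absence is
    recorded as a finding, matching the STIG's "this is a finding" rule.
    """
    host_match = HOSTNAME_RE.search(running_config)
    hostname = host_match.group(1) if host_match else "<unknown>"
    configured = SSH_V2_RE.search(running_config) is not None
    return {
        "rule": "CISC-ND-001210",
        "vuln_id": "V-216542",
        "severity": "CAT I",
        "host": hostname,
        "finding": not configured,
        "detail": ("ssh server v2 is configured" if configured
                   else "ssh server v2 is not configured; SSHv1 may be accepted"),
    }


if __name__ == "__main__":
    for cfg in (COMPLIANT_CONFIG, NONCOMPLIANT_CONFIG):
        r = check_cisc_nd_001210(cfg)
        print(f"{r['host']}: finding={r['finding']} ({r['detail']})")
```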

Severity Override Guidance


Check Content Reference

M

Target Key

4023

Comments