STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Cisco perimeter router must be configured to only allow incoming communications from authorized sources to be routed to authorized destinations.

DISA Rule

SV-216754r531087_rule

Vulnerability Number

V-216754

Group Title

SRG-NET-000364-RTR-000109

Rule Version

CISC-RT-000260

Severity

CAT II

CCI(s)

• CCI-002403 - The information system only allows incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.

Weight

10

Fix Recommendation

This requirement is not applicable for the DODIN Backbone.

Configure the router to allow only incoming communications from authorized sources to be routed to authorized destinations.

RP/0/0/CPU0:R3(config)#ipv4 access-list EXTERNAL_ACL_INBOUND
…
…
…
RP/0/0/CPU0:R3(config-ipv4-acl)#permit udp host x.12.1.9 host x.12.1.21 eq ntp
RP/0/0/CPU0:R3(config-ipv4-acl)#permit tcp any any established
RP/0/0/CPU0:R3(config-ipv4-acl)#deny ip any any log-input
RP/0/0/CPU0:R3(config-ipv4-acl)#exit

Check Contents

This requirement is not applicable for the DODIN Backbone.

Review the router configuration to determine if the router allows only incoming communications from authorized sources to be routed to authorized destinations. The hypothetical example below allows inbound NTP from server x.1.12.9 only to host x.12.1.21.

ipv4 access-list EXTERNAL_ACL_INBOUND
…
…
…
60 permit udp host x.12.1.9 host x.12.1.21 eq ntp
70 permit tcp any any established
80 deny ipv4 any any log-input

If the router does not restrict incoming communications to allow only authorized sources and destinations, this is a finding.

Vulnerability Number

V-216754

Documentable

False

Rule Version

CISC-RT-000260

Severity Override Guidance

This requirement is not applicable for the DODIN Backbone.

Review the router configuration to determine if the router allows only incoming communications from authorized sources to be routed to authorized destinations. The hypothetical example below allows inbound NTP from server x.1.12.9 only to host x.12.1.21.

ipv4 access-list EXTERNAL_ACL_INBOUND
…
…
…
60 permit udp host x.12.1.9 host x.12.1.21 eq ntp
70 permit tcp any any established
80 deny ipv4 any any log-input

If the router does not restrict incoming communications to allow only authorized sources and destinations, this is a finding.

Check Content Reference

M

Target Key

4029

Comments