STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Cisco perimeter router must be configured to not be a Border Gateway Protocol (BGP) peer to an alternate gateway service provider.

DISA Rule

SV-216757r531087_rule

Vulnerability Number

V-216757

Group Title

SRG-NET-000019-RTR-000009

Rule Version

CISC-RT-000290

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

This requirement is not applicable for the DODIN Backbone.

Remove any BGP neighbors belonging to the alternate gateway service provider and configure a static route to forward Internet-bound traffic to the alternate gateway, as shown in the example below.

R5(config)#ip route 0.0.0.0 0.0.0.0 x.22.1.14

Check Contents

This requirement is not applicable for the DODIN Backbone.

Step 1: Configure the ingress ACL of the perimeter router connected to an alternate gateway to only permit packets with destination addresses of the site's NIPRNet address space or a destination address belonging to the address block assigned by the alternate gateway network service provider as shown in the example below.

RP/0/0/CPU0:R2(config)#ip access-list ISP_ACL_INBOUND
RP/0/0/CPU0:R2(config-ipv4-acl)# permit tcp any any established
RP/0/0/CPU0:R2(config-ipv4-acl)# permit icmp host x.12.1.16 host x.12.1.17 echo
RP/0/0/CPU0:R2(config-ipv4-acl)# permit icmp host x.12.1.16 host x.12.1.17 echo-reply
RP/0/0/CPU0:R2(config-ipv4-acl)# permit tcp any host x.12.1.22 eq www
RP/0/0/CPU0:R2(config-ipv4-acl)# permit tcp any host x.12.1.23 eq www
RP/0/0/CPU0:R2(config-ipv4-acl)# permit 50 any host x.12.1.24
RP/0/0/CPU0:R2(config-ipv4-acl)# permit 51 any host x.12.1.24
RP/0/0/CPU0:R2(config-ipv4-acl)# deny ip any any log-input
RP/0/0/CPU0:R2(config-ipv4-acl)#end

Step 2: Apply the ACL inbound on the ISP-facing interface.

RP/0/0/CPU0:R3(config)#int g0/0/0/2
RP/0/0/CPU0:R3(config-if)#ipv4 access-group ISP_ACL_INBOUND in
RP/0/0/CPU0:R3(config-if)#end

If any BGP neighbors belonging to the alternate gateway service provider exist, this is a finding.
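As an added example (not part of the STIG or DISA's check text), a Python audit of an IOS XR running-config against the two conditions above: any BGP neighbor inside the alternate provider's address block is a finding, and the ISP-facing interface must carry an ingress ACL that ends in an explicit deny. The provider block 192.0.2.0/24, the interface name and the sample configuration are constructed; IOS XR writes the direction keyword as `ingress`, so the parser accepts both that and the `in` shown above.

```python
# Added example, not DISA's code. The provider block, interface and sample config are constructed.
import ipaddress
import re

ALT_ISP_BLOCK = ipaddress.ip_network("192.0.2.0/24")  # assumed alternate-ISP block (TEST-NET-1)
SAMPLE_CONFIG = """\
router bgp 65001
 neighbor 192.0.2.1
  remote-as 64500
!
ipv4 access-list ISP_ACL_INBOUND
 10 permit tcp any any established
 20 deny ipv4 any any log-input
!
interface GigabitEthernet0/0/0/2
 ipv4 access-group ISP_ACL_INBOUND ingress
!
"""

def section(config, header_re):
    # Indented body of the top-level block whose header line matches header_re.
    m = re.search(rf"^{header_re}\n((?: .*\n)*)", config, re.M)
    return m.group(1) if m else ""

def alt_isp_peers(config, block):
    # BGP neighbors inside the alternate provider's block: each one is a finding.
    body = section(config, r"router bgp \d+")
    peers = [ipaddress.ip_address(a) for a in re.findall(r"^ neighbor (\S+)$", body, re.M)]
    return [str(p) for p in peers if p in block]

def ingress_acl(config, interface):
    # Name of the ACL applied inbound on the interface ('ingress' in IOS XR; 'in' as written above).
    body = section(config, rf"interface {re.escape(interface)}")
    m = re.search(r"^ ipv4 access-group (\S+) (?:ingress|in)$", body, re.M)
    return m.group(1) if m else None

def acl_ends_with_deny(config, name):
    # True when the last ACE is an explicit 'deny ipv4 any any' (sequence number optional).
    body = section(config, rf"ipv4 access-list {re.escape(name)}")
    aces = [l.strip() for l in body.splitlines() if l.strip() not in ("", "!")]
    return bool(aces) and re.match(r"(?:\d+ )?deny ipv4 any any", aces[-1]) is not None

def audit(config, block, interface):
    # Findings for CISC-RT-000290; an empty list means the check passes.
    findings = [f"BGP neighbor {p} is in alternate ISP block {block}" for p in alt_isp_peers(config, block)]
    acl = ingress_acl(config, interface)
    if acl is None:
        findings.append(f"no ingress ACL applied on {interface}")
    elif not acl_ends_with_deny(config, acl):
        findings.append(f"ACL {acl} does not end with an explicit deny")
    return findings
```

Run `audit(SAMPLE_CONFIG, ALT_ISP_BLOCK, "GigabitEthernet0/0/0/2")` against the sample to see the BGP-peer finding; removing the neighbor stanza yields an empty list.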

Vulnerability Number

V-216757

Documentable

False

Rule Version

CISC-RT-000290

Check Content Reference

M

Target Key

4029

Comments