STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020: STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:SV-216773r531087_rule
V-216773
SRG-NET-000205-RTR-000012
CISC-RT-000450
CAT II
10
If the management interface is not a dedicated OOBM interface, it must be configured with both an ingress and egress ACL.
Step 1: Configure an ingress ACL a shown in the example below.
RP/0/0/CPU0:R2(config)#Ipv4 access-list INGRESS_MANAGEMENT_ACL
RP/0/0/CPU0:R2(config-ipv4-acl)#permit tcp any host 10.11.1.22 eq tacacs
RP/0/0/CPU0:R2(config-ipv4-acl)#permit tcp any host 10.11.1.22 eq 22
RP/0/0/CPU0:R2(config-ipv4-acl)#permit udp any host 10.11.1.22 eq snmp
RP/0/0/CPU0:R2(config-ipv4-acl)#permit udp any host 10.11.1.22 eq snmptrap
RP/0/0/CPU0:R2(config-ipv4-acl)#permit udp any host 10.11.1.22 eq ntp
RP/0/0/CPU0:R2(config-ipv4-acl)#permit icmp any host 10.11.1.22
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ip any any log-input
RP/0/0/CPU0:R2(config-ipv4-acl)#exit
Step 2: Configure an egress ACL a shown in the example below.
RP/0/0/CPU0:R2(config)#Ipv4 access-list EGRESS_MANAGEMENT_ACL
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ip any any log-input
RP/0/0/CPU0:R2(config-ipv4-acl)#exit
Step 3: Apply the ACLs to the OOBM interfaces.
RP/0/0/CPU0:R2(config)#int MgmtEth0/0/CPU0/0
RP/0/0/CPU0:R2(config-if)#ipv4 access-group INGRESS_MANAGEMENT_ACL ingress
RP/0/0/CPU0:R2(config-if)#ipv4 access-group EGRESS_MANAGEMENT_ACL egress
This requirement is only applicable where management access to the router is via an OOBM interface which is not a true OOBM interface.
Step 1: Verify that the managed interface has an inbound and outbound ACL configured.
interface MgmtEth0/0/CPU0/0
ipv4 address 10.1.13.4 255.255.255.0
ipv4 access-group INGRESS_MANAGEMENT_ACL ingress
ipv4 access-group EGRESS_MANAGEMENT_ACL egress
Step 2: Verify that the ingress ACL only allows management and ICMP traffic.
ipv4 access-list INGRESS_MANAGEMENT_ACL
10 permit tcp any host 10.11.1.22 eq tacacs
20 permit tcp any host 10.11.1.22 eq ssh
30 permit udp any host 10.11.1.22 eq snmp
40 permit udp any host 10.11.1.22 eq snmptrap
50 permit udp any host 10.11.1.22 eq ntp
60 permit icmp any host 10.11.1.22
70 deny ipv4 any any log-input
Step 3: Verify that the egress ACL blocks any transit traffic.
ipv4 access-list EGRESS_MANAGEMENT_ACL
10 deny ipv4 any any log-input
Note: On Cisco routers, local generated packets are not inspected by outgoing interface access-lists. Hence, the above configuration would simply drop any packets not generated by the router; hence, blocking any transit traffic.
If the router does not restrict traffic that ingresses and egresses the management interface, this is a finding.
V-216773
False
CISC-RT-000450
This requirement is only applicable where management access to the router is via an OOBM interface which is not a true OOBM interface.
Step 1: Verify that the managed interface has an inbound and outbound ACL configured.
interface MgmtEth0/0/CPU0/0
ipv4 address 10.1.13.4 255.255.255.0
ipv4 access-group INGRESS_MANAGEMENT_ACL ingress
ipv4 access-group EGRESS_MANAGEMENT_ACL egress
Step 2: Verify that the ingress ACL only allows management and ICMP traffic.
ipv4 access-list INGRESS_MANAGEMENT_ACL
10 permit tcp any host 10.11.1.22 eq tacacs
20 permit tcp any host 10.11.1.22 eq ssh
30 permit udp any host 10.11.1.22 eq snmp
40 permit udp any host 10.11.1.22 eq snmptrap
50 permit udp any host 10.11.1.22 eq ntp
60 permit icmp any host 10.11.1.22
70 deny ipv4 any any log-input
Step 3: Verify that the egress ACL blocks any transit traffic.
ipv4 access-list EGRESS_MANAGEMENT_ACL
10 deny ipv4 any any log-input
Note: On Cisco routers, local generated packets are not inspected by outgoing interface access-lists. Hence, the above configuration would simply drop any packets not generated by the router; hence, blocking any transit traffic.
If the router does not restrict traffic that ingresses and egresses the management interface, this is a finding.
M
4029