STIGQter: STIG Summary: Cisco IOS XE Router RTR Security Technical Implementation Guide, Version 2, Release 2, Benchmark Date: 23 Apr 2021

The Cisco perimeter router must be configured to block all packets with any IP options.

DISA Rule

SV-216998r531086_rule

Vulnerability Number

V-216998

Group Title

SRG-NET-000205-RTR-000015

Rule Version

CISC-RT-000350

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

This requirement is not applicable for the DODIN Backbone.

Configure the router to drop all packets with IP options.

R1(config)#ip access-list extended EXTERNAL_ACL
R1(config-ext-nacl)#15 deny ip any any option any-options

Check Contents

This requirement is not applicable for the DODIN Backbone.

Review the router configuration to determine if it will block all packets with IP options.

ip access-list extended EXTERNAL_ACL
permit tcp any any established
deny ip any any option any-options
permit …

deny ip any any log-input

If the router is not configured to drop all packets with IP options, this is a finding.
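As an added compliance check (not part of the STIG or of STIGQter), the Python below parses a running-config fragment, pulls the entries of EXTERNAL_ACL in order, and reports a finding when the option deny is missing. It also flags a broad permit placed above the deny, an assumption going slightly beyond the check text, because IOS evaluates ACL entries first-match and such a permit would let option-bearing packets through before the deny is reached. The config samples are constructed.

```python
import re
from typing import List, Optional

# Constructed running-config fragments (hypothetical, not from a real device).
COMPLIANT_CONFIG = """\
ip access-list extended EXTERNAL_ACL
 permit tcp any any established
 deny ip any any option any-options
 permit tcp any host 192.0.2.10 eq 443
 deny ip any any log-input
!
interface GigabitEthernet0/0
 ip access-group EXTERNAL_ACL in
"""

NONCOMPLIANT_CONFIG = """\
ip access-list extended EXTERNAL_ACL
 permit tcp any any established
 permit tcp any host 192.0.2.10 eq 443
 deny ip any any log-input
"""

def acl_entries(config: str, acl_name: str) -> List[str]:
    """Return the entries of a named extended ACL in configured order."""
    entries, inside = [], False
    for raw in config.splitlines():
        line = raw.strip()
        if line == f"ip access-list extended {acl_name}":
            inside = True
            continue
        if inside and not raw.startswith(" "):  # left the ACL stanza
            break
        if inside and line:
            entries.append(re.sub(r"^\d+\s+", "", line))  # drop sequence numbers
    return entries

def ip_options_finding(config: str, acl_name: str = "EXTERNAL_ACL") -> Optional[str]:
    """Return None when the ACL drops IP-option packets, else the finding text."""
    entries = acl_entries(config, acl_name)
    if not entries:
        return f"ACL {acl_name} not found"
    deny_idx = [i for i, e in enumerate(entries) if e.startswith("deny ip any any") and "option any-options" in e]
    if not deny_idx:
        return "no 'deny ip any any option any-options' entry"
    # IOS ACLs are first-match: a broad permit above the deny lets option packets through.
    for entry in entries[:deny_idx[0]]:
        if entry.startswith("permit") and not entry.endswith("established"):
            return f"permit precedes the option deny: '{entry}'"
    return None
```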

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4028

Comments