STIGQter STIGQter: STIG Summary: Cisco IOS Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco perimeter switch must be configured to only allow incoming communications from authorized sources to be routed to authorized destinations.

DISA Rule

SV-220442r622190_rule

Vulnerability Number

V-220442

Group Title

SRG-NET-000364-RTR-000109

Rule Version

CISC-RT-000260

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the switch to allow only incoming communications from authorized sources to be routed to authorized destinations.

SW1(config)#ip access-list extended FILTER_PERIMETER
SW1(config-ext-nacl)#permit udp host x.12.1.9 host x.12.1.21 eq ntp
SW1(config-ext-nacl)#end

Check Contents

Review the switch configuration to determine if the switch allows only incoming communications from authorized sources to be routed to authorized destinations. The hypothetical example below allows inbound NTP from server x.1.12.9 only to host x.12.1.21.

ip access-list extended FILTER_PERIMETER
permit tcp any any established



permit udp host x.12.1.9 host x.12.1.21 eq ntp
deny ip any any log-input

If the switch does not restrict incoming communications to allow only authorized sources and destinations, this is a finding.

Vulnerability Number

V-220442

Documentable

False

Rule Version

CISC-RT-000260

Severity Override Guidance

Review the switch configuration to determine if the switch allows only incoming communications from authorized sources to be routed to authorized destinations. The hypothetical example below allows inbound NTP from server x.1.12.9 only to host x.12.1.21.

ip access-list extended FILTER_PERIMETER
permit tcp any any established



permit udp host x.12.1.9 host x.12.1.21 eq ntp
deny ip any any log-input

If the switch does not restrict incoming communications to allow only authorized sources and destinations, this is a finding.

Check Content Reference

M

Target Key

4065

Comments