STIGQter: STIG Summary: Cisco IOS Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes.

DISA Rule

SV-220443r622190_rule

Vulnerability Number

V-220443

Group Title

SRG-NET-000364-RTR-000110

Rule Version

CISC-RT-000270

Severity

CAT II

CCI(s)

• CCI-002403 - The information system only allows incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.

Weight

10

Fix Recommendation

Configure the perimeter to block inbound packets with Bogon source addresses.

Step 1: Configure an ACL containing the current Bogon prefixes as shown below:

SW1(config)#ip access-list extended FILTER_PERIMETER
SW1(config-ext-nacl)#deny ip 0.0.0.0 0.255.255.255 any log-input
SW1(config-ext-nacl)#deny ip 10.0.0.0 0.255.255.255 any log-input
SW1(config-ext-nacl)#deny ip 100.64.0.0 0.63.255.255 any log-input
SW1(config-ext-nacl)#deny ip 127.0.0.0 0.255.255.255 any log-input
SW1(config-ext-nacl)#deny ip 169.254.0.0 0.0.255.255 any log-input
SW1(config-ext-nacl)#deny ip 172.16.0.0 0.15.255.255 any log-input
SW1(config-ext-nacl)#deny ip 192.0.0.0 0.0.0.255 any log-input
SW1(config-ext-nacl)#deny ip 192.0.2.0 0.0.0.255 any log-input
SW1(config-ext-nacl)#deny ip 192.168.0.0 0.0.255.255 any log-input
SW1(config-ext-nacl)#deny ip 198.18.0.0 0.1.255.255 any log-input
SW1(config-ext-nacl)#deny ip 198.51.100.0 0.0.0.255 any log-input
SW1(config-ext-nacl)#deny ip 203.0.113.0 0.0.0.255 any log-input
SW1(config-ext-nacl)#deny ip 224.0.0.0 31.255.255.255 any log-input
SW1(config-ext-nacl)#deny ip 240.0.0.0 31.255.255.255 any log-input
SW1(config-ext-nacl)#permit tcp any any established
SW1(config-ext-nacl)#permit icmp host x.12.1.9 host x.12.1.10 echo
SW1(config-ext-nacl)#permit icmp host x.12.1.9 host x.12.1.10 echo-reply
…
…
…
SW1(config-ext-nacl)#deny ip any any log-input
SW1(config-ext-nacl)#end

Step 2: Apply the ACL inbound on all external interfaces.

SW1(config)#int g0/0
SW1(config-if)#ip access-group FILTER_PERIMETER in
SW1(config-if)#end

Check Contents

Review the switch configuration to verify that an ingress access control list (ACL) applied to all external interfaces is blocking packets with Bogon source addresses.

Step 1: Verify that an ACL has been configured containing the current Bogon prefixes as shown in the example below:

ip access-list extended FILTER_PERIMETER
deny ip 0.0.0.0 0.255.255.255 any log-input
deny ip 10.0.0.0 0.255.255.255 any log-input
deny ip 100.64.0.0 0.63.255.255 any log-input
deny ip 127.0.0.0 0.255.255.255 any log-input
deny ip 169.254.0.0 0.0.255.255 any log-input
deny ip 172.16.0.0 0.15.255.255 any log-input
deny ip 192.0.0.0 0.0.0.255 any log-input
deny ip 192.0.2.0 0.0.0.255 any log-input
deny ip 192.168.0.0 0.0.255.255 any log-input
deny ip 198.18.0.0 0.1.255.255 any log-input
deny ip 198.51.100.0 0.0.0.255 any log-input
deny ip 203.0.113.0 0.0.0.255 any log-input
deny ip 224.0.0.0 31.255.255.255 any log-input
permit tcp any any established
permit icmp host x.12.1.9 host x.12.1.10 echo
permit icmp host x.12.1.9 host x.12.1.10 echo-reply
…
…
…
deny ip any any log-input

Step 2: Verify that the inbound ACL applied to all external interfaces will block all traffic from Bogon source addresses.

interface GigabitEthernet0/1
description Link to DISN
ip address x.12.1.10 255.255.255.254
ip access-group FILTER_PERIMETER in

If the switch is not configured to block inbound packets with source Bogon IP address prefixes, this is a finding.

Vulnerability Number

V-220443

Documentable

False

Rule Version

CISC-RT-000270

Severity Override Guidance

Review the switch configuration to verify that an ingress access control list (ACL) applied to all external interfaces is blocking packets with Bogon source addresses.

Step 1: Verify that an ACL has been configured containing the current Bogon prefixes as shown in the example below:

ip access-list extended FILTER_PERIMETER
deny ip 0.0.0.0 0.255.255.255 any log-input
deny ip 10.0.0.0 0.255.255.255 any log-input
deny ip 100.64.0.0 0.63.255.255 any log-input
deny ip 127.0.0.0 0.255.255.255 any log-input
deny ip 169.254.0.0 0.0.255.255 any log-input
deny ip 172.16.0.0 0.15.255.255 any log-input
deny ip 192.0.0.0 0.0.0.255 any log-input
deny ip 192.0.2.0 0.0.0.255 any log-input
deny ip 192.168.0.0 0.0.255.255 any log-input
deny ip 198.18.0.0 0.1.255.255 any log-input
deny ip 198.51.100.0 0.0.0.255 any log-input
deny ip 203.0.113.0 0.0.0.255 any log-input
deny ip 224.0.0.0 31.255.255.255 any log-input
permit tcp any any established
permit icmp host x.12.1.9 host x.12.1.10 echo
permit icmp host x.12.1.9 host x.12.1.10 echo-reply
…
…
…
deny ip any any log-input

Step 2: Verify that the inbound ACL applied to all external interfaces will block all traffic from Bogon source addresses.

interface GigabitEthernet0/1
description Link to DISN
ip address x.12.1.10 255.255.255.254
ip access-group FILTER_PERIMETER in

If the switch is not configured to block inbound packets with source Bogon IP address prefixes, this is a finding.

Check Content Reference

M

Target Key

4065

Comments