STIGQter: STIG Summary: Cisco NX-OS Switch RTR Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Apr 2021

The Cisco switch must be configured to have all non-essential capabilities disabled.

DISA Rule

SV-221077r622190_rule

Vulnerability Number

V-221077

Group Title

SRG-NET-000131-RTR-000035

Rule Version

CISC-RT-000070

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Disable features that should not be enabled unless required for operations.

SW2(config)# no feature telnet
SW2(config)# no feature dhcp
SW2(config)# no feature wccp
SW2(config)# no feature nxapi
SW2(config)# no feature imp

Note: Telnet must always be disabled.

Check Contents

Verify that the switch does not have any unnecessary or non-secure ports, protocols, or services enabled. For example, of the features listed below, telnet must never be enabled, while the others should be enabled only if required for operations.

feature telnet
feature dhcp
feature wccp
feature nxapi
feature imp

If any unnecessary or non-secure ports, protocols, or services are enabled, this is a finding.
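The fix and check above can be driven from the `feature` lines of the running configuration (for example, the output of `show running-config | include ^feature`). The following script is an added example and is not part of the STIG or of STIGQter: it applies the check's logic to a constructed running-config excerpt, treating telnet as a finding that no justification can exempt, the other listed features as findings unless the site has documented them as operationally required, and any remaining enabled feature as an item for manual review. The function names, the `justified` parameter and the sample configuration are assumptions made for the illustration.

```python
"""Automated evaluation of the CISC-RT-000070 check over NX-OS running-config.

Reads the `feature ...` lines from a running-config excerpt (for example the
output of `show running-config | include ^feature`) and classifies each
enabled feature the way the STIG check does: telnet is always a finding,
the other listed features are findings unless the site has documented them
as required for operations, and anything else is listed for manual review.
"""
import re

# Features named in the STIG check. Telnet can never be justified; the
# others are findings only when not documented as operationally required.
ALWAYS_FINDING = frozenset({"telnet"})
REQUIRES_JUSTIFICATION = frozenset({"dhcp", "wccp", "nxapi", "imp"})

# Matches `feature <name>` (multi-word names such as `feature sla sender`
# are kept whole); `feature-set ...` lines deliberately do not match.
FEATURE_RE = re.compile(r"^\s*feature\s+(.+?)\s*$", re.MULTILINE)

# Constructed sample (not taken from a real device) with both compliant and
# non-compliant features enabled.
SAMPLE_CONFIG = """\
!Command: show running-config | include ^feature
feature telnet
feature ssh
feature ospf
feature dhcp
feature nxapi
feature lacp
feature vpc
"""


def enabled_features(running_config: str) -> set[str]:
    """Return the names of all features enabled in the excerpt."""
    return set(FEATURE_RE.findall(running_config))


def evaluate(running_config: str, justified: frozenset[str] = frozenset()) -> dict:
    """Apply the check. `justified` holds features documented as required."""
    enabled = enabled_features(running_config)
    # A justification never exempts telnet.
    findings = sorted(enabled & ALWAYS_FINDING)
    findings += sorted((enabled & REQUIRES_JUSTIFICATION) - justified)
    # Everything else that is enabled and not justified still needs a human
    # to confirm it is required; it is not an automatic finding.
    review = sorted(enabled - ALWAYS_FINDING - REQUIRES_JUSTIFICATION - justified)
    return {
        "compliant": not findings,
        "findings": findings,
        "review": review,
        # Remediation follows the STIG fix text: remove each offending feature.
        "remediation": [f"no feature {name}" for name in findings],
    }


if __name__ == "__main__":
    result = evaluate(SAMPLE_CONFIG, justified=frozenset({"nxapi"}))
    status = "COMPLIANT" if result["compliant"] else "FINDING"
    print(f"{status}: {', '.join(result['findings']) or 'none'}")
    print("review manually:", ", ".join(result["review"]))
    for line in result["remediation"]:
        print(f"SW2(config)# {line}")
```

Run against the sample with `nxapi` justified, the script reports telnet and dhcp as findings, lists ssh, ospf, lacp and vpc for manual review, and prints the `no feature` commands to paste into configuration mode. Because the check text says "for example", the review list exists so that features outside the five named ones are not silently accepted.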

Vulnerability Number

V-221077

Documentable

False

Rule Version

CISC-RT-000070

Severity Override Guidance


Check Content Reference

M

Target Key

4075

Comments