STIGQter: STIG Summary: Network Infrastructure Policy Security Technical Implementation Guide, Version 9, Release 10, Benchmark Date: 24 Jan 2020

A Quality of Service (QoS) policy must be implemented to provide preferred treatment for Command and Control (C2) real-time services and control plane traffic.

DISA Rule

SV-80853r1_rule

Vulnerability Number

V-66363

Group Title

NET2005

Rule Version

NET2005

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure a QoS policy on each router to provide assured services for control plane traffic and C2 real-time services.

Check Contents

Review each router and verify that a QoS policy has been configured to provide preferred treatment for control plane traffic and C2 real-time services.

Step 1: Verify that the class-maps are configured to match on DSCP values that have been set at the edges as shown in the configuration example below:

class-map match-all CONTROL_PLANE
 match ip dscp 48
class-map match-all C2_VOICE
 match ip dscp 47
class-map match-all VOICE
 match ip dscp ef
class-map match-all VIDEO
 match ip dscp af4
class-map match-all PREFERRED_DATA
 match ip dscp af3

Step 2: Verify that the policy map applied to the core-layer-facing interface reserves the bandwidth for each traffic type as shown in the following example:

policy-map QOS_POLICY
 class CONTROL_PLANE
  priority percent 10
 class C2_VOICE
  priority percent 10
 class VOICE
  priority percent 15
 class VIDEO
  bandwidth percent 25
 class PREFERRED_DATA
  bandwidth percent 25
 class class-default
  bandwidth percent 15

Step 3: Verify that an output service policy is bound to the core-layer-facing interface as shown in the configuration example below:

interface GigabitEthernet1/1
 ip address 10.2.0.2 255.255.255.252
 service-policy output QOS_POLICY

If a QoS policy has not been implemented within the JIE WAN infrastructure to provide assured services for control plane traffic and C2 real-time services, this is a finding.
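The three steps above are a manual review of one router. The script below is an added example (not part of the STIG text or of STIGQter) that runs the same three checks against a saved `show running-config`, so the check can be repeated across every router in the WAN. It assumes Cisco IOS configuration syntax, the class and policy-map names used in the check text, and two constructed sample configs embedded in the file. Two further assumptions are called out in the code: the check's `af4` and `af3` are read as the AF4x and AF3x classes, which IOS spells `af41 af42 af43` and `af31 af32 af33` (IOS does not accept `af4` as a keyword), and DSCP 48 is accepted as either `48` or its keyword `cs6`, which is how IOS stores it.

```python
"""Added example: audit a Cisco IOS running-config for the three NET2005 checks."""
import re

# DSCP tokens accepted per class. Assumption: the check text's "af4"/"af3" mean
# the AF4x/AF3x classes (IOS keywords af41..af43 / af31..af33); 48 == cs6, 46 == ef.
EXPECTED_MARKINGS = {
    "CONTROL_PLANE": {"48", "cs6"},
    "C2_VOICE": {"47"},
    "VOICE": {"ef", "46"},
    "VIDEO": {"af41", "af42", "af43", "34", "36", "38"},
    "PREFERRED_DATA": {"af31", "af32", "af33", "26", "28", "30"},
}
PRIORITY_CLASSES = ("CONTROL_PLANE", "C2_VOICE", "VOICE")  # must sit in the LLQ
BANDWIDTH_CLASSES = ("VIDEO", "PREFERRED_DATA")            # must have a guarantee


def parse_sections(text):
    """Split an IOS config into {top-level line: [raw indented child lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and '!' separators
        if not raw[0].isspace():
            current = raw.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(raw)
    return sections


def class_map_markings(sections):
    """Step 1: {class-map name: set of DSCP tokens it matches}."""
    out = {}
    for header, body in sections.items():
        m = re.match(r"class-map\s+(?:match-(?:all|any)\s+)?(\S+)$", header)
        if not m:
            continue
        tokens = set()
        for line in body:
            mm = re.match(r"\s*match\s+(?:ip\s+)?dscp\s+(.+)$", line)
            if mm:
                tokens.update(mm.group(1).split())
        out[m.group(1)] = tokens
    return out


def policy_map_classes(sections, name):
    """Step 2: {class: (action, percent)} for a policy-map, None if undefined."""
    body = sections.get(f"policy-map {name}")
    if body is None:
        return None
    classes, current = {}, None
    for line in body:
        s = line.strip()
        if s.startswith("class "):
            current = s.split()[1]
            classes[current] = None
        elif current is not None:
            m = re.match(r"(priority|bandwidth)\s+percent\s+(\d+)$", s)
            if m:
                classes[current] = (m.group(1), int(m.group(2)))
    return classes


def output_policies(sections):
    """Step 3: {interface: policy-map bound with 'service-policy output'}."""
    bound = {}
    for header, body in sections.items():
        if header.startswith("interface "):
            for line in body:
                m = re.match(r"\s*service-policy\s+output\s+(\S+)$", line)
                if m:
                    bound[header.split(None, 1)[1]] = m.group(1)
    return bound


def audit(config_text, core_interface):
    """Return a list of findings for the core-facing interface; [] means compliant."""
    findings = []
    sections = parse_sections(config_text)
    markings = class_map_markings(sections)
    for cls, allowed in EXPECTED_MARKINGS.items():
        got = markings.get(cls)
        if got is None:
            findings.append(f"class-map {cls} is not defined")
        elif not got or not got <= allowed:
            findings.append(f"class-map {cls} matches {sorted(got)}, expected a subset of {sorted(allowed)}")
    policy = output_policies(sections).get(core_interface)
    if policy is None:
        findings.append(f"no 'service-policy output' bound to {core_interface}")
        return findings
    classes = policy_map_classes(sections, policy)
    if classes is None:
        findings.append(f"policy-map {policy} is bound but not defined")
        return findings
    for cls in PRIORITY_CLASSES:
        if not classes.get(cls) or classes[cls][0] != "priority":
            findings.append(f"{policy}: class {cls} is not in the priority (LLQ) queue")
    for cls in BANDWIDTH_CLASSES:
        if not classes.get(cls):
            findings.append(f"{policy}: class {cls} has no bandwidth guarantee")
    total = sum(action[1] for action in classes.values() if action)
    if total > 100:
        findings.append(f"{policy}: allocations total {total}%, over 100%")
    return findings


# Constructed sample configs (not from a real device).
COMPLIANT_CONFIG = """\
class-map match-all CONTROL_PLANE
 match ip dscp cs6
class-map match-all C2_VOICE
 match ip dscp 47
class-map match-all VOICE
 match ip dscp ef
class-map match-all VIDEO
 match ip dscp af41 af42 af43
class-map match-all PREFERRED_DATA
 match ip dscp af31 af32 af33
!
policy-map QOS_POLICY
 class CONTROL_PLANE
  priority percent 10
 class C2_VOICE
  priority percent 10
 class VOICE
  priority percent 15
 class VIDEO
  bandwidth percent 25
 class PREFERRED_DATA
  bandwidth percent 25
 class class-default
  bandwidth percent 15
!
interface GigabitEthernet1/1
 ip address 10.2.0.2 255.255.255.252
 service-policy output QOS_POLICY
"""

# Same config with two typical mistakes: C2 voice given a bandwidth guarantee
# instead of the priority queue, and best-effort (DSCP default) swept into PREFERRED_DATA.
NONCOMPLIANT_CONFIG = (
    COMPLIANT_CONFIG
    .replace(" class C2_VOICE\n  priority percent 10", " class C2_VOICE\n  bandwidth percent 10")
    .replace("match ip dscp af31 af32 af33", "match ip dscp af31 af32 af33 default")
)

if __name__ == "__main__":
    for label, cfg in (("compliant", COMPLIANT_CONFIG), ("non-compliant", NONCOMPLIANT_CONFIG)):
        print(label, audit(cfg, "GigabitEthernet1/1") or "no findings")
```

Two caveats the script does not cover. First, the core policy only honours markings "set at the edges": if an access port trusts host markings, any host can mark its own packets EF or 47 and take the priority queue, so the edge remarking or policing policy is what makes this rule worth anything. Second, on older pre-HQF IOS releases the combined `priority` and `bandwidth` allocation is capped by `max-reserved-bandwidth` (default 75 percent of the interface), so the 100 percent allocation in the check text is rejected unless that limit is raised.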

Documentable

False

Check Content Reference

M

Target Key

838

Comments