STIGQter: STIG Summary: Infrastructure Router Security Technical Implementation Guide Cisco

Version: 8
Release: 29
Benchmark Date: 25 Jan 2019

Checked  Name              Title
         SV-15474r3_rule   The network device must log all access control lists (ACL) deny statements.
         SV-3008r1_rule    The IAO will ensure IPSec VPNs are established as tunnel type VPNs when transporting management traffic across an IP backbone network.
         SV-3012r4_rule    Network devices must be password protected.
         SV-3013r5_rule    Network devices must display the DoD-approved logon banner warning.
         SV-15453r2_rule   The network element must timeout management connections for administrative access after 10 minutes or less of inactivity.
         SV-15330r2_rule   The network element must have DNS servers defined if it is configured as a client resolver.
         SV-15332r2_rule   The network element must only allow SNMP access from addresses belonging to the management network.
         SV-15290r2_rule   The network element must authenticate all IGP peers.
         SV-3043r4_rule    The network device must use different SNMP community names or groups for various levels of read and write access.
         SV-3056r7_rule    Group accounts must not be configured for use on the network device.
         SV-15471r4_rule   Authorized accounts must be assigned the least privilege level necessary to perform assigned duties.
         SV-3058r5_rule    Unauthorized accounts must not be configured for access to the network device.
         SV-41449r2_rule   The network element must be configured to ensure passwords are not viewable when displaying configuration information.
         SV-15451r4_rule   Management connections to a network device must be established using secure protocols with FIPS 140-2 validated cryptographic modules.
         SV-15455r3_rule   The network element must log all attempts to establish a management connection for administrative access.
         SV-3072r3_rule    The running configuration must be synchronized with the startup configuration after changes have been made and implemented.
         SV-3078r3_rule    Network devices must have TCP and UDP small servers disabled.
         SV-15305r2_rule   The network element must have the Finger service disabled.
         SV-3080r4_rule    The Configuration auto-loading feature must be disabled when connected to an operational network.
         SV-15316r2_rule   The router must have IP source routing disabled.
         SV-3083r3_rule    IP directed broadcast must be disabled on all layer 3 interfaces.
         SV-41467r2_rule   The network element must have HTTP service for administrative access disabled.
         SV-3086r3_rule    BOOTP services must be disabled.
         SV-3143r4_rule    Network devices must not have any default manufacturer passwords.
         SV-15302r2_rule   The network element must be running a current and supported operating system with all IAVMs addressed.
         SV-15448r4_rule   The network devices must require authentication prior to establishing a management connection for administrative access.
         SV-3196r4_rule    The network device must use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography for any SNMP agent configured on the device.
         SV-3210r4_rule    The network device must not use the default or well-known SNMP community strings public and private.
         SV-15469r6_rule   In the event the authentication server is unavailable, the network device must have a single local account of last resort defined.
         SV-15444r2_rule   The network element must time out access to the console port after 10 minutes or less of inactivity.
         SV-30086r3_rule   The network device must only allow SNMP read-only access.
         SV-19270r4_rule   The network device must require authentication for console access.
         SV-15476r2_rule   The network element must log all messages except debugging and send all log data to a syslog server.
         SV-15449r3_rule   The network element must only allow management connections for administrative access from hosts residing in the management network.
         SV-15457r2_rule   The network element must be configured to timeout after 60 seconds or less for incomplete or broken SSH sessions.
         SV-15458r2_rule   The network element must be configured for a maximum number of unsuccessful SSH login attempts set at 3 before resetting the interface.
         SV-5614r3_rule    Network devices must have the PAD service disabled.
         SV-5615r3_rule    Network devices must have TCP Keep-Alives enabled for TCP sessions.
         SV-5616r3_rule    Network devices must have identification support disabled.
         SV-5618r3_rule    Gratuitous ARP must be disabled.
         SV-5645r4_rule    Cisco Express Forwarding (CEF) must be enabled on all supported Cisco Layer 3 IP devices.
         SV-15435r4_rule   The network device must drop half-open TCP connections through filtering thresholds or timeout periods.
         SV-7363r3_rule    An Infinite Lifetime key must be set to never expire. The lifetime of the key will be configured as infinite for route authentication, if supported by the current approved router software version.
         SV-15446r2_rule   The network element’s auxiliary port must be disabled unless it is connected to a secured modem providing encryption and authentication.
         SV-15301r4_rule   Network devices must be configured with rotating keys used for authenticating IGP peers that have a duration of 180 days or less.
         SV-15314r2_rule   The administrator must ensure BSD r command services are disabled.
         SV-16089r4_rule   The network element must authenticate all NTP messages received from NTP servers and peers.
         SV-16091r2_rule   The router must use its loopback or OOB management interface address as the source address when originating TACACS+ or RADIUS traffic.
         SV-15340r2_rule   The router must use its loopback or OOB management interface address as the source address when originating syslog traffic.
         SV-15343r2_rule   The router must use its loopback or OOB management interface address as the source address when originating NTP traffic.
         SV-15346r2_rule   The router must use its loopback or OOB management interface address as the source address when originating SNMP traffic.
         SV-15349r2_rule   The router must use its loopback or OOB management interface address as the source address when originating NetFlow traffic.
         SV-15352r3_rule   The network device must use its loopback or OOB management interface address as the source address when originating TFTP or FTP traffic.
         SV-15359r2_rule   The router must use its loopback interface address as the source address for all iBGP peering sessions.
         SV-15397r2_rule   The network device must be configured to ensure IPv6 Site Local Unicast addresses are not defined in the enclave (FEC0::/10). Note that this consists of all addresses that begin with FEC, FED, FEE and FEF.
         SV-15425r1_rule   The administrator will enable CEF to improve router stability during a SYN flood attack in an IPv6 enclave.
         SV-15429r1_rule   The network element must be configured to reject any outbound IP packet that contains an illegitimate address in the source address field, via egress ACL or by enabling Unicast Reverse Path Forwarding, in an IPv6 enclave.
         SV-15460r2_rule   The network element must not use SSH Version 1 for administrative access.
         SV-16068r2_rule   ISATAP tunnels must terminate at an interior router.
         SV-16259r4_rule   Network devices must use two or more authentication servers for the purpose of granting administrative access.
         SV-16261r5_rule   The emergency administration account must be set to an appropriate authorization level to perform necessary administrative functions when the authentication server is not online.
         SV-18945r2_rule   IPSec tunnels used to transit management traffic must be restricted to only the authorized management packets based on destination and source IP address.
         SV-19063r1_rule   Gateway configuration at the remote VPN end-point is not a mirror of the local gateway.
         SV-19297r1_rule   IGP instances configured on the OOBM gateway router do not peer only with their appropriate routing domain.
         SV-19299r1_rule   The routes from the two IGP domains are redistributed to each other.
         SV-19301r2_rule   Traffic from the managed network is able to access the OOBM gateway router.
         SV-19303r1_rule   Traffic from the managed network will leak into the management network via the gateway router interface connected to the OOBM backbone.
         SV-19305r1_rule   Management network traffic is leaking into the managed network.
         SV-20205r2_rule   The network element’s OOBM interface must be configured with an OOBM network address.
         SV-20208r1_rule   The management interface is not configured with both an ingress and egress ACL.
         SV-19334r2_rule   The network element’s management interface is not configured as passive for the IGP instance deployed in the managed network.
         SV-19308r1_rule   An inbound ACL is not configured for the management network sub-interface of the trunk link to block non-management traffic.
         SV-19310r1_rule   Traffic entering the tunnels is not restricted to only the authorized management packets based on destination address.
         SV-19313r1_rule   Management traffic is not classified and marked at the nearest upstream MLS or router when management traffic must traverse several nodes to reach the management network.
         SV-19315r1_rule   The core router within the managed network has not been configured to provide preferred treatment for management traffic that must traverse several nodes to reach the management network.
         SV-20061r3_rule   Server VLAN interfaces must be protected by restrictive ACLs using a deny-by-default security posture.
         SV-20504r2_rule   Default routes must not be directed to the tunnel entry point.
         SV-21167r2_rule   The router must have control plane protection enabled.
         SV-21169r1_rule   The administrator must ensure that multicast routers are configured to establish boundaries for Admin-local or Site-local scope multicast traffic.
         SV-41497r1_rule   The network element must use two or more NTP servers to synchronize time.
         SV-38003r3_rule   A service or feature that calls home to the vendor must be disabled.
         SV-40312r1_rule   The administrator must ensure that Protocol Independent Multicast (PIM) is disabled on all interfaces that are not required to support multicast routing.
         SV-40315r1_rule   The administrator must ensure that a PIM neighbor filter is bound to all interfaces that have PIM enabled.
         SV-40389r1_rule   The administrator must ensure that the maximum hop limit is at least 32.
         SV-40454r1_rule   The administrator must ensure the 6-to-4 router is configured to drop any IPv4 packets with protocol 41 received from the internal network.
         SV-40539r1_rule   The administrator must ensure the 6-to-4 router is configured to drop any outbound IPv6 packets from the internal network with a source address that is not within the 6to4 prefix 2002:V4ADDR::/48, where V4ADDR is the designated IPv4 6to4 address for the enclave.
         SV-40556r1_rule   The administrator must ensure that all L2TPv3 sessions are authenticated prior to transporting traffic.
         SV-41555r2_rule   The network element must authenticate all BGP peers within the same or between autonomous systems (AS).