STIGQter: STIG Summary: Cisco IOS XR Router NDM Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The Cisco router must be configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies.

DISA Rule

SV-216523r539428_rule

Vulnerability Number

V-216523

Group Title

SRG-APP-000038-NDM-000213

Rule Version

CISC-ND-000140

Severity

CAT II

CCI(s)

• CCI-001368 - The information system enforces approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.

Weight

10

Fix Recommendation

Configure the Cisco router to restrict management access to specific IP addresses via SSH as shown in the example below.

RP/0/0/CPU0:ios(config)#ipv4 access-list MANAGEMENT_NET
RP/0/0/CPU0:ios(config-ipv4-acl)#permit ipv4 10.1.1.0 255.255.255.0 any
RP/0/0/CPU0:ios(config-ipv4-acl)#deny ipv4 any any log-input
RP/0/0/CPU0:ios(config-ipv4-acl)#exit
RP/0/0/CPU0:R3(config)#vty default 0 4
RP/0/0/CPU0:R3(config)#line default
RP/0/0/CPU0:R3(config-line)#transport input ssh
RP/0/0/CPU0:R3(config-line)#access-class MANAGEMENT_NET in
RP/0/0/CPU0:R3(config-line)#end

Check Contents

Review the Cisco router configuration to verify that it is compliant with this requirement.

Step 1: Verify that the line vty has an ACL inbound applied as shown in the example below.

line default
access-class ingress MANAGEMENT_NET
transport input ssh
!
vty-pool default 0 4

Step 2: Verify that the ACL permits only hosts from the management network to access the router.

ipv4 access-list MANAGEMENT_NET
10 permit ipv4 10.1.1.0 255.255.255.0 any
20 deny ipv4 any any log-input

If the Cisco router is not configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies, this is a finding.

Vulnerability Number

V-216523

Documentable

False

Rule Version

CISC-ND-000140

Severity Override Guidance

Review the Cisco router configuration to verify that it is compliant with this requirement.

Step 1: Verify that the line vty has an ACL inbound applied as shown in the example below.

line default
access-class ingress MANAGEMENT_NET
transport input ssh
!
vty-pool default 0 4

Step 2: Verify that the ACL permits only hosts from the management network to access the router.

ipv4 access-list MANAGEMENT_NET
10 permit ipv4 10.1.1.0 255.255.255.0 any
20 deny ipv4 any any log-input

If the Cisco router is not configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies, this is a finding.

Check Content Reference

M

Target Key

4023

Comments