STIGQter STIGQter: STIG Summary: Cisco IOS Router RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Cisco router must be configured to log all packets that have been dropped at interfaces via an ACL.

DISA Rule

SV-216568r531085_rule

Vulnerability Number

V-216568

Group Title

SRG-NET-000078-RTR-000001

Rule Version

CISC-RT-000200

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure ACLs to log packets that are dropped as shown in the example below.

R5(config)#ip access-list extended INGRESS_FILTER



R5(config-ext-nacl)#deny ip any any log

Check Contents

Review all Access Control Lists(ACLs) used to filter traffic and verify that packets being dropped are logged as shown in the configuration below.

ip access-list extended INGRESS_FILTER
permit tcp any any established
permit tcp host x.11.1.1 eq bgp host x.11.1.2
permit tcp host x.11.1.1 host x.11.1.2 eq bgp
permit tcp any host x.11.1.5 eq www
permit icmp host x.11.1.1 host x.11.1.2 echo
permit icmp any any echo-reply



deny ip any any log

If packets being dropped at interfaces are not logged, this is a finding.

Vulnerability Number

V-216568

Documentable

False

Rule Version

CISC-RT-000200

Severity Override Guidance

Review all Access Control Lists(ACLs) used to filter traffic and verify that packets being dropped are logged as shown in the configuration below.

ip access-list extended INGRESS_FILTER
permit tcp any any established
permit tcp host x.11.1.1 eq bgp host x.11.1.2
permit tcp host x.11.1.1 host x.11.1.2 eq bgp
permit tcp any host x.11.1.5 eq www
permit icmp host x.11.1.1 host x.11.1.2 echo
permit icmp any any echo-reply



deny ip any any log

If packets being dropped at interfaces are not logged, this is a finding.

Check Content Reference

M

Target Key

4027

Comments