STIGQter: STIG Summary: Cisco IOS XE Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021: STIGQter: STIG Summary: Cisco IOS XE Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:SV-216683r531086_rule
V-216683
SRG-NET-000205-RTR-000012
CISC-RT-000450
CAT II
10
If the management interface is not a dedicated OOBM interface, it must be configured with both an ingress and egress ACL.
Step 1: Configure an ingress ACL a shown in the example below:
R5(config)#ip access-list extended INGRESS_MANAGEMENT_ACL
R5(config-ext-nacl)#permit tcp any host 10.11.1.22 eq tacacs
R5(config-ext-nacl)#permit tcp any host 10.11.1.22 eq 22
R5(config-ext-nacl)#permit udp any host 10.11.1.22 eq snmp
R5(config-ext-nacl)#permit udp any host 10.11.1.22 eq snmptrap
R5(config-ext-nacl)#permit udp any host 10.11.1.22 eq ntp
R5(config-ext-nacl)#permit icmp any host 10.11.1.22
R5(config-ext-nacl)#deny ip any any log-input
R5(config-ext-nacl)#exit
Step 2: Configure an egress ACL a shown in the example below:
R5(config)#ip access-list extended EGRESS_MANAGEMENT_ACL
R5(config-ext-nacl)#deny ip any any log-input
R5(config-ext-nacl)#exit
Step 3: Apply the ACLs to the OOBM interfaces.
R4(config)#int g0/7
R4(config-if)#ip access-group INGRESS_MANAGEMENT_ACL in
R4(config-if)#ip access-group EGRESS_MANAGEMENT_ACL out
This requirement is only applicable where management access to the router is via an OOBM interface which is not a true OOBM interface.
Step 1: Verify that the managed interface has an inbound and outbound ACL configured.
interface GigabitEthernet0/7
description link to OOBM access switch
ip address 10.11.1.22 255.255.255.0
ip access-group INGRESS_MANAGEMENT_ACL in
ip access-group EGRESS_MANAGEMENT_ACL out
Step 2: Verify that the ingress ACL only allows management and ICMP traffic.
ip access-list extended INGRESS_MANAGEMENT_ACL
permit tcp any host 10.11.1.22 eq tacacs
permit tcp any host 10.11.1.22 eq 22
permit udp any host 10.11.1.22 eq snmp
permit udp any host 10.11.1.22 eq snmptrap
permit udp any host 10.11.1.22 eq ntp
permit icmp any host 10.11.1.22
deny ip any any log-input
Step 3: Verify that the egress ACL blocks any transit traffic.
ip access-list extended EGRESS_MANAGEMENT_ACL
deny ip any any log-input
Note: On Cisco routers, local generated packets are not inspected by outgoing interface access-lists. Hence, the above configuration would simply drop any packets not generated by the router; hence, blocking any transit traffic.
If the router does not restrict traffic that ingresses and egresses the management interface, this is a finding.
V-216683
False
CISC-RT-000450
This requirement is only applicable where management access to the router is via an OOBM interface which is not a true OOBM interface.
Step 1: Verify that the managed interface has an inbound and outbound ACL configured.
interface GigabitEthernet0/7
description link to OOBM access switch
ip address 10.11.1.22 255.255.255.0
ip access-group INGRESS_MANAGEMENT_ACL in
ip access-group EGRESS_MANAGEMENT_ACL out
Step 2: Verify that the ingress ACL only allows management and ICMP traffic.
ip access-list extended INGRESS_MANAGEMENT_ACL
permit tcp any host 10.11.1.22 eq tacacs
permit tcp any host 10.11.1.22 eq 22
permit udp any host 10.11.1.22 eq snmp
permit udp any host 10.11.1.22 eq snmptrap
permit udp any host 10.11.1.22 eq ntp
permit icmp any host 10.11.1.22
deny ip any any log-input
Step 3: Verify that the egress ACL blocks any transit traffic.
ip access-list extended EGRESS_MANAGEMENT_ACL
deny ip any any log-input
Note: On Cisco routers, local generated packets are not inspected by outgoing interface access-lists. Hence, the above configuration would simply drop any packets not generated by the router; hence, blocking any transit traffic.
If the router does not restrict traffic that ingresses and egresses the management interface, this is a finding.
M
4028