STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Cisco router must be configured to have all non-essential capabilities disabled.

DISA Rule

SV-216741r531087_rule

Vulnerability Number

V-216741

Group Title

SRG-NET-000131-RTR-000035

Rule Version

CISC-RT-000070

Severity

CAT III

CCI(s)

• CCI-000381 - The organization configures the information system to provide only essential capabilities.

Weight

10

Fix Recommendation

Disable the following services if enabled as shown in the example below.

RP/0/0/CPU0:R3(config)#no service ipv4 tcp-small-servers
RP/0/0/CPU0:R3(config)#no service ipv4 udp-small-servers
RP/0/0/CPU0:R3(config)#no http client vrf xxxxx
RP/0/0/CPU0:R3(config)#no telnet ipv4 server

Check Contents

Review the router configuration to verify that the router does not have any unnecessary or non-secure services enabled. For example, the following commands should not be in the configuration:

service ipv4 tcp-small-servers max-servers 10
service ipv4 udp-small-servers max-servers 10
http client vrf xxxxx
telnet vrf default ipv4 server max-servers 1

If any unnecessary services are enabled, this is a finding.

Vulnerability Number

V-216741

Documentable

False

Rule Version

CISC-RT-000070

Severity Override Guidance

Review the router configuration to verify that the router does not have any unnecessary or non-secure services enabled. For example, the following commands should not be in the configuration:

service ipv4 tcp-small-servers max-servers 10
service ipv4 udp-small-servers max-servers 10
http client vrf xxxxx
telnet vrf default ipv4 server max-servers 1

If any unnecessary services are enabled, this is a finding.

Check Content Reference

M

Target Key

4029

Comments