STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Cisco router must be configured to have Internet Control Message Protocol (ICMP) redirect messages disabled on all external interfaces.

DISA Rule

SV-216748r531087_rule

Vulnerability Number

V-216748

Group Title

SRG-NET-000362-RTR-000115

Rule Version

CISC-RT-000190

Severity

CAT II

CCI(s)

• CCI-002385 - The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards.

Weight

10

Fix Recommendation

Disable ICMP redirects on all external interfaces as shown in the example below.

RP/0/0/CPU0:R3(config)#int g0/0/0/1
RP/0/0/CPU0:R3(config-if)#no ipv4 redirects

Check Contents

Review the router configuration to verify that ipv4 redirects command has not been configured on any external interface as shown in the example below.

interface GigabitEthernet0/0/0/1
ipv4 address x.11.1.2 255.255.255.252
ipv4 redirects

If ICMP Redirect messages are enabled on any external interfaces, this is a finding.

Vulnerability Number

V-216748

Documentable

False

Rule Version

CISC-RT-000190

Severity Override Guidance

Review the router configuration to verify that ipv4 redirects command has not been configured on any external interface as shown in the example below.

interface GigabitEthernet0/0/0/1
ipv4 address x.11.1.2 255.255.255.252
ipv4 redirects

If ICMP Redirect messages are enabled on any external interfaces, this is a finding.

Check Content Reference

M

Target Key

4029

Comments