STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Cisco perimeter router must be configured to not be a Border Gateway Protocol (BGP) peer to an alternate gateway service provider.

DISA Rule

SV-216757r531087_rule

Vulnerability Number

V-216757

Group Title

SRG-NET-000019-RTR-000009

Rule Version

CISC-RT-000290

Severity

CAT I

CCI(s)

• CCI-001414 - The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.

Weight

10

Fix Recommendation

This requirement is not applicable for the DODIN Backbone.

Remove any BGP neighbors belonging to the alternate gateway service provider and configure a static route to forward Internet bound traffic to the alternate gateway as shown in the example below.

R5(config)#ip route 0.0.0.0 0.0.0.0 x.22.1.14

Check Contents

This requirement is not applicable for the DODIN Backbone.

Step 1: Configure the ingress ACL of the perimeter router connected to an alternate gateway to only permit packets with destination addresses of the site's NIPRNet address space or a destination address belonging to the address block assigned by the alternate gateway network service provider as shown in the example below.

RP/0/0/CPU0:R2(config)#ip access-list ISP_ACL_INBOUND
RP/0/0/CPU0:R2(config-ipv4-acl)# permit tcp any any established
RP/0/0/CPU0:R2(config-ipv4-acl)# permit icmp host x.12.1.16 host x.12.1.17 echo
RP/0/0/CPU0:R2(config-ipv4-acl)# permit icmp host x.12.1.16 host x.12.1.17 echo-reply
RP/0/0/CPU0:R2(config-ipv4-acl)# permit tcp any host x.12.1.22 eq www
RP/0/0/CPU0:R2(config-ipv4-acl)# permit tcp any host x.12.1.23 eq www
RP/0/0/CPU0:R2(config-ipv4-acl)# permit 50 any host x.12.1.24
RP/0/0/CPU0:R2(config-ipv4-acl)# permit 51 any host x.12.1.24
RP/0/0/CPU0:R2(config-ipv4-acl)# deny ip any any log-input
RP/0/0/CPU0:R2(config-ipv4-acl)#end

Step 2: Apply the ACL inbound on the ISP-facing interface.

RP/0/0/CPU0:R3(config)#int g0/0/0/2
RP/0/0/CPU0:R3(config-if)#ipv4 access-group ISP_ACL_INBOUND in
RP/0/0/CPU0:R3(config-if)#end

If any BGP neighbors belonging to the alternate gateway service provider exist, this is a finding.

Vulnerability Number

V-216757

Documentable

False

Rule Version

CISC-RT-000290

Severity Override Guidance

This requirement is not applicable for the DODIN Backbone.

Step 1: Configure the ingress ACL of the perimeter router connected to an alternate gateway to only permit packets with destination addresses of the site's NIPRNet address space or a destination address belonging to the address block assigned by the alternate gateway network service provider as shown in the example below.

RP/0/0/CPU0:R2(config)#ip access-list ISP_ACL_INBOUND
RP/0/0/CPU0:R2(config-ipv4-acl)# permit tcp any any established
RP/0/0/CPU0:R2(config-ipv4-acl)# permit icmp host x.12.1.16 host x.12.1.17 echo
RP/0/0/CPU0:R2(config-ipv4-acl)# permit icmp host x.12.1.16 host x.12.1.17 echo-reply
RP/0/0/CPU0:R2(config-ipv4-acl)# permit tcp any host x.12.1.22 eq www
RP/0/0/CPU0:R2(config-ipv4-acl)# permit tcp any host x.12.1.23 eq www
RP/0/0/CPU0:R2(config-ipv4-acl)# permit 50 any host x.12.1.24
RP/0/0/CPU0:R2(config-ipv4-acl)# permit 51 any host x.12.1.24
RP/0/0/CPU0:R2(config-ipv4-acl)# deny ip any any log-input
RP/0/0/CPU0:R2(config-ipv4-acl)#end

Step 2: Apply the ACL inbound on the ISP-facing interface.

RP/0/0/CPU0:R3(config)#int g0/0/0/2
RP/0/0/CPU0:R3(config-if)#ipv4 access-group ISP_ACL_INBOUND in
RP/0/0/CPU0:R3(config-if)#end

If any BGP neighbors belonging to the alternate gateway service provider exist, this is a finding.

Check Content Reference

M

Target Key

4029

Comments