STIGQter STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Cisco perimeter router must be configured to filter traffic destined to the enclave in accordance with the guidelines contained in DoD Instruction 8551.1.

DISA Rule

SV-216760r531087_rule

Vulnerability Number

V-216760

Group Title

SRG-NET-000205-RTR-000003

Rule Version

CISC-RT-000320

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

This requirement is not applicable for the DODIN Backbone.

Configure the router to use an inbound ACL on all external interfaces as shown in the example below to restrict traffic in accordance with the guidelines contained in DOD Instruction 8551.1.

RP/0/0/CPU0:R3(config)#ipv4 access-list EXTERNAL_ACL_INBOUND
RP/0/0/CPU0:R3(config-ipv4-acl)#permit tcp host x.11.1.1 eq bgp host x.11.1.2
RP/0/0/CPU0:R3(config-ipv4-acl)#permit tcp host x.11.1.1 host x.11.1.2 eq bgp
RP/0/0/CPU0:R3(config-ipv4-acl)#permit icmp host x.11.1.1 host x.11.1.2 echo
RP/0/0/CPU0:R3(config-ipv4-acl)#permit icmp host x.11.1.1 host x.11.1.2 echo-reply
RP/0/0/CPU0:R3(config-ipv4-acl)#deny ip any host x.11.1.1 log-input
RP/0/0/CPU0:R3(config-ipv4-acl)#permit tcp any host x.12.1.22 eq www
RP/0/0/CPU0:R3(config-ipv4-acl)#permit tcp any any established

… < must be in accordance with DoD Instruction 8551.1>

RP/0/0/CPU0:R3(config-ipv4-acl)#deny ip any any log-input
RP/0/0/CPU0:R3(config-ipv4-acl)#exit

Step 2: Apply the ACL inbound on all applicable interfaces.

RP/0/0/CPU0:R3(config)#int g0/0/0/1
RP/0/0/CPU0:R3(config-if)#ipv4 access-group EXTERNAL_ACL_INBOUND in
RP/0/0/CPU0:R3(config-if)#end

Check Contents

This requirement is not applicable for the DODIN Backbone.

Review the router configuration to verify that the ingress ACL is in accordance with DoD 8551.1.

Step 1: Verify that an inbound ACL is configured on all external interfaces.

interface GigabitEthernet0/0/0/1
ipv4 address x.11.1.2 255.255.255.252
ipv4 access-group EXTERNAL_ACL_INBOUND ingress

Step 2. Review the inbound ACL to verify that it is filtering traffic in accordance with DoD 8551.1.

ipv4 access-list EXTERNAL_ACL_INBOUND
10 permit tcp host x.11.1.1 eq bgp host x.11.1.2
20 permit tcp host x.11.1.1 host x.11.1.2 eq bgp
30 permit icmp host x.11.1.1 host x.11.1.2 echo
40 permit icmp host x.11.1.1 host x.11.1.2 echo-reply
50 deny ipv4 any host x.11.1.1 log
60 permit tcp any host x.12.1.22 eq www
70 permit tcp any any established

… < must be in accordance with DoD Instruction 8551.1>

160 deny ipv4 any any log-input

If the router does not filter traffic in accordance with the guidelines contained in DoD 8551.1, this is a finding.

Vulnerability Number

V-216760

Documentable

False

Rule Version

CISC-RT-000320

Severity Override Guidance

This requirement is not applicable for the DODIN Backbone.

Review the router configuration to verify that the ingress ACL is in accordance with DoD 8551.1.

Step 1: Verify that an inbound ACL is configured on all external interfaces.

interface GigabitEthernet0/0/0/1
ipv4 address x.11.1.2 255.255.255.252
ipv4 access-group EXTERNAL_ACL_INBOUND ingress

Step 2. Review the inbound ACL to verify that it is filtering traffic in accordance with DoD 8551.1.

ipv4 access-list EXTERNAL_ACL_INBOUND
10 permit tcp host x.11.1.1 eq bgp host x.11.1.2
20 permit tcp host x.11.1.1 host x.11.1.2 eq bgp
30 permit icmp host x.11.1.1 host x.11.1.2 echo
40 permit icmp host x.11.1.1 host x.11.1.2 echo-reply
50 deny ipv4 any host x.11.1.1 log
60 permit tcp any host x.12.1.22 eq www
70 permit tcp any any established

… < must be in accordance with DoD Instruction 8551.1>

160 deny ipv4 any any log-input

If the router does not filter traffic in accordance with the guidelines contained in DoD 8551.1, this is a finding.

Check Content Reference

M

Target Key

4029

Comments