STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Cisco PE router must be configured to block any traffic that is destined to IP core infrastructure.

DISA Rule

SV-216801r531087_rule

Vulnerability Number

V-216801

Group Title

SRG-NET-000205-RTR-000007

Rule Version

CISC-RT-000730

Severity

CAT I

CCI(s)

• CCI-001097 - The information system monitors and controls communications at the external boundary of the information system and at key internal boundaries within the system.

Weight

10

Fix Recommendation

Configure protection for the IP core to be implemented at the edges by blocking any traffic with a destination address assigned to the IP core infrastructure.

Step 1: Configure an ingress ACL to discard and log packets destined to the IP core address space.

RP/0/0/CPU0:R3(config)#Ipv4 access-list BLOCK_TO_CORE
RP/0/0/CPU0:R3(config-ipv4-acl)#deny tcp any any eq tacacs log-input
RP/0/0/CPU0:R3(config-ipv4-acl)#deny ipv4 any 10.1.x.0 0.0.255.255 log-input
RP/0/0/CPU0:R3(config-ipv4-acl)#end

Step 2: Apply the ACL inbound to all external or CE-facing interfaces.

RP/0/0/CPU0:R3(config)#int g1/1/0/0
RP/0/0/CPU0:R3(config-if)#ipv4 access-group BLOCK_TO_CORE in
RP/0/0/CPU0:R3(config-if)#end

Check Contents

Step 1: Review the router configuration to verify that an ingress ACL is applied to all external or CE-facing interfaces.

interface GigabitEthernet1/1/0/0
ipv4 address x.1.12.2 255.255.255.252
ipv4 access-group BLOCK_TO_CORE ingress

Step 2: Verify that the ingress ACL discards and logs packets destined to the IP core address space.

Ipv4 access-list BLOCK_TO_CORE
10 deny ipv4 any 10.1.x.0 0.0.255.255 log-input
20 permit ipv4 any any
!

If the PE router is not configured to block any traffic with a destination address assigned to the IP core infrastructure, this is a finding.

Note: Internet Control Message Protocol (ICMP) echo requests and traceroutes will be allowed to the edge from external adjacent neighbors.

Vulnerability Number

V-216801

Documentable

False

Rule Version

CISC-RT-000730

Severity Override Guidance

Step 1: Review the router configuration to verify that an ingress ACL is applied to all external or CE-facing interfaces.

interface GigabitEthernet1/1/0/0
ipv4 address x.1.12.2 255.255.255.252
ipv4 access-group BLOCK_TO_CORE ingress

Step 2: Verify that the ingress ACL discards and logs packets destined to the IP core address space.

Ipv4 access-list BLOCK_TO_CORE
10 deny ipv4 any 10.1.x.0 0.0.255.255 log-input
20 permit ipv4 any any
!

If the PE router is not configured to block any traffic with a destination address assigned to the IP core infrastructure, this is a finding.

Note: Internet Control Message Protocol (ICMP) echo requests and traceroutes will be allowed to the edge from external adjacent neighbors.

Check Content Reference

M

Target Key

4029

Comments