STIGQter: STIG Summary: Cisco IOS Router RTR Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Oct 2020

The Cisco BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM).

DISA Rule

SV-216991r531085_rule

Vulnerability Number

V-216991

Group Title

SRG-NET-000362-RTR-000124

Rule Version

CISC-RT-000470

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure TTL security on all external BGP neighbors as shown in the example below.

R1(config)#router bgp xx
R1(config-router)#neighbor x.1.1.9 ttl-security hops 1
R1(config-router)#neighbor x.2.1.7 ttl-security hops 1

Check Contents

Review the BGP configuration to verify that TTL security has been configured for each external neighbor as shown in the example below.

router bgp xx
no synchronization
bgp log-neighbor-changes
neighbor x.1.1.9 remote-as yy
neighbor x.1.1.9 password xxxxxxxx
neighbor x.1.1.9 ttl-security hops 1
neighbor x.2.1.7 remote-as zz
neighbor x.2.1.7 password xxxxxxxx
neighbor x.2.1.7 ttl-security hops 1

If the router is not configured to use GTSM for all external BGP (eBGP) peering sessions, this is a finding.
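The check above applied to a saved "show running-config | section router bgp" capture, as an added example that is not part of the STIG or of STIGQter: it identifies external neighbors (remote-as differs from the local AS) and reports those without ttl-security. The sample configuration, AS numbers and addresses are constructed for illustration.

```python
import re

# Constructed sample of a "router bgp" section; AS numbers and addresses are made up.
SAMPLE_CONFIG = """\
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 neighbor 192.0.2.9 remote-as 65002
 neighbor 192.0.2.9 password xxxxxxxx
 neighbor 192.0.2.9 ttl-security hops 1
 neighbor 198.51.100.7 remote-as 65003
 neighbor 198.51.100.7 password xxxxxxxx
 neighbor 10.0.0.5 remote-as 65001
"""

def parse_bgp_neighbors(config: str):
    """Return (local_as, {neighbor: {'remote_as': str|None, 'ttl_security': bool}})."""
    local_as = None
    neighbors = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"router bgp (\S+)$", line)
        if m:
            local_as = m.group(1)
            continue
        m = re.match(r"neighbor (\S+) remote-as (\S+)$", line)
        if m:
            neighbors.setdefault(m.group(1), {"remote_as": None, "ttl_security": False})
            neighbors[m.group(1)]["remote_as"] = m.group(2)
            continue
        # "hops N" must match the real distance to the peer; 1 for directly connected peers.
        m = re.match(r"neighbor (\S+) ttl-security hops (\d+)$", line)
        if m:
            neighbors.setdefault(m.group(1), {"remote_as": None, "ttl_security": False})
            neighbors[m.group(1)]["ttl_security"] = True
    return local_as, neighbors

def ebgp_neighbors_without_gtsm(config: str):
    """External neighbors (remote-as != local AS) lacking ttl-security: the finding set."""
    local_as, neighbors = parse_bgp_neighbors(config)
    return sorted(
        addr for addr, n in neighbors.items()
        if n["remote_as"] is not None and n["remote_as"] != local_as and not n["ttl_security"]
    )

if __name__ == "__main__":
    missing = ebgp_neighbors_without_gtsm(SAMPLE_CONFIG)
    print("eBGP neighbors without GTSM:", missing if missing else "none (not a finding)")
```

Neighbors that inherit remote-as or ttl-security from a peer-group or peer template are not resolved by this parser and need manual review.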

Documentable

False

Severity Override Guidance


Check Content Reference

M

Target Key

4027

Comments