STIGQter: STIG Summary: Cisco IOS Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco perimeter switch must be configured to block all packets with any IP options.

DISA Rule

SV-220472r622190_rule

Vulnerability Number

V-220472

Group Title

SRG-NET-000205-RTR-000015

Rule Version

CISC-RT-000350

Severity

CAT II

CCI(s)

• CCI-002403 - The information system only allows incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.

Weight

10

Fix Recommendation

Configure the switch to drop all packets with IP options.

SW1(config)#ip access-list extended EXTERNAL_ACL
SW1(config-ext-nacl)#15 deny ip any any option any-options

Check Contents

Review the switch configuration to determine if it will block all packets with IP options.

ip access-list extended EXTERNAL_ACL
permit tcp any any established
deny ip any any option any-options
permit …
…
…
…
deny ip any any log-input

If the switch is not configured to drop all packets with IP options, this is a finding.

Vulnerability Number

V-220472

Documentable

False

Rule Version

CISC-RT-000350

Severity Override Guidance

Review the switch configuration to determine if it will block all packets with IP options.

ip access-list extended EXTERNAL_ACL
permit tcp any any established
deny ip any any option any-options
permit …
…
…
…
deny ip any any log-input

If the switch is not configured to drop all packets with IP options, this is a finding.

Check Content Reference

M

Target Key

4065

Comments