STIGQter: STIG Summary: Cisco IOS-XE Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco switch must be configured to have Internet Control Message Protocol (ICMP) mask reply messages disabled on all external interfaces.

DISA Rule

SV-221001r622190_rule

Vulnerability Number

V-221001

Group Title

SRG-NET-000362-RTR-000114

Rule Version

CISC-RT-000180

Severity

CAT II

CCI(s)

• CCI-002385 - The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards.

Weight

10

Fix Recommendation

Disable ip mask-reply on all external interfaces as shown below:

SW1(config)#int g0/1
SW1(config-if)#no ip mask-reply

Check Contents

Review the switch configuration and verify that ip mask-reply command is not enabled on any external interfaces as shown in the example below:

interface GigabitEthernet0/1
ip address x.x.x.x 255.255.255.0
ip mask-reply

If the ip mask-reply command is configured on any external interface, this is a finding.

Vulnerability Number

V-221001

Documentable

False

Rule Version

CISC-RT-000180

Severity Override Guidance

Review the switch configuration and verify that ip mask-reply command is not enabled on any external interfaces as shown in the example below:

interface GigabitEthernet0/1
ip address x.x.x.x 255.255.255.0
ip mask-reply

If the ip mask-reply command is configured on any external interface, this is a finding.

Check Content Reference

M

Target Key

4074

Comments