STIGQter STIGQter: STIG Summary: Cisco IOS-XE Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco switch must be configured to log all packets that have been dropped at interfaces via an ACL.

DISA Rule

SV-221003r622190_rule

Vulnerability Number

V-221003

Group Title

SRG-NET-000078-RTR-000001

Rule Version

CISC-RT-000200

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure ACLs to log packets that are dropped as shown in the example below:

SW1(config)#ip access-list extended INGRESS_FILTER



SW1(config-ext-nacl)#deny ip any any log

Check Contents

Review all ACLs used to filter traffic and verify that packets being dropped at interfaces via an ACL are logged as shown in the configuration below:

ip access-list extended INGRESS_FILTER
permit tcp any any established
permit tcp host x.11.1.1 eq bgp host x.11.1.2
permit tcp host x.11.1.1 host x.11.1.2 eq bgp
permit tcp any host x.11.1.5 eq www
permit icmp host x.11.1.1 host x.11.1.2 echo
permit icmp any any echo-reply



deny ip any any log

If packets being dropped are not logged, this is a finding.

Vulnerability Number

V-221003

Documentable

False

Rule Version

CISC-RT-000200

Severity Override Guidance

Review all ACLs used to filter traffic and verify that packets being dropped at interfaces via an ACL are logged as shown in the configuration below:

ip access-list extended INGRESS_FILTER
permit tcp any any established
permit tcp host x.11.1.1 eq bgp host x.11.1.2
permit tcp host x.11.1.1 host x.11.1.2 eq bgp
permit tcp any host x.11.1.5 eq www
permit icmp host x.11.1.1 host x.11.1.2 echo
permit icmp any any echo-reply



deny ip any any log

If packets being dropped are not logged, this is a finding.

Check Content Reference

M

Target Key

4074

Comments