STIGQter STIGQter: STIG Summary: Cisco IOS-XE Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco BGP switch must be configured to enable the Generalized TTL Security Mechanism (GTSM).

DISA Rule

SV-221021r622190_rule

Vulnerability Number

V-221021

Group Title

SRG-NET-000362-RTR-000124

Rule Version

CISC-RT-000470

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure TTL security on all external BGP neighbors as shown in the example below:

SW1(config)#router bgp xx
SW1(config-switch)#neighbor x.1.1.9 ttl-security hops 1
SW1(config-switch)#neighbor x.2.1.7 ttl-security hops 1

Check Contents

Review the BGP configuration to verify that TTL security has been configured for each external neighbor as shown in the example below:

router bgp xx
no synchronization
bgp log-neighbor-changes
neighbor x.1.1.9 remote-as yy
neighbor x.1.1.9 password xxxxxxxx
neighbor x.1.1.9 ttl-security hops 1
neighbor x.2.1.7 remote-as zz
neighbor x.2.1.7 password xxxxxxxx
neighbor x.2.1.7 ttl-security hops 1

If the switch is not configured to use GTSM for all Exterior Border Gateway Protocol peering sessions, this is a finding.

Vulnerability Number

V-221021

Documentable

False

Rule Version

CISC-RT-000470

Severity Override Guidance

Review the BGP configuration to verify that TTL security has been configured for each external neighbor as shown in the example below:

router bgp xx
no synchronization
bgp log-neighbor-changes
neighbor x.1.1.9 remote-as yy
neighbor x.1.1.9 password xxxxxxxx
neighbor x.1.1.9 ttl-security hops 1
neighbor x.2.1.7 remote-as zz
neighbor x.2.1.7 password xxxxxxxx
neighbor x.2.1.7 ttl-security hops 1

If the switch is not configured to use GTSM for all Exterior Border Gateway Protocol peering sessions, this is a finding.

Check Content Reference

M

Target Key

4074

Comments