STIGQter: STIG Summary: Cisco IOS-XE Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco multicast Rendezvous Point (RP) switch must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the Designated switch (DR) for any undesirable multicast groups and sources.

DISA Rule

SV-221057r622190_rule

Vulnerability Number

V-221057

Group Title

SRG-NET-000019-RTR-000013

Rule Version

CISC-RT-000830

Severity

CAT III

CCI(s)

• CCI-001414 - The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.

Weight

10

Fix Recommendation

Configure the switch to filter PIM register messages received from a multicast DR for any undesirable multicast groups and sources. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources x.1.2.6 and x.1.2.7.

SW2(config)#ip access-list extended PIM_REGISTER_FILTER
SW2(config-ext-nacl)#deny ip any 239.5.0.0 0.0.255.255
SW2(config-ext-nacl)#permit ip host x.1.2.6 any
SW2(config-ext-nacl)#permit ip host x.1.2.7 any
SW2(config-ext-nacl)#deny ip any any
SW2(config-ext-nacl)#exit
SW2(config)#ip pim accept-register list PIM_REGISTER_FILTER
SW2(config)#end

Check Contents

Verify that the RP is configured to filter PIM register messages. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources x.1.2.6 and x.1.2.7.

ip pim rp-address 10.1.12.3
ip pim accept-register list PIM_REGISTER_FILTER
…
…
…
ip access-list extended PIM_REGISTER_FILTER
deny ip any 239.5.0.0 0.0.255.255
permit ip host x.1.2.6 any
permit ip host x.1.2.7 any
deny ip any any

If the RP switch peering with PIM-SM switches is not configured with a policy to block registration messages for any undesirable multicast groups and sources, this is a finding.

Vulnerability Number

V-221057

Documentable

False

Rule Version

CISC-RT-000830

Severity Override Guidance

Verify that the RP is configured to filter PIM register messages. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources x.1.2.6 and x.1.2.7.

ip pim rp-address 10.1.12.3
ip pim accept-register list PIM_REGISTER_FILTER
…
…
…
ip access-list extended PIM_REGISTER_FILTER
deny ip any 239.5.0.0 0.0.255.255
permit ip host x.1.2.6 any
permit ip host x.1.2.7 any
deny ip any any

If the RP switch peering with PIM-SM switches is not configured with a policy to block registration messages for any undesirable multicast groups and sources, this is a finding.

Check Content Reference

M

Target Key

4074

Comments