STIGQter: STIG Summary: Cisco NX-OS Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco switch must be configured to use keys with a duration not exceeding 180 days for authenticating routing protocol messages.

DISA Rule

SV-221073r622190_rule

Vulnerability Number

V-221073

Group Title

SRG-NET-000230-RTR-000003

Rule Version

CISC-RT-000030

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.
• CCI-002205 - The information system uniquely identifies and authenticates source by organization, system, application, and/or individual for information transfer.

Weight

10

Fix Recommendation

Configure each key used for routing protocol authentication to have a lifetime of no more than 180 days as shown in the example below:

SW1(config)# key chain OSPF_KEY
SW1(config-keychain)# key 1
SW1(config-keychain-key)# key-string xxxxxxxxxxxx
SW1(config-keychain-key)# send-lifetime 00:00:00 Oct 1 2019 23:59:59 Dec 31 2019
SW1(config-keychain-key)# accept-lifetime 00:00:00 Oct 1 2019 01:05:00 Jan 1 2020
SW1(config-keychain-key)# key 2
SW1(config-keychain-key)# key-string kxxxxxxxxxxxxx
SW1(config-keychain-key)# send-lifetime 00:00:00 Jan 1 2020 23:59:59 Mar 31 2020
SW1(config-keychain-key)# accept-lifetime 23:55:00 Dec 31 2019 01:05:00 Apr 1 2020
SW1(config-keychain-key)# end

Check Contents

Review the start times for each key within the configured key chains used for routing protocol authentication as shown in the example below:

key chain OSPF_KEY
key 1
key-string 7 070d2e4e4c10
accept-lifetime 00:00:00 Oct 01 2019 01:05:00 Jan 01 2020
send-lifetime 00:00:00 Oct 01 2019 23:59:59 Dec 31 2019
key 2
key-string 7 0704205e4b07
accept-lifetime 23:55:00 Dec 31 2019 01:05:00 Apr 01 2020
send-lifetime 00:00:00 Jan 01 2020 23:59:59 Mar 31 2020

Note: Key chains must be configured to authenticate routing protocol messages as it is the only way to set an expiration.

If any key has a lifetime of more than 180 days, this is a finding.

Vulnerability Number

V-221073

Documentable

False

Rule Version

CISC-RT-000030

Severity Override Guidance

Review the start times for each key within the configured key chains used for routing protocol authentication as shown in the example below:

key chain OSPF_KEY
key 1
key-string 7 070d2e4e4c10
accept-lifetime 00:00:00 Oct 01 2019 01:05:00 Jan 01 2020
send-lifetime 00:00:00 Oct 01 2019 23:59:59 Dec 31 2019
key 2
key-string 7 0704205e4b07
accept-lifetime 23:55:00 Dec 31 2019 01:05:00 Apr 01 2020
send-lifetime 00:00:00 Jan 01 2020 23:59:59 Mar 31 2020

Note: Key chains must be configured to authenticate routing protocol messages as it is the only way to set an expiration.

If any key has a lifetime of more than 180 days, this is a finding.

Check Content Reference

M

Target Key

4075

Comments