STIGQter: STIG Summary: Cisco NX-OS Switch RTR Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Apr 2021

The Cisco switch must be configured to authenticate all routing protocol messages using NIST-validated FIPS 198-1 message authentication code algorithm.

DISA Rule

SV-221075r622190_rule

Vulnerability Number

V-221075

Group Title

SRG-NET-000168-RTR-000078

Rule Version

CISC-RT-000050

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure routing protocol authentication to use a NIST-validated FIPS 198-1 message authentication code algorithm as shown in the example below:

SW1(config)# key chain OSPF_KEY
SW1(config-keychain)# key 1
SW1(config-keychain-key)# key-string xxxxxxxxxxxx
SW1(config-keychain-key)# send-lifetime 00:00:00 Oct 1 2019 23:59:59 Dec 31 2019
SW1(config-keychain-key)# accept-lifetime 00:00:00 Oct 1 2019 01:05:00 Jan 1 2020
SW1(config-keychain-key)# cryptographic-algorithm hmac-sha-256
SW1(config-keychain-key)# key 2
SW1(config-keychain-key)# key-string xxxxxxxxxxxxxx
SW1(config-keychain-key)# send-lifetime 00:00:00 Jan 1 2020 23:59:59 Mar 31 2020
SW1(config-keychain-key)# accept-lifetime 23:55:00 Dec 31 2019 01:05:00 Apr 1 2020
SW1(config-keychain-key)# cryptographic-algorithm hmac-sha-256
SW1(config-keychain-key)# exit
SW1(config-keychain)# exit
SW1(config)# interface ethernet 2/2
SW1(config-if)# ip ospf authentication key-chain OSPF_KEY

Note: each key's accept-lifetime deliberately overlaps the neighbouring key's send-lifetime by a few minutes (key 2 is accepted from 23:55 on Dec 31 while key 1 is still accepted until 01:05 on Jan 1) so that adjacencies survive clock skew between neighbors during the rollover. A gap between accept windows drops the adjacency at the boundary.

Check Contents

Review the switch configuration to verify it is using a NIST-validated FIPS 198-1 message authentication code algorithm to authenticate routing protocol messages. In the running configuration, every key chain referenced by an "ip ospf authentication key-chain" statement must carry "cryptographic-algorithm hmac-sha-256" (or another HMAC-SHA-2 algorithm) on each key; "ip ospf authentication message-digest" or "ip ospf message-digest-key ... md5" is MD5, not an HMAC. On NX-OS, "show key chain" lists each chain's keys with their lifetimes and cryptographic algorithm, and "show ip ospf interface" shows the authentication in effect on each OSPF interface.

OSPF Example

key chain OSPF_KEY
  key 1
    key-string 7 070d2e4e4c10
    accept-lifetime 00:00:00 Oct 01 2019 01:05:00 Jan 01 2020
    send-lifetime 00:00:00 Oct 01 2019 23:59:59 Dec 31 2019
    cryptographic-algorithm hmac-sha-256
  key 2
    key-string 7 0704205e4b07
    accept-lifetime 23:55:00 Dec 31 2019 01:05:00 Apr 01 2020
    send-lifetime 00:00:00 Jan 01 2020 23:59:59 Mar 31 2020
    cryptographic-algorithm hmac-sha-256

interface Ethernet2/2
  no switchport
  ip ospf authentication key-chain OSPF_KEY

Note: on NX-OS, BGP, RIP, EIGRP and IS-IS do not support any FIPS 198-1 HMAC algorithm; their neighbor authentication is limited to MD5 (or plain text), so the HMAC key-chain configuration shown here applies to OSPF only.

If a NIST-validated FIPS 198-1 message authentication code algorithm is not being used to authenticate routing protocol messages, this is a finding.
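The check above is performed by hand against the running configuration. The following Python script is an added example, not part of the STIG or of STIGQter, that automates the same check over a saved "show running-config": it parses key chains and OSPF interfaces (by keyword rather than indentation, so the flattened excerpt above parses too), flags MD5 or missing authentication, flags any key without an accepted HMAC, and also flags key-chain rollover mistakes (a gap between accept-lifetime windows, or no key valid at the reference date). The sample configuration is constructed for the example; the accepted-algorithm set (SHA-2 HMACs only, excluding hmac-sha-1) and the reference date 2020-02-15 are policy assumptions chosen to suit that sample.

```python
import re
from datetime import datetime

# cryptographic-algorithm values accepted as FIPS 198-1 HMACs (policy assumption: SHA-2 only, not hmac-sha-1)
ACCEPTED_HMACS = {"hmac-sha-256", "hmac-sha-384", "hmac-sha-512"}

# Constructed sample config (not from a real device): one compliant interface, one still
# on OSPF MD5, one on a chain whose key 1 has no HMAC and whose accept windows have a gap.
SAMPLE_CONFIG = """\
key chain OSPF_KEY
  key 1
    key-string 7 070d2e4e4c10
    accept-lifetime 00:00:00 Oct 01 2019 01:05:00 Jan 01 2020
    send-lifetime 00:00:00 Oct 01 2019 23:59:59 Dec 31 2019
    cryptographic-algorithm hmac-sha-256
  key 2
    key-string 7 0704205e4b07
    accept-lifetime 23:55:00 Dec 31 2019 01:05:00 Apr 01 2020
    send-lifetime 00:00:00 Jan 01 2020 23:59:59 Mar 31 2020
    cryptographic-algorithm hmac-sha-256
key chain LEGACY_KEY
  key 1
    key-string 7 0704205e4b07
    accept-lifetime 00:00:00 Jan 01 2020 23:59:59 Jan 31 2020
  key 2
    key-string 7 0704205e4b07
    accept-lifetime 00:00:00 Feb 02 2020 infinite
    cryptographic-algorithm hmac-sha-256
interface Ethernet2/2
  ip router ospf 1 area 0.0.0.0
  ip ospf authentication key-chain OSPF_KEY
interface Ethernet2/3
  ip router ospf 1 area 0.0.0.0
  ip ospf authentication message-digest
interface Ethernet2/4
  ip router ospf 1 area 0.0.0.0
  ip ospf authentication key-chain LEGACY_KEY
"""

TIME_RE = re.compile(r"\d{2}:\d{2}:\d{2} [A-Za-z]{3} \d{1,2} \d{4}")

def parse_lifetime(line):
    """(start, end) datetimes from an accept-/send-lifetime line; end is None for 'infinite'."""
    stamps = [datetime.strptime(s, "%H:%M:%S %b %d %Y") for s in TIME_RE.findall(line)]
    return (stamps[0], stamps[1] if len(stamps) > 1 else None) if stamps else None

def parse_config(config):
    """Collect key chains and interfaces. Blocks are found by keyword, not indentation,
    so the flattened 'show run' excerpts in the STIG text parse the same way."""
    chains, interfaces = {}, {}
    chain = key = intf = None
    for words in filter(None, map(str.split, config.splitlines())):  # skip blank lines
        if words[:2] == ["key", "chain"]:
            chain, key, intf = chains.setdefault(words[2], {}), None, None
        elif words[0] == "interface":
            intf = interfaces.setdefault(words[1], {"ospf": False, "auth": None, "chain": None})
            chain = key = None
        elif chain is not None and words[0] == "key" and len(words) == 2:
            key = chain.setdefault(int(words[1]), {"alg": None, "accept": None})
        elif key is not None and words[0] == "accept-lifetime":
            key["accept"] = parse_lifetime(" ".join(words))
        elif key is not None and words[0] == "cryptographic-algorithm":
            key["alg"] = words[1].lower()
        elif intf is not None and words[:3] == ["ip", "router", "ospf"]:
            intf["ospf"] = True
        elif intf is not None and words[:3] == ["ip", "ospf", "authentication"]:
            if len(words) > 4 and words[3] == "key-chain":
                intf["auth"], intf["chain"] = "key-chain", words[4]
            else:  # 'message-digest' (MD5) or bare 'ip ospf authentication' (plain text)
                intf["auth"] = "md5" if "message-digest" in words else "simple"
    return chains, interfaces

def check_chain(chains, name, as_of):
    """Per-chain checks: accepted HMAC on every key, overlapping accept windows, a key valid at as_of."""
    keys = chains.get(name)
    if keys is None:
        return [f"key chain {name} is referenced but not defined"]
    msgs = [f"key chain {name} key {kid}: cryptographic-algorithm is {k['alg'] or 'unset'}"
            for kid, k in sorted(keys.items()) if k["alg"] not in ACCEPTED_HMACS]
    windows = sorted((k["accept"] for k in keys.values() if k["accept"]), key=lambda w: w[0])
    for (_, end1), (start2, _) in zip(windows, windows[1:]):
        if end1 is not None and start2 > end1:  # adjacency would drop between the two windows
            msgs.append(f"key chain {name}: accept-lifetime gap between {end1} and {start2}")
    if windows and not any(s <= as_of and (e is None or as_of <= e) for s, e in windows):
        msgs.append(f"key chain {name}: no key valid at {as_of}")
    return msgs

def audit(config, as_of=datetime(2020, 2, 15)):  # as_of: assumed reference date matching the sample
    """(interface, finding) pairs for OSPF-enabled interfaces that fail CISC-RT-000050."""
    chains, interfaces = parse_config(config)
    findings = []
    for name, intf in sorted((n, i) for n, i in interfaces.items() if i["ospf"]):
        if intf["auth"] is None:
            findings.append((name, "OSPF enabled with no authentication"))
        elif intf["auth"] != "key-chain":
            findings.append((name, f"OSPF authentication mode '{intf['auth']}' is not a FIPS 198-1 HMAC"))
        else:
            findings.extend((name, m) for m in check_chain(chains, intf["chain"], as_of))
    return findings
```

Run it as audit(open("switch.cfg").read(), datetime.now()) against a real export; on the sample it reports Ethernet2/3 (MD5) and two findings on Ethernet2/4 (key 1 without an HMAC, and the Jan 31 to Feb 2 gap between accept windows), while Ethernet2/2 with OSPF_KEY passes. The gap and validity checks go beyond the STIG's literal wording: they catch rollover errors that would take the adjacency down rather than weaken it.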

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4075

Comments