STIGQter: STIG Summary: Cisco NX-OS Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco perimeter switch must be configured to only allow incoming communications from authorized sources to be routed to authorized destinations.

DISA Rule

SV-221089r622190_rule

Vulnerability Number

V-221089

Group Title

SRG-NET-000364-RTR-000109

Rule Version

CISC-RT-000260

Severity

CAT II

CCI(s)

• CCI-002403 - The information system only allows incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.

Weight

10

Fix Recommendation

Configure the switch to allow only incoming communications from authorized sources to be routed to authorized destinations.

SW2(config)# ip access-list EXTERNAL_ACL
SW2(config-acl)# permit tcp any any established
…
…
…
SW2(config-acl)# permit udp host x.12.1.9 host x.12.1.21 eq ntp
SW2(config-acl)# deny ip any any log
SW2(config-acl)# end

Check Contents

Review the switch configuration to determine if the switch allows only incoming communications from authorized sources to be routed to authorized destinations. The hypothetical example below allows inbound NTP from server x.1.12.9 only to host x.12.1.21.

ip access-list EXTERNAL_ACL
10 permit tcp any any established
20 permit tcp x.11.1.1/32 eq bgp x.11.1.2/32
30 permit tcp x.11.1.1/32 x.11.1.2/32 eq bgp
40 permit icmp x.11.1.1/32 x.11.1.2/32 echo
50 permit icmp x.11.1.1/32 x.11.1.2/32 echo-reply
60 permit tcp any x.11.2.3/32 eq www
70 permit udp x.12.1.9/32 x.12.1.21/32 eq ntp
…
…
…
90 deny ip any any log

If the switch does not restrict incoming communications to allow only authorized sources and destinations, this is a finding.

Vulnerability Number

V-221089

Documentable

False

Rule Version

CISC-RT-000260

Severity Override Guidance

Review the switch configuration to determine if the switch allows only incoming communications from authorized sources to be routed to authorized destinations. The hypothetical example below allows inbound NTP from server x.1.12.9 only to host x.12.1.21.

ip access-list EXTERNAL_ACL
10 permit tcp any any established
20 permit tcp x.11.1.1/32 eq bgp x.11.1.2/32
30 permit tcp x.11.1.1/32 x.11.1.2/32 eq bgp
40 permit icmp x.11.1.1/32 x.11.1.2/32 echo
50 permit icmp x.11.1.1/32 x.11.1.2/32 echo-reply
60 permit tcp any x.11.2.3/32 eq www
70 permit udp x.12.1.9/32 x.12.1.21/32 eq ntp
…
…
…
90 deny ip any any log

If the switch does not restrict incoming communications to allow only authorized sources and destinations, this is a finding.

Check Content Reference

M

Target Key

4075

Comments