CISC-RT-000280 - The Cisco perimeter router must be configured to protect an enclave connected to an alternate gateway by using an inbound filter that only permits packets with destination addresses within the sites address space.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Enclaves with alternate gateway connections must take additional steps to ensure there is no compromise on the enclave network or NIPRNet. Without verifying the destination address of traffic coming from the site's alternate gateway, the perimeter router could be routing transit data from the Internet into the NIPRNet. This could also make the perimeter router vulnerable to a denial-of-service (DoS) attack as well as provide a back door into the NIPRNet. The DoD enclave must ensure the ingress filter applied to external interfaces on a perimeter router connecting to an Approved Gateway is secure through filters permitting packets with a destination address belonging to the DoD enclave's address block.

Solution

This requirement is not applicable for the DODIN Backbone.

Step 1: Configure the ingress ACL of the perimeter router connected to an alternate gateway to only permit packets with destination addresses of the site's NIPRNet address space or a destination address belonging to the address block assigned by the alternate gateway network service provider as shown in the example below.

RP/0/0/CPU0:R2(config)#ip access-list ISP_ACL_INBOUND
RP/0/0/CPU0:R2(config-ipv4-acl)#permit tcp any any established
RP/0/0/CPU0:R2(config-ipv4-acl)#permit icmp host x.12.1.16 host x.12.1.17 echo
RP/0/0/CPU0:R2(config-ipv4-acl)#permit icmp host x.12.1.16 host x.12.1.17 echo-reply
RP/0/0/CPU0:R2(config-ipv4-acl)#permit tcp any host x.12.1.22 eq www
RP/0/0/CPU0:R2(config-ipv4-acl)#permit tcp any host x.12.1.23 eq www
RP/0/0/CPU0:R2(config-ipv4-acl)#permit 50 any host x.12.1.24
RP/0/0/CPU0:R2(config-ipv4-acl)#permit 51 any host x.12.1.24
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ip any any log-input
RP/0/0/CPU0:R2(config-ipv4-acl)#end

Step 2: Apply the ACL inbound on the ISP-facing interface.

RP/0/0/CPU0:R3(config)#int g0/0/0/2
RP/0/0/CPU0:R3(config-if)#ipv4 access-group ISP_ACL_INBOUND in
RP/0/0/CPU0:R3(config-if)#end

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS-XR_Router_Y24M07_STIG.zip

Item Details

References: CAT|I, CCI|CCI-001414, Rule-ID|SV-216756r531087_rule, STIG-ID|CISC-RT-000280, STIG-Legacy|SV-105857, STIG-Legacy|V-96719, Vuln-ID|V-216756

Plugin: Cisco

Control ID: 0657b682fa942c3f7fcb0408710a5d9ab178e221a25c31cdc9459a7d52e1c429