Detections
Analytics
CISC-RT-000320 - The Cisco perimeter router must be configured to filter traffic destined to the enclave in accordance with the guidelines contained in DoD Instruction 8551.1.
Information
Vulnerability assessments must be reviewed by the System Administrator, and protocols must be approved by the Information Assurance (IA) staff before entering the enclave.Access control lists (ACLs) are the first line of defense in a layered security approach. They permit authorized packets and deny unauthorized packets based on port or service type. They enhance the posture of the network by not allowing packets to reach a potential target within the security domain. The lists provided are highly susceptible ports and services that should be blocked or limited as much as possible without adversely affecting customer requirements. Auditing packets attempting to penetrate the network but that are stopped by an ACL will allow network administrators to broaden their protective ring and more tightly define the scope of operation.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
This requirement is not applicable for the DODIN Backbone.Configure the router to use an inbound ACL on all external interfaces as shown in the example below to restrict traffic in accordance with the guidelines contained in DOD Instruction 8551.1.
RP/0/0/CPU0:R3(config)#ipv4 access-list EXTERNAL_ACL_INBOUND
RP/0/0/CPU0:R3(config-ipv4-acl)#permit tcp host x.11.1.1 eq bgp host x.11.1.2
RP/0/0/CPU0:R3(config-ipv4-acl)#permit tcp host x.11.1.1 host x.11.1.2 eq bgp
RP/0/0/CPU0:R3(config-ipv4-acl)#permit icmp host x.11.1.1 host x.11.1.2 echo
RP/0/0/CPU0:R3(config-ipv4-acl)#permit icmp host x.11.1.1 host x.11.1.2 echo-reply
RP/0/0/CPU0:R3(config-ipv4-acl)#deny ip any host x.11.1.1 log-input
RP/0/0/CPU0:R3(config-ipv4-acl)#permit tcp any host x.12.1.22 eq www
RP/0/0/CPU0:R3(config-ipv4-acl)#permit tcp any any established
...
... < must be in accordance with DoD Instruction 8551.1>
...
RP/0/0/CPU0:R3(config-ipv4-acl)#deny ip any any log-input
RP/0/0/CPU0:R3(config-ipv4-acl)#exit
Step 2: Apply the ACL inbound on all applicable interfaces.
RP/0/0/CPU0:R3(config)#int g0/0/0/1
RP/0/0/CPU0:R3(config-if)#ipv4 access-group EXTERNAL_ACL_INBOUND in
RP/0/0/CPU0:R3(config-if)#end
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_NX-OS_Switch_Y24M10_STIG.zip
Item Details
Audit Name: DISA STIG Cisco IOS-XR Router RTR v3r2
Category: SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|SC-7a., CAT|II, CCI|CCI-001097, Rule-ID|SV-216760r1007832_rule, STIG-ID|CISC-RT-000320, STIG-Legacy|SV-105865, STIG-Legacy|V-96727, Vuln-ID|V-216760
Plugin: Cisco
Control ID: 1717c7ad34d46c097e7e59890d73618d9a81b2417bcd5e92626efb16083e22b4