CISC-RT-000290 - The Cisco perimeter router must be configured to not be a Border Gateway Protocol (BGP) peer to an alternate gateway service provider.

Information

ISPs use BGP to share route information with other autonomous systems (i.e. other ISPs and corporate networks). If the perimeter router was configured to BGP peer with an ISP, NIPRnet routes could be advertised to the ISP, thereby creating a backdoor connection from the Internet to the NIPRnet.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

This requirement is not applicable for the DODIN Backbone.

Remove any BGP neighbors belonging to the alternate gateway service provider and configure a static route to forward Internet bound traffic to the alternate gateway as shown in the example below:

R5(config)#ip route 0.0.0.0 0.0.0.0 x.22.1.14

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS-XE_Router_Y24M07_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-4, CAT|I, CCI|CCI-001414, Rule-ID|SV-216667r531086_rule, STIG-ID|CISC-RT-000290, STIG-Legacy|SV-106045, STIG-Legacy|V-96907, Vuln-ID|V-216667

Plugin: Cisco

Control ID: 3fc1151ecf111291f09bc031999ab56eccc59b7e89ef8430b75cdc0058d8b45c