NET0162 - AG ingress ACL is not configured to secure enclave - 'Permit AG ACL'

Information

The IAO/NSO will ensure premise router interfaces that connect to an AG (i.e., ISP) are configured with an ingress ACL that only permits packets with destination addresses within the site's address space.

Any enclave with one or more AG connections will have to take additional steps to ensure that neither their network nor the NIPRNet is compromised. Without verifying the destination address of traffic coming from the site's AG, the premise router could be routing transit data from the Internet into the NIPRNet. This could also make the premise router vulnerable to a DoS attack as well as provide a backdoor into the NIPRNet. The DoD enclave must ensure that the premise router's ingress packet filter for any interface connected to an AG is configured to only permit packets with a destination address belonging to the DoD enclave's address block.

NOTE: Change 'AG_INGRESS_ACL_1' to the standard access list number for your organization.
NOTE: Change 'AG_IP_AND_NETMASK' to the approved AG IP and wilcard mask for your organization.

Solution

Insure the ingress ACL for any interface connected to an AAG is configured to only permit packets with a destination address belonging to the sites address block.

See Also

https://iasecontent.disa.mil/stigs/zip/U_Network_Perimeter_Router_L3_Switch_V8R32_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7, CAT|I, Rule-ID|SV-4622r2_rule, STIG-ID|NET0162, Vuln-ID|V-4622

Plugin: Cisco

Control ID: 0e02fb49ac5adfc80cbfaa62e53a99b1439ca170c536effca3e248060366680e