NET0164 - AG router has a routing protocol to the enclave. - 'Static Router to AG Service Provider'

Information

The IAO/NSO will ensure the premise router does not have a routing protocol session with a peer router belonging to an AS (Autonomous System) of the AG service provider. A static route is the only acceptable route to an AG.

The premise router will not use a routing protocol to advertise NIPRNet addresses to the AG. Most ISPs use Border Gateway Protocol (BGP) to share route information with other autonomous systems (AS), that is, any network under a different administrative control and policy than that of the local site. If BGP is configured on the premise router, no BGP neighbors will be defined as peer routers from an AS belonging to any AG. The only method to be used to reach the AG will be through a static route.

NOTE: Change 'AG_GATEWAY_IP' to the interface address that connects to the AG service provider.
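
An added example (not part of the STIG or of the audit plugin): a Python check that scans a Cisco IOS running-config for BGP neighbors tied to the AG and lists the static routes that use the AG next hop. The sample configurations, AS numbers and addresses are constructed, and treating AG_GATEWAY_IP as the next-hop address on the AG link is an assumption.

```python
import re

# Constructed sample configs; addresses and AS numbers are documentation values.
NONCOMPLIANT = """\
router bgp 64512
 neighbor 10.1.1.1 remote-as 64512
 neighbor 198.51.100.1 remote-as 64496
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
"""
COMPLIANT = """\
router bgp 64512
 neighbor 10.1.1.1 remote-as 64512
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
"""

NEIGHBOR = re.compile(r"neighbor (\S+) remote-as (\d+)")
STATIC = re.compile(r"ip route (\S+ \S+) (\S+)")

def audit_ag_routing(config, ag_gateway_ip, ag_as_numbers):
    """Return (ag_bgp_peers, static_routes_via_ag) for an IOS running-config.

    ag_gateway_ip and ag_as_numbers are site-supplied assumptions: the next-hop
    address on the AG link and the AS numbers owned by the AG provider.
    """
    ag_bgp_peers, static_routes = [], []
    in_bgp = False
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # a top-level line starts a new section
            in_bgp = line.startswith("router bgp ")
            m = STATIC.match(line)
            if m and m.group(2) == ag_gateway_ip:
                static_routes.append(m.group(1))
        elif in_bgp:                         # indented line inside "router bgp"
            m = NEIGHBOR.match(line)
            if m and (m.group(1) == ag_gateway_ip or int(m.group(2)) in ag_as_numbers):
                ag_bgp_peers.append((m.group(1), int(m.group(2))))
    return ag_bgp_peers, static_routes
```

An empty first list means no BGP session to the AG was found; the second list shows the static routes that carry traffic to it.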

Solution

The only method to be used to reach the AG will be through a static route.

See Also

https://iasecontent.disa.mil/stigs/zip/U_Network_Perimeter_Router_L3_Switch_V8R32_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7, CAT|I, Rule-ID|SV-4623r2_rule, STIG-ID|NET0164, Vuln-ID|V-4623

Plugin: Cisco

Control ID: 9a5af034f01b501e39933a9f17ae31b0986e38fccfafe2df0769965d546e3066