Check: CISC-RT-000290
Cisco IOS XE Router RTR STIG:
CISC-RT-000290
(in versions v2 r9 through v1 r1)
Title
The Cisco perimeter router must be configured to not be a Border Gateway Protocol (BGP) peer to an alternate gateway service provider. (Cat I impact)
Discussion
ISPs use BGP to share route information with other autonomous systems (i.e., other ISPs and corporate networks). If the perimeter router were configured to BGP peer with an ISP, NIPRNet routes could be advertised to that ISP, thereby creating a backdoor connection from the Internet to the NIPRNet.
Check Content
This requirement is not applicable for the DODIN Backbone. Review the router configuration and verify that it is not BGP peering with an alternate gateway service provider.

Step 1: Determine the IP address of the ISP router.

interface GigabitEthernet0/2
 description Link to ISP
 ip address x.22.1.15 255.255.255.240

Step 2: Verify that the router is not BGP peering with this router.

router bgp nn
 no synchronization
 bgp log-neighbor-changes
 neighbor x.11.1.7 remote-as nn
 neighbor x.11.1.7 password xxxxxxx
 no auto-summary

In the example above, the router is not peering with the ISP (the BGP neighbor x.11.1.7 is not on the ISP link subnet). If the router is BGP peering with an alternate gateway service provider, this is a finding.
Fix Text
This requirement is not applicable for the DODIN Backbone. Remove any BGP neighbors belonging to the alternate gateway service provider and configure a static route to forward Internet-bound traffic to the alternate gateway, as shown in the example below:

R5(config)#ip route 0.0.0.0 0.0.0.0 x.22.1.14
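The check and fix above can be automated against an exported running-config: find the interface(s) whose description identifies the ISP link, derive the connected subnet, flag any BGP neighbor that falls inside that subnet (a finding), and confirm that a static default route points at the ISP next hop instead. The script below is an added example written for this page, not part of the STIG or any DISA tool. The two config excerpts are constructed samples using documentation address space, and the "ISP" description keyword and the AS numbers are assumptions.

```python
import ipaddress
import re

# Constructed sample running-config excerpts (not from the STIG page).
# Addresses use RFC 5737 documentation space; AS numbers are arbitrary.
COMPLIANT_CONFIG = """\
interface GigabitEthernet0/2
 description Link to ISP
 ip address 203.0.113.15 255.255.255.240
!
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 neighbor 198.51.100.7 remote-as 65002
 neighbor 198.51.100.7 password 7 094F471A1A0A
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 203.0.113.14
"""

# Same ISP link, but the router peers with the ISP next hop: this is a finding.
FINDING_CONFIG = """\
interface GigabitEthernet0/2
 description Link to ISP
 ip address 203.0.113.15 255.255.255.240
!
router bgp 65001
 neighbor 203.0.113.14 remote-as 64496
!
"""

NEIGHBOR_RE = re.compile(r"^ neighbor (\S+) remote-as (\d+)", re.MULTILINE)
DEFAULT_ROUTE_RE = re.compile(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", re.MULTILINE)


def isp_subnets(config, keyword="ISP"):
    """Return the connected subnet of every interface whose description
    mentions `keyword` (assumed convention for naming the ISP link)."""
    subnets = []
    on_isp_interface = False
    for line in config.splitlines():
        if line.startswith("interface "):
            on_isp_interface = False  # new interface stanza resets the flag
        elif line.startswith(" description ") and keyword.lower() in line.lower():
            on_isp_interface = True
        elif on_isp_interface and line.startswith(" ip address "):
            parts = line.split()  # ["ip", "address", addr, mask, ...]
            addr, mask = parts[2], parts[3]
            subnets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return subnets


def bgp_neighbors(config):
    """Map each configured BGP neighbor address to its remote AS."""
    return {ip: int(asn) for ip, asn in NEIGHBOR_RE.findall(config)}


def audit(config, keyword="ISP"):
    """Apply the STIG check: any BGP neighbor on the ISP link subnet is a
    finding; a static default route via the ISP subnet is the expected fix."""
    subnets = isp_subnets(config, keyword)
    offending = [
        ip for ip in bgp_neighbors(config)
        if any(ipaddress.ip_address(ip) in net for net in subnets)
    ]
    default_hops = DEFAULT_ROUTE_RE.findall(config)
    default_via_isp = any(
        ipaddress.ip_address(hop) in net for hop in default_hops for net in subnets
    )
    return {
        "isp_subnets": [str(net) for net in subnets],
        "bgp_peers_on_isp_link": offending,   # non-empty => finding
        "default_route_via_isp": default_via_isp,
    }


if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT_CONFIG), ("finding", FINDING_CONFIG)):
        result = audit(cfg)
        status = "FINDING" if result["bgp_peers_on_isp_link"] else "pass"
        print(f"{name}: {status} {result}")
```

The subnet match is deliberately narrower than "any neighbor that is not internal": it reports exactly what the Check Content describes (a peer on the ISP link), so it will not flag legitimate iBGP or partner peers. If the ISP link is not labelled in the interface description, pass the correct keyword or supply the subnet directly.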
Additional Identifiers
Rule ID: SV-216667r531086_rule
Vulnerability ID: V-216667
Group Title: SRG-NET-000019-RTR-000009
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001414 | The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies. |
Controls
Number | Title |
---|---|
AC-4 | Information Flow Enforcement |