Cisco IOS Router RTR STIG Version Comparison

There are 9 differences between versions v3 r2 (Oct. 24, 2024) (the "left" version) and v3 r4 (Oct. 1, 2025) (the "right" version).

Check CISC-RT-000280 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.

The regular view of the left check and right check may be easier to read.

Title

The Cisco perimeter router must be configured to protect an enclave connected to an alternate approved gateway by using an inbound filter that only permits packets with destination addresses within the sites address space.

Check Content

This requirement is not applicable for the DODIN Backbone. Step backbone. Step 1: Verify the interface connecting to ISP has an inbound ACL as shown in the example below. interface GigabitEthernet0/2 description Link to ISP ip address x.22.1.15 255.255.255.240 ip access-group FILTER_ISP in Step 2: Verify that the ACL only allows traffic to specific destination addresses (i.e. (i.e., enclave’s NIPRNet address space) as shown in the example below. ip access-list extended FILTER_ISP permit tcp any any established permit icmp host x.12.1.16 host x.12.1.17 echo permit icmp host x.12.1.16 host x.12.1.17 echo-reply permit tcp any host x.12.1.22 eq www permit tcp any host x.12.1.23 eq www permit 50 any host x.12.1.24 permit 51 any host x.12.1.24 deny ip any any log-input Note: An Approved approved Gateway gateway (AG) is any external connection from a DoD DOD NIPRNet enclave to an Internet internet Service service Provider, provider, or network owned by a contractor, or non-DoD non-DOD federal agency that has been approved by either the DoD DOD CIO or the DoD DOD Component CIO. This AG approved gateway requirement does not apply to commercial cloud connections when the Cloud cloud Service service Provider provider (CSP) network is connected via the NIPRNet Boundary Cloud Access Point (BCAP). If (BCAP). If the ingress ACL bound to the interface connecting to an alternate approved gateway permits packets with addresses other than those specified, such as destination addresses of the site's NIPRNet address space or a destination address belonging to the address block assigned by the alternate approved gateway network service provider, this is a finding.

Discussion

Enclaves with alternate approved gateway connections must take additional steps to ensure there is no compromise on the enclave network or NIPRNet. Without verifying the destination address of traffic coming from the site's alternate approved gateway, the perimeter router could be routing transit data from the Internet internet into the NIPRNet. This could also make the perimeter router vulnerable to a denial-of-service (DoS) attack and as well as provide a back door into the NIPRNet. The DoD DOD enclave must ensure the ingress filter applied to external interfaces on a perimeter router connecting to an Approved approved Gateway gateway is secure through filters permitting packets with a destination address belonging to the DoD DOD enclave's address block.

Fix

This requirement is not applicable for the DODIN Backbone. Configure backbone. Configure the ingress ACL of the perimeter router connected to an alternate approved gateway to only permit packets with destination addresses of the site's NIPRNet address space or a destination address belonging to the address block assigned by the alternate approved gateway network service provider as shown in the example below. R5(config)#ip access-list extended FILTER_ISP R5(config-ext-nacl)#permit tcp any any established R5(config-ext-nacl)#permit icmp host x.12.1.16 host x.12.1.17 echo R5(config-ext-nacl)#permit icmp host x.12.1.16 host x.12.1.17 echo-reply R5(config-ext-nacl)#permit tcp any host x.12.1.22 eq www R5(config-ext-nacl)#permit tcp any host x.12.1.23 eq www R5(config-ext-nacl)#permit 50 any host x.12.1.24 R5(config-ext-nacl)#permit 51 any host x.12.1.24 R5(config-ext-nacl)#deny ip any any log-input R5(config-ext-nacl)#end