Check: CISR-RT-000001
Cisco ISR 4000 Series RTR STIG:
CISR-RT-000001
(in version v1 r1)
Title
The Cisco ISR 4000 Series router must enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy. (Cat II impact)
Discussion
Information flow control regulates authorized information to travel within a network and between interconnected networks. Controlling the flow of network traffic is critical so it does not introduce any unacceptable risk to the network infrastructure or data. An example of a flow control restriction is blocking outside traffic claiming to be from within the organization. For most routers, internal information flow control is a product of system design.
Check Content
Review the Cisco ISR 4000 Series router configuration and verify that the external interface blocks inbound traffic with a source IP address belonging to the internal network. The configuration should look similar to the example below where the private IP address space is 1.1.1.0/24: interface FastEthernet 0/0 description NIPRNet link ip address x.x.x.x 255.255.255.0 ip access-group INGRESS_ACL in ... ip access-list extended INGRESS_ACL deny ip 1.1.1.0 0.0.0.255 any log ... If the external interface of the Cisco ISR 4000 Series router has not been configured to block all inbound packets with a source IP address belonging to the private network, this is a finding.
Fix Text
Configure the Cisco ISR 4000 Series router to block all inbound packets with a source IP address belonging to the private network. The configuration would look similar to the example below: interface FastEthernet 0/0 description NIPRNet link ip address x.x.x.x 255.255.255.0 ip access-group INGRESS_ACL in ... ip access-list extended INGRESS_ACL deny ip 1.1.1.0 0.0.0.255 any log ...
Additional Identifiers
Rule ID:
Vulnerability ID: V-74095
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001414 |
The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies. |
Controls
Number | Title |
---|---|
AC-4 |
Information Flow Enforcement |