Check: CISC-RT-000470
Cisco NX OS Switch RTR STIG:
CISC-RT-000470
(in versions v2 r3 through v1 r1)
Title
The Cisco BGP switch must be configured to check whether a single-hop eBGP peer is directly connected. (Cat III impact)
Discussion
As described in RFC 3682, GTSM is designed to protect a switch's IP-based control plane from DoS attacks. Many attacks focused on CPU load and line-card overload can be prevented by implementing GTSM on all Exterior Border Gateway Protocol-speaking switches. GTSM is based on the fact that the vast majority of control plane peering is established between adjacent switches; that is, the Exterior Border Gateway Protocol peers are either between connecting interfaces or between loopback interfaces. Since TTL spoofing is considered nearly impossible, a mechanism based on an expected TTL value provides a simple and reasonably robust defense from infrastructure attacks based on forged control plane traffic.
Check Content
Review the BGP configuration to verify that checking whether a single-hop eBGP peer is directly connected. The example below disables this mechanism. router bgp xx router-id 10.1.1.1 neighbor x.1.12.2 remote-as xx disable-connected-check address-family ipv4 unicast Note: BGP triggers a connection check automatically for all eBGP peers that are known to be a single hop away, unless this check is disabled with the disable-connected-check command. BGP does not bring up sessions if the check fails. If the switch is configured to disable checking whether a single-hop eBGP peer is directly connected, this is a finding.
Fix Text
Remove the command that disables checking whether a single-hop eBGP peer is directly connected for all external BGP neighbors as shown in the example below: SW1(config)# router bgp xx SW1(config-router)# neighbor x.1.12.2 SW1(config-router-neighbor)# no disable-connected-check SW1(config-router-neighbor)# end
Additional Identifiers
Rule ID: SV-221101r856661_rule
Vulnerability ID: V-221101
Group Title: SRG-NET-000362-RTR-000124
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002385 |
The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards. |
Controls
Number | Title |
---|---|
SC-5 |
Denial Of Service Protection |