An error occurred:

Check: RCKS-RTR-000120

RUCKUS ICX Router STIG: RCKS-RTR-000120 (in version v1 r1)

Title

The RUCKUS ICX perimeter router must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy. (Cat II impact)

Discussion

Information flow control regulates authorized information to travel within a network and between interconnected networks. Controlling the flow of network traffic is critical so it does not introduce any unacceptable risk to the network infrastructure or data. An example of a flow control restriction is blocking outside traffic claiming to be from within the organization. For most routers, internal information flow control is a product of system design.

Check Content

Check perimeter router configuration for port connected to DISN for access-list filter to control flow of information between interconnected networks in accordance with applicable policy. In this example, SSL traffic is permitted to a specific internal host: interface ethernet 1/1/10 port-name Link_to_DISN ip address x.12.1.10 255.255.255.0 ip access-group Filter_Perimeter in ! ip access-list extended Filter_Perimeter sequence 10 permit tcp any any established sequence 20 permit tcp host x.12.1.9 host x.12.1.10 eq bgp sequence 30 permit tcp host x.12.1.9 eq bgp host x.12.1.10 sequence 40 permit icmp host x.12.1.9 host x.12.1.10 echo sequence 50 permit icmp host x.12.1.9 host x.12.1.10 echo-reply sequence 60 permit tcp any host x.12.1.22 eq ssl sequence 70 deny ip any any log If the router does not enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy, this is a finding.

Fix Text

Configure the router to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy. 1. Configure the access-list. In this example, SSL traffic is permitted to a specific internal host. ip access-list extended Filter_Perimeter sequence 10 permit tcp any any established sequence 20 permit tcp host x.12.1.9 host x.12.1.10 eq bgp sequence 30 permit tcp host x.12.1.9 eq bgp host x.12.1.10 sequence 40 permit icmp host x.12.1.9 host x.12.1.10 echo sequence 50 permit icmp host x.12.1.9 host x.12.1.10 echo-reply sequence 60 permit tcp any host x.12.1.22 eq ssl sequence 70 deny ip any any log 2. Apply access list to external interface. interface ethernet 1/1/10 port-name Link_to_DISN ip address x.12.1.10 255.255.255.0 ip access-group Filter_Perimeter in !

Additional Identifiers

Rule ID: SV-273580r1110910_rule

Vulnerability ID: V-273580

Group Title: SRG-NET-000019-RTR-000002

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001414

Enforce approved authorizations for controlling the flow of information between connected systems based on organization-defined information flow control policies.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-4

Information Flow Enforcement