Cisco IOS Router RTR Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
The Cisco multicast Designated Router (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join only multicast groups that have been approved by the organization.
Real-time multicast traffic can entail multiple large flows of data. Large unicast flows tend to be fairly isolated (i.e., someone doing a file download here or there), whereas multicast can have b...
Rule - Low Severity
SRG-NET-000364-RTR-000115
Group -
SRG-NET-000362-RTR-000122
Group -
SRG-NET-000362-RTR-000123
Group -
SRG-NET-000364-RTR-000116
Group -
SRG-NET-000343-RTR-000002
Group -
The Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to authenticate all received MSDP packets.
MSDP peering with customer network routers presents additional risks to the core, whether from a rogue or misconfigured MSDP-enabled router. MSDP password authentication is used to validate each se...
Rule - Medium Severity
SRG-NET-000018-RTR-000007
Group -
SRG-NET-000018-RTR-000008
Group -
The Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.
To avoid global visibility of local information, there are a number of source-group (S, G) states in a PIM-SM domain that must not be leaked to another domain, such as multicast sources with privat...
Rule - Low Severity
SRG-NET-000018-RTR-000009
Group -
SRG-NET-000512-RTR-000011
Group -
SRG-NET-000205-RTR-000014
Group -
SRG-NET-000205-RTR-000015
Group -
The Cisco perimeter router must be configured to block all packets with any IP options.
Packets with IP options are not fast switched and hence must be punted to the router processor. Hackers who initiate denial-of-service (DoS) attacks on routers commonly send large streams of p...
Rule - Medium Severity
SRG-NET-000362-RTR-000124
Group -
SRG-NET-000230-RTR-000002
Group -
SRG-NET-000205-RTR-000016
Group -
SRG-NET-000512-RTR-000100
Group -
The Cisco router must be configured to have Cisco Express Forwarding enabled.
The Cisco Express Forwarding (CEF) switching mode replaces the traditional Cisco routing cache with a data structure that mirrors the entire system routing table. Because there is no need to build ...
Rule - Medium Severity
SRG-NET-000512-RTR-000012
Group -
SRG-NET-000512-RTR-000013
Group -
The Cisco router must not be configured to use IPv6 Site Local Unicast addresses.
As currently defined, site local addresses are ambiguous and can be present in multiple sites. The address itself does not contain any indication of the site to which it belongs. The use of site-lo...
Rule - Medium Severity
SRG-NET-000512-RTR-000014
Group -
The Cisco perimeter router must be configured to suppress Router Advertisements on all external IPv6-enabled interfaces.
Many of the known attacks on stateless autoconfiguration defined in RFC 3756 were already present as IPv4 ARP attacks. To mitigate these vulnerabilities, links that have no hosts connected such as the ...
Rule - Medium Severity
SRG-NET-000364-RTR-000200
Group -
The Cisco perimeter router must be configured to drop IPv6 undetermined transport packets.
One of the fragmentation weaknesses known in IPv6 is the undetermined transport packet. This packet contains an undetermined protocol due to fragmentation. Depending on the length of the IPv6 exten...
Rule - Medium Severity
SRG-NET-000364-RTR-000201
Group -
SRG-NET-000364-RTR-000202
Group -
The Cisco perimeter router must be configured to drop IPv6 packets containing a Hop-by-Hop header with invalid option type values.
These options are intended to be for the Destination Options header only. The optional and extensible natures of the IPv6 extension headers require higher scrutiny since many implementations do not...
Rule - Medium Severity
SRG-NET-000364-RTR-000203
Group -
SRG-NET-000364-RTR-000204
Group -
The Cisco perimeter router must be configured to drop IPv6 packets containing an extension header with the Endpoint Identification option.
The optional and extensible natures of the IPv6 extension headers require higher scrutiny since many implementations do not always drop packets with headers that they cannot recognize, and hence coul...
Rule - Medium Severity
SRG-NET-000364-RTR-000205
Group -
The Cisco perimeter router must be configured to drop IPv6 packets containing the NSAP address option within Destination Option header.
The optional and extensible natures of the IPv6 extension headers require higher scrutiny since many implementations do not always drop packets with headers that they cannot recognize, and hence coul...
Rule - Medium Severity
SRG-NET-000364-RTR-000206
Group -
The Cisco perimeter router must be configured to drop IPv6 packets containing a Hop-by-Hop or Destination Option extension header with an undefined option type.
The optional and extensible natures of the IPv6 extension headers require higher scrutiny since many implementations do not always drop packets with headers that they cannot recognize, and hence coul...
Rule - Medium Severity
The Cisco router must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.
Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so i...
Rule - Medium Severity
The Cisco router must be configured to enable routing protocol authentication using FIPS 198-1 algorithms with keys not exceeding 180 days of lifetime.
A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to l...
Rule - Medium Severity
The Cisco router must not be configured to have any zero-touch deployment feature enabled when connected to an operational network.
Network devices that are configured via a zero-touch deployment or auto-loading feature can have their startup configuration or image pushed to the device for installation via TFTP or Remote Copy (...
Rule - Medium Severity
The Cisco router must be configured to have IP directed broadcast disabled on all interfaces.
An IP directed broadcast is a datagram sent to the broadcast address of a subnet that is not directly attached to the sending machine. The directed broadcast is routed through the network as a unic...
Rule - Low Severity
The Cisco router must be configured to have Internet Control Message Protocol (ICMP) mask reply messages disabled on all external interfaces.
The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Mask Reply ICMP messag...
Rule - Medium Severity
The Cisco router must be configured to produce audit records containing information to establish where the events occurred.
Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In order to compile an accurate risk assessment ...
Rule - Medium Severity
The Cisco router must be configured to disable the auxiliary port unless it is connected to a secured modem providing encryption and authentication.
The use of POTS lines to modems connecting to network devices provides clear text of authentication traffic over commercial circuits that could be captured and used to compromise the network. Addit...
Rule - Low Severity
The Cisco perimeter router must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.
Information flow control regulates authorized information to travel within a network and between interconnected networks. Controlling the flow of network traffic is critical so it does not introduc...
Rule - Medium Severity
The Cisco perimeter router must be configured to only allow incoming communications from authorized sources to be routed to authorized destinations.
Unrestricted traffic may contain malicious traffic that poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth a...
Rule - Medium Severity
The Cisco perimeter router must be configured to protect an enclave connected to an approved gateway by using an inbound filter that only permits packets with destination addresses within the site's address space.
Enclaves with approved gateway connections must take additional steps to ensure there is no compromise on the enclave network or NIPRNet. Without verifying the destination address of traffic coming...
Rule - High Severity
The Cisco perimeter router must be configured to filter traffic destined to the enclave in accordance with the guidelines contained in DoD Instruction 8551.1.
Vulnerability assessments must be reviewed by the System Administrator, and protocols must be approved by the Information Assurance (IA) staff before entering the enclave. Access control lists (AC...
Rule - Medium Severity
The Cisco perimeter router must be configured to filter egress traffic at the internal interface on an inbound direction.
Access lists are used to separate data traffic into that which it will route (permitted packets) and that which it will not route (denied packets). Secure configuration of routers makes use of acce...
Rule - Medium Severity
The Cisco perimeter router must be configured to have Cisco Discovery Protocol (CDP) disabled on all external interfaces.
CDP is a Cisco proprietary neighbor discovery protocol used to advertise device capabilities, configuration information, and device identity. CDP is media- and protocol-independent as it runs over ...
Rule - Low Severity