Cisco IOS Switch RTR Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The Cisco perimeter switch must be configured to deny network traffic by default and allow network traffic by exception.
A deny-all, permit-by-exception network communications traffic policy ensures that only connections that are essential and approved are allowed. This requirement applies to both inbound and outbo...Rule High Severity -
The Cisco perimeter switch must be configured to only allow incoming communications from authorized sources to be routed to authorized destinations.
Unrestricted traffic may contain malicious traffic that poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth a...Rule Medium Severity -
The Cisco perimeter switch must be configured to filter traffic destined to the enclave in accordance with the guidelines contained in DoD Instruction 8551.1.
Vulnerability assessments must be reviewed by the System Administrator, and protocols must be approved by the Information Assurance (IA) staff before entering the enclave. Access control lists (A...Rule Medium Severity -
The Cisco perimeter switch must be configured to filter ingress traffic at the external interface on an inbound direction.
Access lists are used to separate data traffic into that which it will route (permitted packets) and that which it will not route (denied packets). Secure configuration of switches makes use of acc...Rule Medium Severity -
The Cisco perimeter switch must be configured to filter egress traffic at the internal interface on an inbound direction.
Access lists are used to separate data traffic into that which it will route (permitted packets) and that which it will not route (denied packets). Secure configuration of switches makes use of acc...Rule Medium Severity -
The Cisco perimeter switch must be configured to have Link Layer Discovery Protocol (LLDP) disabled on all external interfaces.
LLDP is a neighbor discovery protocol used to advertise device capabilities, configuration information, and device identity. LLDP is media-and-protocol-independent as it runs over Layer 2; therefor...Rule Low Severity -
The Cisco perimeter switch must be configured to have Proxy ARP disabled on all external interfaces.
When Proxy ARP is enabled on a switch, it allows that switch to extend the network (at Layer 2) across multiple interfaces (LAN segments). Because proxy ARP allows hosts from different LAN segments...Rule Medium Severity -
The Cisco switch must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface.
The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface or a standard interface functioning as the man...Rule Medium Severity -
The Cisco PE switch must be configured to block any traffic that is destined to the IP core infrastructure.
IP addresses can be guessed. Core network elements must not be accessible from any external host. Protecting the core from any attack is vital for the integrity and privacy of customer traffic as w...Rule High Severity -
The Cisco PE switch must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode enabled on all CE-facing interfaces.
The uRPF feature is a defense against spoofing and denial-of-service (DoS) attacks by verifying if the source address of any ingress packet is reachable. To mitigate attacks that rely on forged sou...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.