Cisco IOS Switch RTR Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-NET-000018-RTR-000001
Group -
SRG-NET-000168-RTR-000078
Group -
SRG-NET-000019-RTR-000007
Group -
SRG-NET-000362-RTR-000109
Group -
The Cisco switch must not be configured to have any zero-touch deployment feature enabled when connected to an operational network.
Network devices that are configured via a zero-touch deployment or auto-loading feature can have their startup configuration or image pushed to the device for installation via TFTP or Remote Copy (...Rule Medium Severity -
SRG-NET-000362-RTR-000110
Group -
The Cisco switch must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.
The Route Processor (RP) is critical to all network operations because it is the component used to build all forwarding paths for the data plane via control plane processes. It is also instrumental...Rule High Severity -
SRG-NET-000362-RTR-000111
Group -
SRG-NET-000362-RTR-000112
Group -
SRG-NET-000362-RTR-000113
Group -
SRG-NET-000362-RTR-000114
Group -
SRG-NET-000362-RTR-000115
Group -
SRG-NET-000078-RTR-000001
Group -
SRG-NET-000076-RTR-000001
Group -
SRG-NET-000077-RTR-000001
Group -
SRG-NET-000019-RTR-000001
Group -
The Cisco switch must be configured to disable the auxiliary port unless it is connected to a secured modem providing encryption and authentication.
The use of POTS lines to modems connecting to network devices provides clear text of authentication traffic over commercial circuits that could be captured and used to compromise the network. Addit...Rule Low Severity -
SRG-NET-000202-RTR-000001
Group -
SRG-NET-000019-RTR-000002
Group -
The Cisco perimeter switch must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.
Information flow control regulates authorized information to travel within a network and between interconnected networks. Controlling the flow of network traffic is critical so it does not introduc...Rule Medium Severity -
SRG-NET-000364-RTR-000109
Group -
SRG-NET-000364-RTR-000110
Group -
The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes.
Packets with Bogon IP source addresses should never be allowed to traverse the IP core. Bogon IP networks are RFC1918 addresses or address blocks that have never been assigned by the IANA or have b...Rule Medium Severity -
SRG-NET-000205-RTR-000003
Group -
SRG-NET-000205-RTR-000004
Group -
SRG-NET-000205-RTR-000005
Group -
SRG-NET-000364-RTR-000111
Group -
SRG-NET-000364-RTR-000111
Group -
The Cisco perimeter switch must be configured to have Cisco Discovery Protocol (CDP) disabled on all external interfaces.
CDP is a Cisco proprietary neighbor discovery protocol used to advertise device capabilities, configuration information, and device identity. CDP is media-and-protocol-independent as it runs over L...Rule Low Severity -
SRG-NET-000364-RTR-000112
Group -
SRG-NET-000364-RTR-000113
Group -
The Cisco perimeter switch must be configured to block all outbound management traffic.
For in-band management, the management network must have its own subnet in order to enforce control and access boundaries provided by Layer 3 network nodes, such as switches and firewalls. Manageme...Rule Medium Severity -
SRG-NET-000205-RTR-000012
Group -
SRG-NET-000343-RTR-000001
Group -
The Cisco PE switch providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm.
LDP provides the signaling required for setting up and tearing down pseudowires (virtual circuits used to transport Layer 2 frames) across an MPLS IP core network. Using a targeted LDP session, eac...Rule Medium Severity -
SRG-NET-000205-RTR-000007
Group -
SRG-NET-000205-RTR-000008
Group -
SRG-NET-000193-RTR-000113
Group -
SRG-NET-000193-RTR-000114
Group -
SRG-NET-000193-RTR-000112
Group -
SRG-NET-000019-RTR-000003
Group -
SRG-NET-000019-RTR-000004
Group -
SRG-NET-000019-RTR-000005
Group -
The Cisco multicast edge switch must be configured to establish boundaries for administratively scoped multicast traffic.
If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel. Administrative scoped multicast addresses are lo...Rule Low Severity -
SRG-NET-000364-RTR-000114
Group -
The Cisco multicast Designated switch (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join only multicast groups that have been approved by the organization.
Real-time multicast traffic can entail multiple large flows of data. Large unicast flows tend to be fairly isolated (i.e., someone doing a file download here or there), whereas multicast can have b...Rule Low Severity -
SRG-NET-000364-RTR-000115
Group -
SRG-NET-000362-RTR-000122
Group -
SRG-NET-000362-RTR-000123
Group -
SRG-NET-000205-RTR-000014
Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.