Cisco IOS XE Switch RTR Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
Group SRG-NET-000205-RTR-000016

Group SRG-NET-000018-RTR-000008

Group SRG-NET-000193-RTR-000113

Group SRG-NET-000193-RTR-000114

Group SRG-NET-000193-RTR-000112
Rule (Medium Severity): The Cisco switch must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.
DoS is a condition when a resource is not available for legitimate users. Packet flooding distributed denial-of-service (DDoS) attacks are referred to as volumetric attacks and have the objective o...

Group SRG-NET-000019-RTR-000003
Rule (Medium Severity): The Cisco multicast switch must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.
If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel. Limiting where, within the network, a given multic...

Group SRG-NET-000019-RTR-000004

Group SRG-NET-000019-RTR-000005
Rule (Low Severity): The Cisco multicast edge switch must be configured to establish boundaries for administratively scoped multicast traffic.
If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel. Administratively scoped multicast addresses are loc...

Group SRG-NET-000362-RTR-000120
Rule (Low Severity): The Cisco multicast Rendezvous Point (RP) switch must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) source-active entries.
MSDP peering between networks enables sharing of multicast source information. Enclaves with an existing multicast topology using PIM-SM can configure their RP switches to peer with MSDP switches. ...

Group SRG-NET-000019-RTR-000013

Group SRG-NET-000019-RTR-000014
Rule (Low Severity): The Cisco multicast Rendezvous Point (RP) switch must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Cisco switch (DR) for any undesirable multicast groups.
Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial...

Group SRG-NET-000362-RTR-000121

Group SRG-NET-000364-RTR-000114

Group SRG-NET-000364-RTR-000115

Group SRG-NET-000362-RTR-000122

Group SRG-NET-000362-RTR-000123

Group SRG-NET-000364-RTR-000116

Group SRG-NET-000343-RTR-000002
Rule (Medium Severity): The Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to authenticate all received MSDP packets.
MSDP peering with customer network switches presents additional risks to the core, whether from a rogue or misconfigured MSDP-enabled switch. MSDP password authentication is used to validate each s...

Group SRG-NET-000018-RTR-000007

Group SRG-NET-000018-RTR-000009
Rule (Low Severity): The Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to limit the amount of source-active messages it accepts on a per-peer basis.
To reduce any risk of a denial-of-service (DoS) attack from a rogue or misconfigured MSDP switch, the switch must be configured to limit the number of source-active messages it accepts from each peer.

Group SRG-NET-000512-RTR-000011

Group SRG-NET-000512-RTR-000100

Group SRG-NET-000512-RTR-000012

Group SRG-NET-000512-RTR-000013

Group SRG-NET-000512-RTR-000014

Group SRG-NET-000364-RTR-000200

Group SRG-NET-000364-RTR-000201

Group SRG-NET-000364-RTR-000202
Rule (Medium Severity): The Cisco perimeter switch must be configured to drop IPv6 packets containing a Hop-by-Hop header with invalid option type values.
These options are intended to be for the Destination Options header only. The optional and extensible nature of the IPv6 extension headers requires higher scrutiny since many implementations do not...

Group SRG-NET-000364-RTR-000203

Group SRG-NET-000364-RTR-000204
Rule (Medium Severity): The Cisco perimeter switch must be configured to drop IPv6 packets containing an extension header with the Endpoint Identification option.
The optional and extensible nature of the IPv6 extension headers requires higher scrutiny since many implementations do not always drop packets with headers that they cannot recognize, and hence coul...

Group SRG-NET-000364-RTR-000205
Rule (Medium Severity): The Cisco perimeter switch must be configured to drop IPv6 packets containing the NSAP address option within the Destination Option header.
The optional and extensible nature of the IPv6 extension headers requires higher scrutiny since many implementations do not always drop packets with headers that they cannot recognize, and hence coul...

Group SRG-NET-000364-RTR-000206

Rule (Medium Severity): The Cisco switch must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.
Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so i...

Rule (Low Severity): The Cisco switch must be configured to have all inactive layer 3 interfaces disabled.
An inactive interface is rarely monitored or controlled and may expose a network to an undetected attack on that interface. Unauthorized personnel with access to the communication facility could ga...

Rule (High Severity): The Cisco switch must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.
The Route Processor (RP) is critical to all network operations because it is the component used to build all forwarding paths for the data plane via control plane processes. It is also instrumental...

Rule (Low Severity): The Cisco switch must be configured to have IP directed broadcast disabled on all interfaces.
An IP directed broadcast is a datagram sent to the broadcast address of a subnet that is not directly attached to the sending machine. The directed broadcast is routed through the network as a unic...

Rule (Low Severity): The Cisco switch must be configured to log all packets that have been dropped at interfaces via an ACL.
Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done or attempted to be done, and by whom, to compile an accurate ...

Rule (Medium Severity): The Cisco switch must be configured to produce audit records containing information to establish where the events occurred.
Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In order to compile an accurate risk assessment ...

Rule (Low Severity): The Cisco switch must be configured to disable the auxiliary port unless it is connected to a secured modem providing encryption and authentication.
The use of POTS lines to modems connecting to network devices provides clear text of authentication traffic over commercial circuits that could be captured and used to compromise the network. Addit...

Rule (Medium Severity): The Cisco perimeter switch must be configured to only allow incoming communications from authorized sources to be routed to authorized destinations.
Unrestricted traffic may contain malicious traffic that poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth a...