The Cisco perimeter router must be configured to not be a Border Gateway Protocol (BGP) peer to an approved gateway service provider.

An XCCDF Rule

Details
Profiles

Description

ISPs use BGP to share route information with other autonomous systems (i.e., other ISPs and corporate networks). If the perimeter router was configured to BGP peer with an ISP, NIPRNet routes could be advertised to the ISP, thereby creating a backdoor connection from the internet to the NIPRNet.

ID: SV-216577r1050875_rule
Version: CISC-RT-000290
Severity: High
References: CCI-001414
Updated: about 2 months ago

Remediation Templates

This requirement is not applicable for the DODIN backbone.

Remove any BGP neighbors belonging to the approved gateway service provider and configure a static route to forward internet-bound traffic to the approved gateway as shown in the example below.

R5(config)#ip route 0.0.0.0 0.0.0.0 x.22.1.14

The Cisco perimeter router must be configured to not be a Border Gateway Protocol (BGP) peer to an approved gateway service provider.

Description

Remediation Templates

A Manual Procedure