Free DISA STIG and SRG Library | Vaulted

V-74095

The Cisco ISRIOS 4000XE Series router must enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.

Finding ID
CISR-RT-000001
Rule ID
SV-88769r1_rule88769r2_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-NET-000019-RTR-000002
CCI
CCI-001414
Target Key
(None)
Documentable
No
Discussion

Information flow control regulates authorized information to travel within a network and between interconnected networks. Controlling the flow of network traffic is critical so it does not introduce any unacceptable risk to the network infrastructure or data. An example of a flow control restriction is blocking outside traffic claiming to be from within the organization. For most routers, internal information flow control is a product of system design.

Fix Text

Configure the Cisco ISRIOS 4000XE Series router to block all inbound packets with a source IP address belonging to the private network. The configuration would look similar to the example below: interface FastEthernet 0/0 description NIPRNet link ip address x.x.x.x 255.255.255.0 ip access-group INGRESS_ACL in ... ip access-list extended INGRESS_ACL deny ip 1.1.1.0 0.0.0.255 any log ...

Check Content

Review the Cisco ISRIOS 4000XE Series router configuration. andVerify verify that the external interface blocks inbound traffic with a source IP address belonging to the internal network. The configuration should look similar to the example below where the private IP address space is 1.1.1.0/24: interface FastEthernet 0/0 description NIPRNet link ip address x.x.x.x 255.255.255.0 ip access-group INGRESS_ACL in ... ip access-list extended INGRESS_ACL deny ip 1.1.1.0 0.0.0.255 any log ... If the external interface of the Cisco ISRIOS 4000XE Series router has not been configured to block all inbound packets with a source IP address belonging to the private network, this is a finding.