DISA STIG Cisco IOS-XR Router RTR v2r1

Audit Details

Name: DISA STIG Cisco IOS-XR Router RTR v2r1

Updated: 4/25/2022

Authority: DISA STIG

Plugin: Cisco

Revision: 1.5

Estimated Item Count: 151

File Details

Filename: DISA_STIG_Cisco_IOS-XR_Router_RTR_v2r1.audit

Size: 556 kB

MD5: f9e7f28de7c05c1c2e95512360fa5d85
SHA256: d169034ade09a36d7b2eaf82b6a6e8ab19a6c892ef29b10ced526c5d5b70d39a

Audit Items

Description | Categories
CISC-RT-000010 - The Cisco router must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies - ip access-group

ACCESS CONTROL

CISC-RT-000010 - The Cisco router must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies - ip access-list extended

ACCESS CONTROL

CISC-RT-000020 - The Cisco router must be configured to implement message authentication for all control plane protocols - BGP

ACCESS CONTROL, CONFIGURATION MANAGEMENT

CISC-RT-000020 - The Cisco router must be configured to implement message authentication for all control plane protocols - EIGRP

ACCESS CONTROL, CONFIGURATION MANAGEMENT

CISC-RT-000020 - The Cisco router must be configured to implement message authentication for all control plane protocols - IS-IS

ACCESS CONTROL, CONFIGURATION MANAGEMENT

CISC-RT-000020 - The Cisco router must be configured to implement message authentication for all control plane protocols - OSPF

ACCESS CONTROL, CONFIGURATION MANAGEMENT

CISC-RT-000020 - The Cisco router must be configured to implement message authentication for all control plane protocols - RIP

ACCESS CONTROL, CONFIGURATION MANAGEMENT

CISC-RT-000030 - The Cisco router must be configured to use keys with a duration not exceeding 180 days for authenticating routing protocol messages.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

CISC-RT-000040 - The Cisco router must be configured to use encryption for routing protocol authentication - BGP

IDENTIFICATION AND AUTHENTICATION

CISC-RT-000040 - The Cisco router must be configured to use encryption for routing protocol authentication - EIGRP

IDENTIFICATION AND AUTHENTICATION

CISC-RT-000040 - The Cisco router must be configured to use encryption for routing protocol authentication - IS-IS

IDENTIFICATION AND AUTHENTICATION

CISC-RT-000040 - The Cisco router must be configured to use encryption for routing protocol authentication - OSPF

IDENTIFICATION AND AUTHENTICATION

CISC-RT-000040 - The Cisco router must be configured to use encryption for routing protocol authentication - RIP

IDENTIFICATION AND AUTHENTICATION

CISC-RT-000050 - The Cisco router must be configured to authenticate all routing protocol messages using NIST-validated FIPS 198-1 message authentication code algorithm.

IDENTIFICATION AND AUTHENTICATION

CISC-RT-000060 - The Cisco router must be configured to have all inactive interfaces disabled.

ACCESS CONTROL

CISC-RT-000070 - The Cisco router must be configured to have all non-essential capabilities disabled.

CONFIGURATION MANAGEMENT

CISC-RT-000080 - The Cisco router must not be configured to have any feature enabled that calls home to the vendor.

SYSTEM AND COMMUNICATIONS PROTECTION

CISC-RT-000130 - The Cisco router must be configured to restrict traffic destined to itself.

SYSTEM AND COMMUNICATIONS PROTECTION

CISC-RT-000140 - The Cisco router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself - external

SYSTEM AND COMMUNICATIONS PROTECTION

CISC-RT-000140 - The Cisco router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself - internal

SYSTEM AND COMMUNICATIONS PROTECTION

CISC-RT-000160 - The Cisco router must be configured to have IP directed broadcast disabled on all interfaces.

SYSTEM AND COMMUNICATIONS PROTECTION

CISC-RT-000170 - The Cisco router must be configured to have Internet Control Message Protocol (ICMP) unreachable messages disabled on all external interfaces - DODIN Backbone

SYSTEM AND COMMUNICATIONS PROTECTION

CISC-RT-000170 - The Cisco router must be configured to have Internet Control Message Protocol (ICMP) unreachable messages disabled on all external interfaces.

SYSTEM AND COMMUNICATIONS PROTECTION

CISC-RT-000180 - The Cisco router must be configured to have Internet Control Message Protocol (ICMP) mask reply messages disabled on all external interfaces.

SYSTEM AND COMMUNICATIONS PROTECTION

CISC-RT-000190 - The Cisco router must be configured to have Internet Control Message Protocol (ICMP) redirect messages disabled on all external interfaces.

SYSTEM AND COMMUNICATIONS PROTECTION

CISC-RT-000200 - The Cisco router must be configured to log all packets that have been dropped at interfaces via ACL.

AUDIT AND ACCOUNTABILITY

CISC-RT-000210 - The Cisco router must be configured to produce audit records containing information to establish where the events occurred.

AUDIT AND ACCOUNTABILITY

CISC-RT-000220 - The Cisco router must be configured to produce audit records containing information to establish the source of the events.

AUDIT AND ACCOUNTABILITY

CISC-RT-000235 - The Cisco router must be configured to have Cisco Express Forwarding enabled - ip

CONFIGURATION MANAGEMENT

CISC-RT-000235 - The Cisco router must be configured to have Cisco Express Forwarding enabled - ipv6

CONFIGURATION MANAGEMENT

CISC-RT-000236 - The Cisco router must be configured to advertise a hop limit of at least 32 in Router Advertisement messages for IPv6 stateless auto-configuration deployments.

CONFIGURATION MANAGEMENT

CISC-RT-000237 - The Cisco router must not be configured to use IPv6 Site Local Unicast addresses.

CONFIGURATION MANAGEMENT

CISC-RT-000240 - The Cisco perimeter router must be configured to deny network traffic by default and allow network traffic by exception - access-group in

SYSTEM AND COMMUNICATIONS PROTECTION

CISC-RT-000240 - The Cisco perimeter router must be configured to deny network traffic by default and allow network traffic by exception - deny rule

SYSTEM AND COMMUNICATIONS PROTECTION

CISC-RT-000250 - The Cisco perimeter router must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.

ACCESS CONTROL

CISC-RT-000260 - The Cisco perimeter router must be configured to only allow incoming communications from authorized sources to be routed to authorized destinations.

SYSTEM AND COMMUNICATIONS PROTECTION

CISC-RT-000270 - The Cisco perimeter router must be configured to block inbound packets with source Bogon IP address prefixes - access-group in

SYSTEM AND COMMUNICATIONS PROTECTION

CISC-RT-000270 - The Cisco perimeter router must be configured to block inbound packets with source Bogon IP address prefixes - deny 0.0.0.0

SYSTEM AND COMMUNICATIONS PROTECTION

CISC-RT-000270 - The Cisco perimeter router must be configured to block inbound packets with source Bogon IP address prefixes - deny 10.0.0.0

SYSTEM AND COMMUNICATIONS PROTECTION

CISC-RT-000270 - The Cisco perimeter router must be configured to block inbound packets with source Bogon IP address prefixes - deny 100.64.0.0

SYSTEM AND COMMUNICATIONS PROTECTION

CISC-RT-000270 - The Cisco perimeter router must be configured to block inbound packets with source Bogon IP address prefixes - deny 127.0.0.0

SYSTEM AND COMMUNICATIONS PROTECTION

CISC-RT-000270 - The Cisco perimeter router must be configured to block inbound packets with source Bogon IP address prefixes - deny 169.254.0.0

SYSTEM AND COMMUNICATIONS PROTECTION

CISC-RT-000270 - The Cisco perimeter router must be configured to block inbound packets with source Bogon IP address prefixes - deny 172.16.0.0

SYSTEM AND COMMUNICATIONS PROTECTION

CISC-RT-000270 - The Cisco perimeter router must be configured to block inbound packets with source Bogon IP address prefixes - deny 192.0.0.0

SYSTEM AND COMMUNICATIONS PROTECTION

CISC-RT-000270 - The Cisco perimeter router must be configured to block inbound packets with source Bogon IP address prefixes - deny 192.0.2.0

SYSTEM AND COMMUNICATIONS PROTECTION

CISC-RT-000270 - The Cisco perimeter router must be configured to block inbound packets with source Bogon IP address prefixes - deny 192.18.0.0

SYSTEM AND COMMUNICATIONS PROTECTION

CISC-RT-000270 - The Cisco perimeter router must be configured to block inbound packets with source Bogon IP address prefixes - deny 192.168.0.0

SYSTEM AND COMMUNICATIONS PROTECTION

CISC-RT-000270 - The Cisco perimeter router must be configured to block inbound packets with source Bogon IP address prefixes - deny 198.51.100.0

SYSTEM AND COMMUNICATIONS PROTECTION

CISC-RT-000270 - The Cisco perimeter router must be configured to block inbound packets with source Bogon IP address prefixes - deny 203.0.113.0

SYSTEM AND COMMUNICATIONS PROTECTION

CISC-RT-000270 - The Cisco perimeter router must be configured to block inbound packets with source Bogon IP address prefixes - deny 224.0.0.0

SYSTEM AND COMMUNICATIONS PROTECTION