
The Cisco ISR 4000 Series router must enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.


Overview

Finding ID   Version          Rule ID           IA Controls   Severity
V-74095      CISR-RT-000001   SV-88769r1_rule                 Medium
Description
Information flow control regulates where authorized information may travel within a network and between interconnected networks. Controlling the flow of network traffic is critical so it does not introduce any unacceptable risk to the network infrastructure or data. An example of a flow control restriction is blocking outside traffic claiming to be from within the organization. For most routers, internal information flow control is a product of system design.
STIG                                                                          Date
Cisco IOS XE Release 3 RTR Security Technical Implementation Guide            2017-06-28

Details

Check Text (C-74181r1_chk)
Review the Cisco ISR 4000 Series router configuration and verify that the external interface blocks inbound traffic with a source IP address belonging to the internal network. The configuration should look similar to the example below where the private IP address space is 1.1.1.0/24:

interface FastEthernet 0/0
 description NIPRNet link
 ip address x.x.x.x 255.255.255.0
 ip access-group INGRESS_ACL in
 ...

ip access-list extended INGRESS_ACL
 deny ip 1.1.1.0 0.0.0.255 any log
 ...

If the external interface of the Cisco ISR 4000 Series router has not been configured to block all inbound packets with a source IP address belonging to the private network, this is a finding.
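
One way to automate this check against a saved running-config (added example, not part of the STIG text; the function names are hypothetical). It goes beyond the literal check by honoring first-match order, so a permit that reaches the internal range ahead of the deny is reported as a finding. It assumes IOS-style indentation of sub-commands and IPv4 entries whose source is "any", "host A" or "A wildcard".

```python
import ipaddress

# Constructed sample modelled on the example above.
SAMPLE = """\
interface FastEthernet 0/0
 ip access-group INGRESS_ACL in
!
ip access-list extended INGRESS_ACL
 deny ip 1.1.1.0 0.0.0.255 any log
 permit ip any any
"""

def section(config, header):
    """Token lists for the indented sub-commands under top-level line `header`."""
    want, body, inside = "".join(header.split()), [], False
    for line in config.splitlines():
        if line[:1].strip():                    # unindented line opens a new section
            inside = "".join(line.split()) == want
        elif inside and line.strip():
            body.append(line.split())
    return body

def source(t):
    """Parse 'action proto SRC ...' tokens into (source network, index of destination)."""
    if t[2] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 3
    if t[2] == "host":
        return ipaddress.ip_network(t[3]), 4
    wild = int(ipaddress.IPv4Address(t[3]))
    if wild & (wild + 1):                       # non-contiguous wildcard: not handled
        return None, 4
    return ipaddress.ip_network(f"{t[2]}/{32 - wild.bit_length()}", strict=False), 4

def blocks_internal(config, interface, internal_cidr):
    """True if the inbound ACL on `interface` denies internal_cidr before any permit matches it."""
    internal = ipaddress.ip_network(internal_cidr)
    acl = next((t[2] for t in section(config, f"interface {interface}")
                if t[:2] == ["ip", "access-group"] and t[3:4] == ["in"]), None)
    if acl is None:
        return False                            # nothing applied inbound
    for t in section(config, f"ip access-list extended {acl}"):
        t = t[1:] if t[0].isdigit() else t      # drop an optional sequence number
        net, dst = source(t) if t[0] in ("deny", "permit") else (None, 0)
        if net is None:
            continue                            # remark, or a wildcard not parsed here
        if t[:2] == ["deny", "ip"] and t[dst:dst + 1] == ["any"] and internal.subnet_of(net):
            return True
        if t[0] == "permit" and internal.overlaps(net):
            return False                        # spoofed internal source permitted first
    return False                                # no explicit deny covering the range
```

Calling blocks_internal(SAMPLE, "FastEthernet 0/0", "1.1.1.0/24") returns True; a False result corresponds to a finding under this check.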
Fix Text (F-80637r1_fix)
Configure the Cisco ISR 4000 Series router to block all inbound packets with a source IP address belonging to the private network. The configuration would look similar to the example below:

interface FastEthernet 0/0
 description NIPRNet link
 ip address x.x.x.x 255.255.255.0
 ip access-group INGRESS_ACL in
 ...

ip access-list extended INGRESS_ACL
 deny ip 1.1.1.0 0.0.0.255 any log
 ...