
Infrastructure Router Security Technical Implementation Guide Cisco



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-3062 High The network element must be configured to ensure passwords are not viewable when displaying configuration information.
V-3012 High The network element must be password protected.
V-3175 High The network devices must require authentication prior to establishing a management connection for administrative access.
V-3210 High The network element must not use the default or well-known SNMP community strings public and private.
V-3196 High The network element must use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography for any SNMP agent configured on the device.
V-4582 High The network device must require authentication for console access.
V-15434 High The network element’s emergency account must be set to an appropriate authorization level to perform necessary administrative functions when the authentication server is not online.
V-3056 High Group accounts must not be configured for use on the network device.
V-7009 High The IAO/NSO will ensure the lifetime of an MD5 key expiration is set to never expire. The lifetime of the MD5 key will be configured as infinite for route authentication, if supported by the current approved router software version. Note: Only Enhanced Interior Gateway Routing Protocol (EIGRP) and Routing Information Protocol (RIP) Version 2 use key chains.
V-3143 High The network element must not have any default manufacturer passwords.
V-3069 Medium Management connections to a network device must be established using secure protocols with FIPS 140-2 validated cryptographic modules.
V-3021 Medium The network element must only allow SNMP access from addresses belonging to the management network.
V-31285 Medium The network element must authenticate all BGP peers within the same or between autonomous systems (AS).
V-15432 Medium The network element must use two or more authentication servers for the purpose of granting administrative access.
V-3013 Medium The network element must display the DoD approved login banner warning in accordance with the CYBERCOM DTM-08-060 document.
V-5646 Medium The network device must drop half-open TCP connections through filtering thresholds or timeout periods.
V-3014 Medium The network element must timeout management connections for administrative access after 10 minutes or less of inactivity.
V-14669 Medium The administrator must ensure BSD r command services are disabled.
V-28784 Medium A service or feature that calls home to the vendor must be disabled.
V-14693 Medium The network element must be configured to ensure IPv6 Site Local Unicast addresses are not defined in the enclave (FEC0::/10). Note that this consists of all addresses that begin with FEC, FED, FEE and FEF.
V-30577 Medium The administrator must ensure that Protocol Independent Multicast (PIM) is disabled on all interfaces that are not required to support multicast routing.
V-14671 Medium The network element must authenticate all NTP messages received from NTP servers and peers.
V-17835 Medium Traffic entering the tunnels is not restricted to only the authorized management packets based on destination address.
V-17834 Medium An inbound ACL is not configured for the management network sub-interface of the trunk link to block non-management traffic.
V-30744 Medium The administrator must ensure that all L2TPv3 sessions are authenticated prior to transporting traffic.
V-3160 Medium The network element must be running a current and supported operating system with all IAVMs addressed.
V-18790 Medium Default routes must not be directed to the tunnel entry point.
V-3969 Medium The network device must only allow SNMP read-only access.
V-5611 Medium The network element must only allow management connections for administrative access from hosts residing in the management network.
V-3967 Medium The network element must time out access to the console port after 10 minutes or less of inactivity.
V-3966 Medium In the event the authentication server is down or unavailable, there must only be one local account created for emergency use.
V-19188 Medium The router must have control plane protection enabled.
V-17821 Medium The network element’s OOBM interface must be configured with an OOBM network address.
V-17822 Medium The management interface is not configured with both an ingress and egress ACL.
V-14717 Medium The network element must not use SSH Version 1 for administrative access.
V-17815 Medium IGP instances configured on the OOBM gateway router do not peer only with their appropriate routing domain.
V-17814 Medium Gateway configuration at the remote VPN end-point is not a mirror of the local gateway.
V-17817 Medium Traffic from the managed network is able to access the OOBM gateway router.
V-17816 Medium The routes from the two IGP domains are redistributed to each other.
V-17819 Medium Management network traffic is leaking into the managed network.
V-17818 Medium Traffic from the managed network will leak into the management network via the gateway router interface connected to the OOBM backbone.
V-30578 Medium The administrator must ensure that a PIM neighbor filter is bound to all interfaces that have PIM enabled.
V-3057 Medium Authorized accounts must be assigned the least privilege level necessary to perform assigned duties.
V-15288 Medium ISATAP tunnels must terminate at an interior router.
V-3058 Medium Unauthorized accounts must not be configured for access to the network device.
V-3043 Medium The network element must use different SNMP community names or groups for various levels of read and write access.
V-14705 Medium The administrator will enable CEF to improve router stability during a SYN flood attack in an IPv6 enclave.
V-14707 Medium The network element must be configured to reject any outbound IP packet that contains an illegitimate address in the source address field, via an egress ACL or by enabling Unicast Reverse Path Forwarding, in an IPv6 enclave.
V-5645 Medium Cisco Express Forwarding (CEF) must be enabled on all supported Cisco Layer 3 IP devices.
V-5613 Medium The network element must be configured for a maximum number of unsuccessful SSH login attempts set at 3 before resetting the interface.
V-5612 Medium The network element must be configured to timeout after 60 seconds or less for incomplete or broken SSH sessions.
V-18522 Medium Server VLAN interfaces must be protected by restrictive ACLs using a deny-by-default security posture.
V-5618 Medium The router must have gratuitous ARP disabled.
V-3085 Medium The network element must have HTTP service for administrative access disabled.
V-3080 Medium The router must have configuration auto-loading disabled.
V-3081 Medium The router must have IP source routing disabled.
V-30660 Medium The administrator must ensure the 6-to-4 router is configured to drop any IPv4 packets with protocol 41 received from the internal network.
V-3034 Medium The network element must authenticate all IGP peers.
V-17754 Medium Management traffic is not restricted to only the authorized management packets based on destination and source IP address.
V-3008 Medium The IAO will ensure IPSec VPNs are established as tunnel type VPNs when transporting management traffic across an ip backbone network.
V-3079 Low The network element must have the Finger service disabled.
V-3078 Low The network element must have TCP & UDP small servers disabled.
V-14667 Low The network element must not be configured with rotating keys used for authenticating IGP peers that have a duration exceeding 180 days.
V-3070 Low The network element must log all attempts to establish a management connection for administrative access.
V-3072 Low The network element’s running configuration must be synchronized with the startup configuration after changes have been made and implemented.
V-30617 Low The administrator must ensure that the maximum hop limit is at least 32.
V-4584 Low The network element must log all messages except debugging and send all log data to a syslog server.
V-14672 Low The router must use its loopback or OOB management interface address as the source address when originating TACACS+ or RADIUS traffic.
V-14673 Low The router must use its loopback or OOB management interface address as the source address when originating syslog traffic.
V-14674 Low The router must use its loopback or OOB management interface address as the source address when originating NTP traffic.
V-14675 Low The router must use its loopback or OOB management interface address as the source address when originating SNMP traffic.
V-14676 Low The router must use its loopback or OOB management interface address as the source address when originating NetFlow traffic.
V-14677 Low The network device must use its loopback or OOB management interface address as the source address when originating TFTP or FTP traffic.
V-17837 Low The core router within the managed network has not been configured to provide preferred treatment for management traffic that must traverse several nodes to reach the management network.
V-17836 Low Management traffic is not classified and marked at the nearest upstream MLS or router when management traffic must traverse several nodes to reach the management network.
V-23747 Low The network element must use two or more NTP servers to synchronize time.
V-3020 Low The network element must have DNS servers defined if it is configured as a client resolver.
V-19189 Low The administrator must ensure that multicast routers are configured to establish boundaries for Admin-local or Site-local scope multicast traffic.
V-17823 Low The network element’s management interface is not configured as passive for the IGP instance deployed in the managed network.
V-30736 Low The administrator must ensure the 6-to-4 router is configured to drop any outbound IPv6 packets from the internal network with a source address that is not within the 6to4 prefix 2002:V4ADDR::/48 where V4ADDR is the designated IPv4 6to4 address for the enclave.
V-14681 Low The router must use its loopback interface address as the source address for all iBGP peering sessions.
V-5616 Low The network element must have identification support disabled.
V-5615 Low The network element must have TCP Keep-Alives enabled for TCP sessions.
V-5614 Low The network element must have the PAD service disabled.
V-3086 Low The router must have Bootp service disabled.
V-3083 Low The router must have IP directed broadcast disabled on all layer 3 interfaces.
V-30585 Low The administrator must ensure that multicast groups used for source specific multicast (SSM) routing are from the specific multicast address space reserved for this purpose.
V-7011 Low The network element’s auxiliary port must be disabled unless it is connected to a secured modem providing encryption and authentication.
V-3000 Low The network device must log all access control lists (ACL) deny statements.