UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The IAO/NSO will ensure premise router interfaces that connect to an AG (i.e., ISP) are configured with an ingress ACL that only permits packets with destination addresses within the site’s address space.


Overview

Finding ID Version Rule ID IA Controls Severity
V-4622 NET0162 SV-4622r1_rule ECSC-1 High
Description
Any enclave with one or more AG connections will have to take additional steps to ensure that neither their network nor the NIPRNet is compromised. Without verifying the destination address of traffic coming from the site’s AG, the premise router could be routing transit data from the Internet into the NIPRNet. This could also make the premise router vulnerable to a DoS attack as well as provide a backdoor into the NIPRNet. The DOD enclave must ensure that the premise router’s ingress packet filter for any interface connected to an AG is configured to only permit packets with a destination address belonging to the DOD enclave’s address block.
STIG Date
Perimeter Router Security Technical Implementation Guide Cisco 2015-07-01

Details

Check Text ( C-3389r1_chk )
Review the running config of the router that connects to an AG and verify that each permit statement of the ingress ACL is configured to only permit packets with destination addresses of the site’s NIPRNet address space or that belonging to the address block assigned by the AG network service provider.
Fix Text (F-4555r1_fix)
Insure the ingress ACL for any interface connected to an AAG is configured to only permit packets with a destination address belonging to the sites address block.