Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-4622 | NET0162 | SV-4622r1_rule | ECSC-1 | High |
Description |
---|
Any enclave with one or more AG connections will have to take additional steps to ensure that neither their network nor the NIPRNet is compromised. Without verifying the destination address of traffic coming from the site’s AG, the premise router could be routing transit data from the Internet into the NIPRNet. This could also make the premise router vulnerable to a DoS attack as well as provide a backdoor into the NIPRNet. The DOD enclave must ensure that the premise router’s ingress packet filter for any interface connected to an AG is configured to only permit packets with a destination address belonging to the DOD enclave’s address block. |
STIG | Date |
---|---|
Perimeter Router Security Technical Implementation Guide Cisco | 2016-01-04 |
Check Text ( C-3389r1_chk ) |
---|
Review the running config of the router that connects to an AG and verify that each permit statement of the ingress ACL is configured to only permit packets with destination addresses of the site’s NIPRNet address space or that belonging to the address block assigned by the AG network service provider. |
Fix Text (F-4555r1_fix) |
---|
Insure the ingress ACL for any interface connected to an AAG is configured to only permit packets with a destination address belonging to the sites address block. |