Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-4622 | NET0162 | SV-4622r2_rule | High |
Description |
---|
Any enclave with one or more AG connections will have to take additional steps to ensure that neither their network nor the NIPRNet is compromised. Without verifying the destination address of traffic coming from the site’s AG, the premise router could be routing transit data from the Internet into the NIPRNet. This could also make the premise router vulnerable to a DoS attack as well as provide a backdoor into the NIPRNet. The DOD enclave must ensure that the premise router’s ingress packet filter for any interface connected to an AG is configured to only permit packets with a destination address belonging to the DOD enclave’s address block. |
STIG | Date |
---|---|
Perimeter Router Security Technical Implementation Guide Cisco | 2016-12-23 |
Check Text ( C-3389r2_chk ) |
---|
Review the running config of the router that connects to an AG and verify that each permit statement of the ingress ACL is configured to only permit packets with destination addresses of the site’s NIPRNet address space or that belonging to the address block assigned by the AG network service provider. Note: An Approved Gateway (AG) is any external connection from a DoD NIPRNet enclave to an Internet Service Provider, or network owned by a contractor, or non-DoD federal agency that has been approved by either the DoD CIO or the DoD Component CIO. This AG requirement does not apply to commercial cloud connections when the Cloud Service Provider (CSP) network is connected via the NIPRNet Boundary Cloud Access Point (BCAP). |
Fix Text (F-4555r1_fix) |
---|
Insure the ingress ACL for any interface connected to an AAG is configured to only permit packets with a destination address belonging to the sites address block. |