The IAO/NSO will ensure the AG network service provider IP addresses are not redistributed into or advertised to the NIPRNet or any router belonging to any other Autonomous System (AS) i.e. to another AG device in another AS.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-4624	NET0166	SV-4624r2_rule		Low

Description
Unsolicited traffic that may inadvertently attempt to enter the NIPRNet by traversing the enclave's premise router can be avoided by not redistributing NIPRNet routes into the AG.

STIG	Date
Perimeter Router Security Technical Implementation Guide Cisco	2018-11-28

Details

Check Text ( C-3395r2_chk )
Review the configuration of the router connecting to the AG and verify that there are no routes being redistributed into the enclave from the AG. Note: An Approved Gateway (AG) is any external connection from a DoD NIPRNet enclave to an Internet Service Provider, or network owned by a contractor, or non-DoD federal agency that has been approved by either the DoD CIO or the DoD Component CIO. This AG requirement does not apply to commercial cloud connections when the Cloud Service Provider (CSP) network is connected via the NIPRNet Boundary Cloud Access Point (BCAP).

Check Text ( C-3395r2_chk )

Review the configuration of the router connecting to the AG and verify that there are no routes being redistributed into the enclave from the AG.

Note: An Approved Gateway (AG) is any external connection from a DoD NIPRNet enclave to an Internet Service Provider, or network owned by a contractor, or non-DoD federal agency that has been approved by either the DoD CIO or the DoD Component CIO. This AG requirement does not apply to commercial cloud connections when the Cloud Service Provider (CSP) network is connected via the NIPRNet Boundary Cloud Access Point (BCAP).

Fix Text (F-4557r1_fix)
Use distribute lists prefix lists to insure AG routes are not redistributed into the NIPRNet BGP or sites IGP (OSPF, EIGRP, RIP, etc).