Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-55775 | SRG-NET-000195-RTR-000086 | SV-70029r1_rule | | Medium |
Description |
---|
Advertisement of routes by an Autonomous System for networks that do not belong to any of its trusted peers pulls traffic away from the authorized network. This causes a DoS on the network that allocated the block of addresses and may cause a DoS on the network that is inadvertently advertising it as the originator. It is also possible that a misconfigured or compromised router within the network could redistribute Interior Gateway Protocol routes into Border Gateway Protocol, thereby leaking internal routes. |
STIG | Date |
---|---|
Router Security Requirements Guide | 2014-11-18 |
Check Text ( C-56341r1_chk ) |
---|
Review the router configuration to verify that Border Gateway Protocol connections are only from known neighbors in a trusted AS by restricting TCP port 179 to specific IP addresses. If the router is not configured to restrict TCP port 179 to specific IP addresses, this is a finding. |
Fix Text (F-60645r1_fix) |
---|
Configure an ingress filter to block any unauthorized BGP connection attempts by restricting TCP port 179 to specific IP addresses (authorized BGP peers). |
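As an added example (not part of the SRG text, and not vendor or DISA code), the following Python script automates the check above against a Cisco IOS-style extended ACL: it parses the ACL, applies first-match evaluation exactly as the router would (including the implicit deny at the end), confirms the ACL is bound inbound on an interface, confirms each authorized peer can still open a session, and then probes every `permit` entry with source addresses it covers that are not authorized peers. The two embedded configurations are constructed samples using RFC 5737 documentation addresses; the ACL name `BGP-INGRESS`, the interface, the peer `192.0.2.10` and the local address `192.0.2.1` are assumptions for the example. The compliant sample is one way to implement the fix text; the second sample is the kind of configuration the check text calls a finding.

```python
import ipaddress
from collections import namedtuple

BGP_PORT = 179
Ace = namedtuple("Ace", "action proto src_net src_mask src_port dst_net dst_mask dst_port")
_ip = lambda text: int(ipaddress.IPv4Address(text))   # dotted quad -> int

# Constructed samples (IOS-style syntax, RFC 5737 addresses). The first implements the fix:
# TCP/179 only to and from one specific peer, other BGP attempts denied, ACL applied inbound.
COMPLIANT_CONFIG = """
ip access-list extended BGP-INGRESS
 permit tcp host 192.0.2.10 host 192.0.2.1 eq bgp
 permit tcp host 192.0.2.10 eq bgp host 192.0.2.1
 deny tcp any any eq bgp log
 deny tcp any eq bgp any log
 permit ip any any
interface GigabitEthernet0/0
 ip access-group BGP-INGRESS in
"""
# The second is a finding: a whole /24 may open sessions, and the trailing permit lets any source in.
NONCOMPLIANT_CONFIG = """
ip access-list extended BGP-INGRESS
 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.1 eq bgp
 permit ip any any
interface GigabitEthernet0/0
 ip access-group BGP-INGRESS in
"""

def _parse_addr(t, i):
    """'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at t[i] -> (net, wildcard, next index)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return _ip(t[i + 1]), 0, i + 2
    return _ip(t[i]), _ip(t[i + 1]), i + 2

def _parse_port(t, i):                                 # optional 'eq <port>'; 'bgp' means 179
    if i < len(t) and t[i] == "eq":
        return (BGP_PORT if t[i + 1] == "bgp" else int(t[i + 1])), i + 2
    return None, i

def parse_config(config, acl_name):
    """Return (ordered entries of acl_name, interfaces on which it is applied inbound)."""
    aces, applied, in_acl, iface = [], [], False, None
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if not raw[0].isspace():                       # stanza header at column 0
            in_acl = t == ["ip", "access-list", "extended", acl_name]
            iface = t[1] if t[0] == "interface" else None
            continue
        if in_acl and t[0] in ("permit", "deny"):
            src_net, src_mask, i = _parse_addr(t, 2)
            src_port, i = _parse_port(t, i)
            dst_net, dst_mask, i = _parse_addr(t, i)
            dst_port, _ = _parse_port(t, i)            # a trailing 'log' keyword is ignored
            aces.append(Ace(t[0], t[1], src_net, src_mask, src_port, dst_net, dst_mask, dst_port))
        elif iface and t == ["ip", "access-group", acl_name, "in"]:
            applied.append(iface)
    return aces, applied

def _match(addr, net, mask):
    return (addr & ~mask & 0xFFFFFFFF) == (net & ~mask & 0xFFFFFFFF)

def evaluate(aces, src, dst, src_port, dst_port):
    """First-match evaluation of one TCP flow; an IOS ACL ends with an implicit deny."""
    for a in aces:
        if (a.proto in ("tcp", "ip") and _match(src, a.src_net, a.src_mask)
                and _match(dst, a.dst_net, a.dst_mask)
                and a.src_port in (None, src_port) and a.dst_port in (None, dst_port)):
            return a.action
    return "deny"

def _sample_sources(ace, authorized):
    """Addresses inside the entry's source range that are not authorized peers."""
    if ace.src_mask == 0:                              # single host
        return [] if ace.src_net in authorized else [ace.src_net]
    base = ace.src_net & ~ace.src_mask & 0xFFFFFFFF    # 'any': a documentation address;
    cands = ([_ip("203.0.113.99")] if ace.src_mask == 0xFFFFFFFF   # a range: its first two hosts
             else [base | (ace.src_mask & k) for k in (1, 2)])
    return [c for c in cands if c not in authorized]

def check_bgp_ingress(config, acl_name, local_addr, authorized_peers):
    """Findings for one peering interface (empty list = pass); probes an inbound session
    open and inbound traffic from the source's port 179, so an earlier deny is honoured."""
    aces, applied = parse_config(config, acl_name)
    authorized = {_ip(p) for p in authorized_peers}
    local, eph, findings = _ip(local_addr), 49152, []  # eph: an ephemeral client port
    if not applied:
        findings.append(f"ACL {acl_name} is not applied inbound on any interface")
    for peer in authorized_peers:
        if evaluate(aces, _ip(peer), local, eph, BGP_PORT) != "permit":
            findings.append(f"authorized peer {peer} cannot open a BGP session")
    for ace in aces:
        for src in _sample_sources(ace, authorized) if ace.action == "permit" else []:
            if "permit" in (evaluate(aces, src, local, eph, BGP_PORT),
                            evaluate(aces, src, local, BGP_PORT, eph)):
                findings.append(f"TCP/179 reachable from unauthorized source {ipaddress.IPv4Address(src)}")
    return list(dict.fromkeys(findings))               # de-duplicated, original order
```

Calling `check_bgp_ingress(COMPLIANT_CONFIG, "BGP-INGRESS", "192.0.2.1", ["192.0.2.10"])` returns an empty list, while the same call on `NONCOMPLIANT_CONFIG` reports TCP/179 reachable from `198.51.100.1`, `198.51.100.2` and `203.0.113.99`, which is the finding the check text describes. The script evaluates the ACL in order rather than pattern-matching individual lines, so a `deny tcp any any eq bgp` placed before a broad `permit ip any any` is correctly recognised as blocking unauthorized peers; the sample-source probing is an approximation, and a production audit would also cover IPv6 peers, peer-group or VRF-specific interfaces, and the egress direction.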