UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Router Security Requirements Guide


Overview

Date Finding Count (28)
2015-09-28 CAT I (High): 0 CAT II (Med): 28 CAT III (Low): 0
STIG Description
The Router Security Requirements Guide (SRG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Sensitive)

Finding ID Severity Title
V-55721 Medium The router must enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.
V-55723 Medium The router must disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.
V-55727 Medium The router must bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled.
V-55729 Medium The router must establish boundaries for IPv6 Admin-Local, IPv6 Site-Local, IPv6 Organization-Local scope, and IPv4 Local-Scope multicast traffic.
V-55741 Medium The router must enforce that Interior Gateway Protocol instances configured on the out-of-band management gateway router only peer with their own routing domain.
V-55747 Medium The router must enforce that the managed network domain and the management network domain are separate routing domains and the Interior Gateway Protocol instances are not redistributed or advertised to each other.
V-55749 Medium The router must enforce that any interface used for out-of-band management traffic is configured to be passive for the Interior Gateway Protocol that is utilized on that management interface.
V-55773 Medium The router must have IP source routing disabled.
V-55771 Medium The router must manage excess bandwidth to limit the effects of packet flooding types of denial of service (DoS) attacks.
V-55777 Medium The router must configure the maximum hop limit value to at least 32.
V-55775 Medium The router must restrict BGP connections to known IP addresses of neighbor routers from trusted Autonomous Systems (AS).
V-55779 Medium The router must stop forwarding traffic or maintain the configured security policies upon the failure of the following actions: system initialization, shutdown, or system abort.
V-55791 Medium The router must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including NSA configuration guides, Communications Tasking Orders (CTOs), and Directive-Type Memorandums (DTMs).
V-55759 Medium The router must be configured so that any key used for authenticating Interior Gateway Protocol peers does not have a duration exceeding 180 days.
V-55735 Medium If Border Gateway Protocol (BGP) is enabled on the router, the router must not be a BGP peer with a router from an Autonomous System belonging to any Alternate Gateway.
V-55763 Medium The router must be configured to disable non-essential capabilities.
V-55739 Medium The router must not redistribute static routes to alternate gateway service provider into an Exterior Gateway Protocol or Interior Gateway Protocol to the NIPRNet or to other Autonomous System.
V-55753 Medium The router must enforce information flow control using explicit security attributes (for example, IP addresses, port numbers, protocol, Autonomous System, or interface) on information, source, and destination objects.
V-55733 Medium The router must protect an enclave connected to an Alternate Gateway by using an inbound filter that only permits packets with destination addresses within the sites address space.
V-55757 Medium The router must enable neighbor router authentication for control plane protocols.
V-55731 Medium The router must be configured so inactive router interfaces are disabled.
V-55765 Medium The router must encrypt all methods of configured authentication for routing protocols.
V-55767 Medium The router must use NIST-validated FIPS 140-2 cryptography to implement authentication encryption mechanisms for routing protocols.
V-55761 Medium The router must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding.
V-55789 Medium The router must fail securely in the event of an operational failure.
V-55785 Medium The router must only allow incoming communications from authorized sources to be routed to authorized destinations.
V-55769 Medium The router must ensure all Exterior Border Gateway Protocol (eBGP) routers are configured to use Generalized TTL Security Mechanism (GTSM).
V-55781 Medium The router must protect against or limit the effects of denial of service (DoS) attacks by employing control plane protection.