Cisco IOS XR Router NDM Security Technical Implementation Guide

  • Version/Release: V3R1
  • Published: 2024-06-06
  • Released: 2024-07-24
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
b
The Cisco router must be configured to limit the number of concurrent management sessions to an organization-defined number.
AC-10 - Medium - CCI-000054 - V-216522 - SV-216522r960735_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
CISC-ND-000010
Vuln IDs
  • V-216522
  • V-96371
Rule IDs
  • SV-216522r960735_rule
  • SV-105509
Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per administrator based on account type, role, or access type is helpful in limiting risks related to DoS attacks. This requirement addresses concurrent sessions for administrative accounts and does not address concurrent sessions by a single administrator via multiple administrative accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system. At a minimum, limits must be set for SSH, HTTPS, account of last resort, and root account sessions.
Checks: C-17757r288252_chk

Note: This requirement is not applicable to file transfer actions such as FTP, SCP and SFTP. Review the router configuration to determine if concurrent management sessions are limited as show in the example below: ssh server session-limit 2 If the router is not configured to limit the number of concurrent management sessions, this is a finding.

Fix: F-17754r288253_fix

Configure the router to limit the number of concurrent management sessions to an organization-defined number as shown in the example below. RP/0/0/CPU0:R3(config)#ssh server session-limit 2

b
The Cisco router must be configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies.
AC-4 - Medium - CCI-001368 - V-216523 - SV-216523r991929_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-001368
Version
CISC-ND-000140
Vuln IDs
  • V-216523
  • V-96379
Rule IDs
  • SV-216523r991929_rule
  • SV-105517
A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If management information flow is not enforced based on approved authorizations, the network device may become compromised. Information flow control regulates where management information is allowed to travel within a network device. The flow of all management information must be monitored and controlled so it does not introduce any unacceptable risk to the network device or data. Application-specific examples of enforcement occur in systems that employ rule sets or establish configuration settings that restrict information system services or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Applications providing information flow control must be able to enforce approved authorizations for controlling the flow of management information within the system in accordance with applicable policy.
Checks: C-17758r991927_chk

Review the Cisco router configuration to verify that it is compliant with this requirement. Step 1: Verify that the line vty has an ACL inbound applied as shown in the example below. line default access-class ingress MANAGEMENT_NET transport input ssh ! vty-pool default 0 4 Step 2: Verify that the ACL permits only hosts from the management network to access the router. ipv4 access-list MANAGEMENT_NET 10 permit ipv4 10.1.1.0 255.255.255.0 any 20 deny ipv4 any any log-input If the Cisco router is not configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies, this is a finding.

Fix: F-17755r991928_fix

Configure the Cisco router to restrict management access to specific IP addresses via SSH as shown in the example below. RP/0/0/CPU0:ios(config)#ipv4 access-list MANAGEMENT_NET RP/0/0/CPU0:ios(config-ipv4-acl)#permit ipv4 10.1.1.0 255.255.255.0 any RP/0/0/CPU0:ios(config-ipv4-acl)#deny ipv4 any any log-input RP/0/0/CPU0:ios(config-ipv4-acl)#exit RP/0/0/CPU0:R3(config)#vty default 0 4 RP/0/0/CPU0:R3(config)#line default RP/0/0/CPU0:R3(config-line)#transport input ssh RP/0/0/CPU0:R3(config-line)#access-class MANAGEMENT_NET in RP/0/0/CPU0:R3(config-line)#end

b
The Cisco router must be configured to enforce the limit of three consecutive invalid logon attempts after which time lock out the user account from accessing the device for 15 minutes.
AC-7 - Medium - CCI-000044 - V-216524 - SV-216524r960840_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-000044
Version
CISC-ND-000150
Vuln IDs
  • V-216524
  • V-96381
Rule IDs
  • SV-216524r960840_rule
  • SV-105519
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.
Checks: C-17759r288258_chk

The Cisco router is not compliant with this requirement. However, the risk associated with this requirement can be fully mitigated if the router is configured to utilize an authentication server to authenticate and authorize users for administrative access. Review the router configuration to verify that the device is configured to use an authentication server as primary source for authentication as shown in the following example: radius-server host 10.1.3.16 auth-port 1645 acct-port 1646 key xxxxxxxxxx … … … aaa authentication login LOGIN_AUTHENTICATION group radius local line console login authentication LOGIN_AUTHENTICATION ! line default login authentication LOGIN_AUTHENTICATION transport input ssh If the router is not configured to use an authentication server to authenticate and authorize users for administrative access, this is a finding.

Fix: F-17756r288259_fix

Step 1: Configure the router to use an authentication server as shown in the following example: RP/0/0/CPU0:R3(config)#radius-server host 10.1.3.16 key xxxxxxxx Step 2: Configure the authentication order to use the authentication server as primary source for authentication as shown in the following example: RP/0/0/CPU0:R3(config)#aaa authentication login LOGIN_AUTHENTICATION group radius local Step 3: Configure all network connections associated with a device management to use an authentication server for the purpose of login authentication as shown in the following example: RP/0/0/CPU0:R3(config)#line default RP/0/0/CPU0:R3(config-line)#login authentication LOGIN_AUTHENTICATION RP/0/0/CPU0:R3(config-line)#exit RP/0/0/CPU0:R3(config)#line console RP/0/0/CPU0:R3(config-line)#login authentication LOGIN_AUTHENTICATION

b
The Cisco router must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
AC-8 - Medium - CCI-000048 - V-216525 - SV-216525r960843_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000048
Version
CISC-ND-000160
Vuln IDs
  • V-216525
  • V-96383
Rule IDs
  • SV-216525r960843_rule
  • SV-105521
Display of the DoD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users.
Checks: C-17760r288261_chk

Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below. banner login ^C You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. ^C If the Cisco router is not configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device, this is a finding.

Fix: F-17757r288262_fix

Configure the Cisco router to display the Standard Mandatory DoD Notice and Consent Banner before granting access as shown in the following example: RP/0/0/CPU0:R3(config)#banner login # Enter TEXT message. End with the character '#'. You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. # RP/0/0/CPU0:R3(config)#end

b
The Cisco router must be configured to generate audit records when successful/unsuccessful attempts to logon with access privileges occur.
AU-12 - Medium - CCI-000172 - V-216526 - SV-216526r960885_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
CISC-ND-000250
Vuln IDs
  • V-216526
  • V-96393
Rule IDs
  • SV-216526r960885_rule
  • SV-105531
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-17761r288264_chk

Review the Cisco router configuration to verify that it is compliant with this requirement. The configuration example below will log all logon attempts. logging buffered informational logging 10.1.22.2 vrf default severity info If the Cisco router is not configured to generate audit records when successful/unsuccessful attempts to logon, this is a finding.

Fix: F-17758r288265_fix

Configure the Cisco router to log all logon attempts as shown in the example below. RP/0/0/CPU0:R3(config)#logging buffered informational RP/0/0/CPU0:R3(config)#logging 10.1.22.2 severity info

b
The Cisco router must produce audit records containing information to establish when (date and time) the events occurred.
AU-3 - Medium - CCI-000131 - V-216527 - SV-216527r960894_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000131
Version
CISC-ND-000280
Vuln IDs
  • V-216527
  • V-96395
Rule IDs
  • SV-216527r960894_rule
  • SV-105533
It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was done, and by whom it was done in order to compile an accurate risk assessment. Logging the date and time of each detected event provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured network device. In order to establish and correlate the series of events leading up to an outage or attack, it is imperative the date and time are recorded in all log records.
Checks: C-17762r288267_chk

Verify that the router is configured to include the date and time on all log records as shown in the configuration example below. service timestamps log datetime localtime If time stamps are not configured, this is a finding.

Fix: F-17759r288268_fix

Configure the router to include the date and time on all log records as shown in the example below. RP/0/0/CPU0:R3(config)#service timestamps log datetime localtime

b
The Cisco router must produce audit records containing information to establish where the events occurred.
AU-3 - Medium - CCI-000132 - V-216528 - SV-216528r960897_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000132
Version
CISC-ND-000290
Vuln IDs
  • V-216528
  • V-96397
Rule IDs
  • SV-216528r960897_rule
  • SV-105535
In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know where events occurred, such as device hardware components, device software modules, session identifiers, filenames, host names, and functionality. Associating information about where the event occurred within the network device provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured device.
Checks: C-17763r929027_chk

Review the deny statements in all interface ACLs to determine if the log-input parameter has been configured as shown in the example below. Note: log-input can only apply to interface bound ACLs. ipv4 access-list BLOCK_INBOUND 10 deny icmp any any log-input If the router is not configured with the log-input parameter after any deny statements to note where packets have been dropped via an ACL, this is a finding.

Fix: F-17760r288271_fix

Configure the log-input parameter after any deny statements to provide the location as to where packets have been dropped via an ACL. RP/0/0/CPU0:R3(config)#ipv4 access-list BLOCK_INBOUND RP/0/0/CPU0:R3(config-ipv4-acl)#deny icmp any any log-input

c
The Cisco router must be configured to be configured to prohibit the use of all unnecessary and nonsecure functions and services.
CM-7 - High - CCI-000382 - V-216529 - SV-216529r960966_rule
RMF Control
CM-7
Severity
High
CCI
CCI-000382
Version
CISC-ND-000470
Vuln IDs
  • V-216529
  • V-96403
Rule IDs
  • SV-216529r960966_rule
  • SV-105541
Network devices are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the network device must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved. Some network devices have capabilities enabled by default; if these capabilities are not necessary, they must be disabled. If a particular capability is used, then it must be documented and approved.
Checks: C-17764r939996_chk

Verify that the router does not have any unnecessary or nonsecure ports, protocols, and services enabled. For example, the following commands should not be in the configuration: service ipv4 tcp-small-servers max-servers 10 service ipv4 udp-small-servers max-servers 10 http client vrf xxxxx telnet vrf default ipv4 server max-servers 1 service call-home If any unnecessary or nonsecure ports, protocols, or services are enabled, this is a finding.

Fix: F-17761r939997_fix

Disable the following services if enabled as shown in the example below. RP/0/0/CPU0:R3(config)#no service ipv4 tcp-small-servers RP/0/0/CPU0:R3(config)#no service ipv4 udp-small-servers RP/0/0/CPU0:R3(config)#no http client vrf xxxxx RP/0/0/CPU0:R3(config)#no telnet ipv4 server RP/0/0/CPU0:R3(config)#no service call-home

b
The Cisco router must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.
AC-2 - Medium - CCI-001358 - V-216530 - SV-216530r960969_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001358
Version
CISC-ND-000490
Vuln IDs
  • V-216530
  • V-96407
Rule IDs
  • SV-216530r960969_rule
  • SV-105545
Authentication for administrative (privileged level) access to the device is required at all times. An account can be created on the device's local database for use when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is referred to as the account of last resort since it is intended to be used as a last resort and when immediate administrative access is absolutely necessary. The account of last resort logon credentials must be stored in a sealed envelope and kept in a safe. The safe must be periodically audited to verify the envelope remains sealed. The signature of the auditor and the date of the audit should be added to the envelope as a record. An alternative to using a sealed envelope in a safe would be credential files, separated by technology, located in a secured location on a file server, with the files only accessible to those administrators authorized to use the accounts of last resort, and access to that location monitored by a central log server. Administrators should secure the credentials and disable the root account (if possible) when not needed for system administration functions.
Checks: C-17765r288276_chk

Step 1: Review the Cisco router configuration to verify that a local account for last resort has been configured. username xxxxxxxxxxxx group netadmin secret 5 xxxxxxxxxxxxxxxxxxxx Note: The following groups should not be assigned to this local account: root-system and root-lr. A custom group that provides appropriate tasks can be used. Step 2: Verify that local is defined after radius or tacas+ in the authentication order as shown in the example below. aaa authentication login default group tacacs+ local If the Cisco router is not configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable, this is a finding.

Fix: F-17762r288277_fix

Step 1: Configure a local account with the necessary privilege level to troubleshoot network outage and restore operations as shown in the following example: RP/0/0/CPU0:R3(config)#username xxxxxxxxx group netadmin RP/0/0/CPU0:R3(config)#username xxxxxxxxx secret xxxxxx Step 2: Configure the authentication order to use the local account if the authentication server is not reachable as shown in the following example: RP/0/0/CPU0:R3(config)#aaa authentication login default group tacacs+ local

b
The Cisco router must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts.
IA-2 - Medium - CCI-001941 - V-216531 - SV-216531r960993_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-001941
Version
CISC-ND-000530
Vuln IDs
  • V-216531
  • V-96413
Rule IDs
  • SV-216531r960993_rule
  • SV-105551
A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.
Checks: C-17766r288279_chk

Review the router configuration to verify that SSH version 2 is configured as shown in the example below. ssh server v2 Note: IOS XR supports SSHv1 and SSHv2. SSHv1 uses Rivest, Shamir, and Adelman (RSA) keys while SSHv2 uses Digital Signature Algorithm (DSA) keys. If the router is not configured to implement replay-resistant authentication mechanisms for network access to privileged accounts, this is a finding.

Fix: F-17763r288280_fix

Configure the router to use SSH version 2 as shown in the example below. RP/0/0/CPU0:R3(config)#ssh server v2

c
The Cisco router must be configured to terminate all network connections associated with device management after five minutes of inactivity.
SC-10 - High - CCI-001133 - V-216532 - SV-216532r961068_rule
RMF Control
SC-10
Severity
High
CCI
CCI-001133
Version
CISC-ND-000720
Vuln IDs
  • V-216532
  • V-96421
Rule IDs
  • SV-216532r961068_rule
  • SV-105559
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
Checks: C-17767r916290_chk

Review the Cisco router configuration to verify that all network connections associated with a device management have an idle timeout value set to five minutes or less as shown in the following example: line console … … … exec-timeout 5 0 ! line default … … … exec-timeout 5 0 transport input ssh If the Cisco router is not configured to terminate all network connections associated with a device management after five minutes of inactivity, this is a finding.

Fix: F-17764r916291_fix

Set the idle timeout value to five minutes or less on all configured login classes as shown in the example below. RP/0/0/CPU0:R3(config)#line con RP/0/0/CPU0:R3(config-line)#exec-timeout RP/0/0/CPU0:R3(config)#line default RP/0/0/CPU0:R3(config-line)#exec-timeout 5 0

b
The Cisco router must be configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
AU-4 - Medium - CCI-001849 - V-216533 - SV-216533r961392_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001849
Version
CISC-ND-000980
Vuln IDs
  • V-216533
  • V-96443
Rule IDs
  • SV-216533r961392_rule
  • SV-105581
In order to ensure network devices have a sufficient storage capacity in which to write the audit logs, they need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial device setup if it is modifiable. The value for the organization-defined audit record storage requirement will depend on the amount of storage available on the network device, the anticipated volume of logs, the frequency of transfer from the network device to centralized log servers, and other factors.
Checks: C-17768r288285_chk

Verify that the Cisco router is configured with a logging buffer size as well as on the hard drive. The configuration should look like the example below: logging archive device harddisk severity notifications file-size 10 archive-size 100 … … … logging buffered 8888888 If a logging buffer size and the archive size is not configured, this is a finding. If the Cisco router is not configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements, this is a finding.

Fix: F-17765r288286_fix

Configure the logging buffer size as well as the active log file size and the amount of storage to be reserved for archive log files as shown in the example below. RP/0/0/CPU0:R3(config)#logging buffered 8888888 RP/0/0/CPU0:R3(config)#logging archive RP/0/0/CPU0:R3(config-logging-arch)#severity notifications RP/0/0/CPU0:R3(config-logging-arch)#device harddisk RP/0/0/CPU0:R3(config-logging-arch)#archive-size 100 RP/0/0/CPU0:R3(config-logging-arch)#file-size 10 RP/0/0/CPU0:R3(config-logging-arch)#end

b
The Cisco router must be configured to generate an alert for all audit failure events.
AU-5 - Medium - CCI-001858 - V-216534 - SV-216534r991930_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-001858
Version
CISC-ND-001000
Vuln IDs
  • V-216534
  • V-96447
Rule IDs
  • SV-216534r991930_rule
  • SV-105585
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).
Checks: C-17769r288288_chk

Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below. logging 10.1.12.7 vrf default severity critical Note: The parameter "critical" can be replaced with a lesser severity level (i.e., error, warning, notice, informational). If the Cisco router is not configured to generate an alert for all audit failure events, this is a finding.

Fix: F-17766r288289_fix

Configure the Cisco router to send critical to emergency log messages to the syslog server as shown in the example below. RP/0/0/CPU0:R3(config)#logging 10.1.12.7 severity critical Note: The parameter "critical" can replaced with a lesser severity level (i.e., error, warning, notice, informational).

b
The Cisco router must be configured to synchronize its clock with the primary and secondary time sources using redundant authoritative time sources.
- Medium - CCI-004928 - V-216535 - SV-216535r991931_rule
RMF Control
Severity
Medium
CCI
CCI-004928
Version
CISC-ND-001030
Vuln IDs
  • V-216535
  • V-96449
Rule IDs
  • SV-216535r991931_rule
  • SV-105587
The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must utilize an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891. DOD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DOD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.
Checks: C-17770r288291_chk

Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the configuration example below. ntp server x.x.x.x ntp server y.y.y.y If the Cisco router is not configured to synchronize its clock with redundant authoritative time sources, this is a finding.

Fix: F-17767r288292_fix

Configure the Cisco router to synchronize its clock with redundant authoritative time sources as shown in the example below. RP/0/0/CPU0:R3 (config)#ntp server x.x.x.x RP/0/0/CPU0:R3 (config)#ntp server y.y.y.y

b
The Cisco router must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.
AU-8 - Medium - CCI-001889 - V-216536 - SV-216536r961446_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001889
Version
CISC-ND-001040
Vuln IDs
  • V-216536
  • V-96451
Rule IDs
  • SV-216536r961446_rule
  • SV-105589
Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the application include date and time. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks.
Checks: C-17771r288294_chk

Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below. hostname R3 service timestamps log datetime localtime If the router is not configured to record time stamps that meet a granularity of one second, this is a finding.

Fix: F-17768r288295_fix

Configure the Cisco router to record time stamps that meet a granularity of one second as shown in the example below. RP/0/0/CPU0:R3(config)#service timestamps log datetime localtime

b
The Cisco router must be configured to record time stamps for log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
AU-8 - Medium - CCI-001890 - V-216537 - SV-216537r961443_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001890
Version
CISC-ND-001050
Vuln IDs
  • V-216537
  • V-96453
Rule IDs
  • SV-216537r961443_rule
  • SV-105591
If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the application include date and time. Time is commonly expressed in UTC, a modern continuation of GMT, or local time with an offset from UTC.
Checks: C-17772r288297_chk

Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below. hostname R3 clock timezone EST -5 service timestamps log datetime localtime Note: UTC is the default; hence, the command set time-zone may not be seen in the configuration. This can be verified using the show system uptime command. If the router is not configured to record time stamps for audit records that can be mapped to UTC or GMT, this is a finding.

Fix: F-17769r288298_fix

Configure the Cisco router to record time stamps for audit records that can be mapped to UTC or GMT as shown in the example below. RP/0/0/CPU0:R3(config)#clock timezone EST -5 RP/0/0/CPU0:R3(config)#service timestamps log datetime localtime

b
The Cisco router must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).
IA-3 - Medium - CCI-001967 - V-216538 - SV-216538r961506_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-001967
Version
CISC-ND-001130
Vuln IDs
  • V-216538
  • V-96463
Rule IDs
  • SV-216538r961506_rule
  • SV-105601
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Because of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability.
Checks: C-17773r288300_chk

Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below. snmp-server host x.x.x.x traps version 3 auth V3USER snmp-server user V3USER V3GROUP v3 auth sha snmp-server view V3READ iso included snmp-server view V3WRITE iso included snmp-server group V3GROUP v3 auth read V3READ write V3WRITE If the Cisco router is not configured to authenticate SNMP messages using a FIPS-validated HMAC, this is a finding.

Fix: F-17770r288301_fix

Configure the Cisco router to authenticate SNMP messages as shown in the example below. RP/0/0/CPU0:R3(config)#snmp-server group V3GROUP v3 auth read V3READ write V3WRITE RP/0/0/CPU0:R3(config)#snmp-server user V3USER V3GROUP v3 auth sha xxxxxx RP/0/0/CPU0:R3(config)#snmp-server view V3READ iso included RP/0/0/CPU0:R3(config)#snmp-server view V3WRITE iso included RP/0/0/CPU0:R3(config)#snmp-server host x.x.x.x version 3 auth V3USER

b
The Cisco router must be configured to encrypt SNMP messages using a FIPS 140-2 approved algorithm.
AC-17 - Medium - CCI-000068 - V-216539 - SV-216539r961506_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000068
Version
CISC-ND-001140
Vuln IDs
  • V-216539
  • V-96465
Rule IDs
  • SV-216539r961506_rule
  • SV-105603
Without the strong encryption that is provided by the SNMP Version 3 User-based Security Model (USM), an unauthorized user can gain access to network management information that can be used to create a network outage.
Checks: C-17774r288303_chk

Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below. snmp-server host x.x.x.x traps version 3 auth V3USER snmp-server user V3USER V3GROUP v3 auth sha encrypted 110B1607150B snmp-server view V3READ iso included snmp-server view V3WRITE iso included snmp-server group V3GROUP v3 auth read V3READ write V3WRITE If the Cisco router is not configured to encrypt SNMP messages using a FIPS 140-2 approved algorithm, this is a finding.

Fix: F-17771r288304_fix

Configure the Cisco router to encrypt SNMP messages using a FIPS 140-2 approved algorithm as shown in the example below. RP/0/0/CPU0:R3(config)#snmp-server group V3GROUP v3 auth read V3READ write V3WRITE RP/0/0/CPU0:R3(config)#snmp-server user V3USER V3GROUP v3 auth sha xxxxxx priv aes 256 xxxxxx RP/0/0/CPU0:R3(config)#snmp-server view V3READ iso included RP/0/0/CPU0:R3(config)#snmp-server view V3WRITE iso included RP/0/0/CPU0:R3(config)#snmp-server host x.x.x.x version 3 auth V3USER

b
The Cisco router must be configured to authenticate NTP sources using authentication that is cryptographically based.
IA-3 - Medium - CCI-001967 - V-216540 - SV-216540r961506_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-001967
Version
CISC-ND-001150
Vuln IDs
  • V-216540
  • V-96467
Rule IDs
  • SV-216540r961506_rule
  • SV-105605
If Network Time Protocol is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which will make log timestamps inaccurate and affect scheduled actions. NTP authentication is used to prevent this tampering by authenticating the time source.
Checks: C-17775r288306_chk

Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the configuration example below. ntp authentication-key 1 md5 encrypted 030654090416 trusted-key 1 server x.x.x.x key 1 server y.y.y.y key 1 If the Cisco router is not configured to authenticate NTP sources using authentication that is cryptographically based, this is a finding.

Fix: F-17772r288307_fix

Configure the Cisco router to authenticate NTP sources using authentication that is cryptographically based as shown in the example below. RP/0/0/CPU0:R4#ntp authenticate RP/0/0/CPU0:R4#ntp authentication-key 1 md5 xxxxxx RP/0/0/CPU0:R4#ntp trusted-key RP/0/0/CPU0:R4#ntp server x.x.x.x key 1 RP/0/0/CPU0:R4#ntp server y.y.y.y key 1

c
The Cisco router must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.
MA-4 - High - CCI-002890 - V-216541 - SV-216541r961554_rule
RMF Control
MA-4
Severity
High
CCI
CCI-002890
Version
CISC-ND-001200
Vuln IDs
  • V-216541
  • V-96473
Rule IDs
  • SV-216541r961554_rule
  • SV-105611
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Currently, HMAC is the only FIPS-approved algorithm for generating and verifying message/data authentication codes in accordance with FIPS 198-1. Products that are FIPS 140-2 validated will have an HMAC that meets specification; however, the option must be configured for use as the only message authentication code use d for authentication to cryptographic modules.
Checks: C-17776r288309_chk

Review the router configuration to verify that SSH version 2 is configured as shown in the example below. ssh server v2 Note: IOS XR supports SSHv1 and SSHv2. SSHv1 uses Rivest, Shamir, and Adelman (RSA) keys while SSHv2 uses Digital Signature Algorithm (DSA) keys which is FIPS 186-4. If the Cisco router is not configured to use FIPS-validated HMAC to protect the integrity of remote maintenance sessions, this is a finding.

Fix: F-17773r288310_fix

Configure the router to use SSH version 2 as shown in the example below. RP/0/0/CPU0:R3(config)#ssh server v2

c
The Cisco router must be configured to implement cryptographic mechanisms to protect the confidentiality of remote maintenance sessions.
MA-4 - High - CCI-003123 - V-216542 - SV-216542r961557_rule
RMF Control
MA-4
Severity
High
CCI
CCI-003123
Version
CISC-ND-001210
Vuln IDs
  • V-216542
  • V-96475
Rule IDs
  • SV-216542r961557_rule
  • SV-105613
This requires the use of secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instead of HTTP. If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to eavesdropping, potentially putting sensitive data (including administrator passwords) at risk of compromise and potentially allowing hijacking of maintenance sessions.
Checks: C-17777r288312_chk

Review the router configuration to verify that SSH version 2 is configured as shown in the example below. ssh server v2 Note: IOS XR supports SSHv1 and SSHv2. The AES encryption algorithm is supported on the SSHv2 server and client, but not on the SSHv1 server and client. Any requests for an AES cipher sent by an SSHv2 client to an SSHv1 server are ignored, with the server using 3DES instead. The cipher preference for the SSH server follows the order AES128, AES192, AES256, and, finally, 3DES. The server rejects any requests by the client for an unsupported cipher, and the SSH session does not proceed. If the router is configured to implement SSH version 1, this is a finding.

Fix: F-17774r288313_fix

Configure the router to use SSH version 2 as shown in the example below. RP/0/0/CPU0:R3(config)#ssh server v2

b
The Cisco router must be configured to off-load log records onto a different system than the system being audited.
AU-4 - Medium - CCI-001851 - V-216543 - SV-216543r961860_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
CISC-ND-001310
Vuln IDs
  • V-216543
  • V-96477
Rule IDs
  • SV-216543r961860_rule
  • SV-105615
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
Checks: C-17778r288315_chk

Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below. logging 10.1.12.7 vrf default severity info If the Cisco router is not configured to off-load log records onto a different system than the system being audited, this is a finding.

Fix: F-17775r288316_fix

Configure the Cisco router to send log records to a syslog server as shown in the example below. RP/0/0/CPU0:R3(config)#logging 10.1.12.7 severity info

c
The Cisco router must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.
CM-6 - High - CCI-000370 - V-216544 - SV-216544r961863_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000370
Version
CISC-ND-001370
Vuln IDs
  • V-216544
  • V-96483
Rule IDs
  • SV-216544r961863_rule
  • SV-105621
Centralized management of user accounts and authentication increases the administrative access to the router. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each network device.
Checks: C-17779r916073_chk

Review the Cisco router configuration to verify that the device is configured to use at least two authentication servers as primary source for authentication as shown in the following example: radius-server host 10.1.3.16 auth-port 1645 acct-port 1646 key xxxxxxxxxx radius-server host 10.1.3.17 auth-port 1645 acct-port 1646 key xxxxxxxxxx… … … aaa authentication login LOGIN_AUTHENTICATION group radius local line console login authentication LOGIN_AUTHENTICATION ! line default login authentication LOGIN_AUTHENTICATION transport input ssh If the Cisco router is not configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access, this is a finding.

Fix: F-17776r916074_fix

Step 1: Configure the router to use at least two authentication servers as shown in the following example: RP/0/0/CPU0:R3(config)#radius-server host 10.1.3.16 key xxxxxxxx RP/0/0/CPU0:R3(config)#radius-server host 10.1.3.17 key xxxxxxxx Step 2: Configure the authentication order to use the authentication servers as primary source for authentication as shown in the following example: RP/0/0/CPU0:R3(config)#aaa authentication login LOGIN_AUTHENTICATION group radius local Step 3: Configure all network connections associated with a device management to use the authentication servers for the purpose of login authentication as shown in the following example: RP/0/0/CPU0:R3(config)#line default RP/0/0/CPU0:R3(config-line)#login authentication LOGIN_AUTHENTICATION RP/0/0/CPU0:R3(config-line)#exit RP/0/0/CPU0:R3(config)#line console RP/0/0/CPU0:R3(config-line)#login authentication LOGIN_AUTHENTICATION

b
The Cisco router must be configured to back up the configuration when changes occur.
CM-6 - Medium - CCI-000366 - V-216545 - SV-216545r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
CISC-ND-001410
Vuln IDs
  • V-216545
  • V-96491
Rule IDs
  • SV-216545r961863_rule
  • SV-105629
System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the execution and operation of the device. Information system backup is a critical step in ensuring system integrity and availability. If the system fails and there is no backup of the system-level information, a denial of service condition is possible for all who utilize this critical network component. This control requires the network device to support the organizational central backup process for system-level information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups.
Checks: C-17780r288321_chk

Review the Cisco router configuration to verify that it is compliant with this requirement. The example configuration below will send the configuration to an TFTP server when a configuration change occurs. configuration commit auto-save filename tftp://10.1.3.18 If the Cisco router is not configured to conduct backups of the configuration when changes occur, this is a finding.

Fix: F-17777r288322_fix

Configure the Cisco router to send the configuration to an TFTP or FTP server when a configuration change occurs as shown in the example below. RP/0/0/CPU0:R3(config)#configuration commit auto-save filename tftp:// 10.1.3.18

b
The Cisco router must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.
CM-6 - Medium - CCI-000366 - V-216546 - SV-216546r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
CISC-ND-001440
Vuln IDs
  • V-216546
  • V-96495
Rule IDs
  • SV-216546r961863_rule
  • SV-105633
For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority (CA) at medium assurance or higher, this Certification Authority will suffice.
Checks: C-17781r288324_chk

Review the router configuration to determine if a CA trust point has been configured. The CA trust point will contain the URL of the CA in which the router has enrolled with. Verify this is a DoD or DoD-approved CA. This will ensure the router has enrolled and received a certificate from a trusted CA. The CA trust point configuration would look similar to the example below. crypto pki trustpoint CA_X enrollment url http://trustpoint1.example.com Note: A remote end-point's certificate will always be validated by the router by verifying the signature of the CA on the certificate using the CA's public key, which is contained in the router's certificate it received at enrollment. Note: This requirement is not applicable if the router does not have any public key certificates. If the Cisco router is not configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.

Fix: F-17778r288325_fix

Configure the router to obtain its public key certificates from an appropriate certificate policy through an approved service provider as show in the example below. RP/0/0/CPU0:R3(config)#crypto ca trustpoint CA_X RP/0/0/CPU0:R3(config-trustp)#enrollment url http://trustpoint1.example.com

c
The Cisco router must be configured to send log data to at least two syslog servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).
AU-4 - High - CCI-001851 - V-216547 - SV-216547r961863_rule
RMF Control
AU-4
Severity
High
CCI
CCI-001851
Version
CISC-ND-001450
Vuln IDs
  • V-216547
  • V-96497
Rule IDs
  • SV-216547r961863_rule
  • SV-105635
The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can used to detect weaknesses in security that enable the network IA team to find and address these weaknesses before breaches can occur. Reviewing these logs, whether before or after a security breach, are important in showing whether someone is an internal employee or an outside threat.
Checks: C-17782r916076_chk

Verify that the router is configured to send logs to at least two syslog servers. The configuration should look similar to the example below: logging 10.1.3.22 vrf default severity info logging 10.1.3.23 vrf default severity info If the router is not configured to send log data to the syslog server, this is a finding.

Fix: F-17779r916077_fix

Configure the router to send log messages to the syslog servers as shown in the example below. RP/0/0/CPU0:R3(config)#logging 10.1.3.22 severity info RP/0/0/CPU0:R3(config)#logging 10.1.3.23 severity info

c
The Cisco router must be running an IOS release that is currently supported by Cisco Systems.
CM-6 - High - CCI-000366 - V-216549 - SV-216549r961863_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
CISC-ND-001470
Vuln IDs
  • V-216549
  • V-96501
Rule IDs
  • SV-216549r961863_rule
  • SV-105639
Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities. Running a supported release also enables operations to maintain a stable and reliable network provided by improved quality of service and security features.
Checks: C-17784r288333_chk

Verify that the router is in compliance with this requirement by having the router administrator enter the following command: show version Verify that the release is still supported by Cisco. All releases supported by Cisco can be found on the following URL: www.cisco.com/c/en/us/support/ios-nx-os-software If the router is not running a supported release, this is a finding.

Fix: F-17781r288334_fix

Upgrade the router to a supported release.