Perimeter Router Security Technical Implementation Guide Cisco

V8R32 2018-11-28       U_Network_Perimeter_Router_Cisco_STIG_V8R32_Manual-xccdf.xml
V8R21 2015-09-21       U_Network_Perimeter_Router_Cisco_V8R21_Manual-xccdf.xml
Perimeter Router Security Technical Implementation Guide – Cisco
Comparison
All: 1
No Change: 0
Updated: 0
Added: 1
Removed: 0
V-64805 Added
Findings ID: NET0745 Rule ID: SV-79295r1_rule Severity: low CCI: CCI-000381

Discussion

The Maintenance Operations Protocol (MOP) was developed by Digital Equipment Corporation to be used for remote communications. Cisco IOS software routers implement MOP to gather configuration information when communicating with DECnet networks. By default, MOP is enabled on all Ethernet, FastEthernet, and GigabitEthernet interfaces, and disabled on all other types of interfaces. MOP Remote Console (RC) data is carried directly in Layer 2 frames, with no Layer 3 addressing at all, so any RC session is limited to devices that are either on the same physical network segment or on separate network segments that are bridged. It is possible to connect to a Cisco IOS device using a MOP RC client and, with a valid set of credentials, establish an interactive remote session. Because this is a Cisco default setting, it does not appear in the configuration when enabled. The MOP service must be disabled on each interface by using the "no mop enabled" interface configuration command.

Responsibility: System Administrator, Switch Administrator

Checks

Review the device configuration; if the statement "no mop enabled" is not present on every enabled Ethernet, FastEthernet, and GigabitEthernet interface, this is a finding. Not all releases of Cisco IOS support this capability, and this does not apply to Cisco NX-OS. If the "no mop enabled" statement is not present in the device configuration, determine whether the IOS version and feature set support Maintenance Operations Protocol. If they do not, this is not a finding.

Fix

Configure the device to disable Maintenance Operations Protocol (MOP). Issue the following command on all Ethernet, FastEthernet, and GigabitEthernet interfaces:

(config-if) no mop enabled

Not all releases of Cisco IOS support this capability, and this does not apply to Cisco NX-OS. Document the IOS release and feature set; if the device IOS does not support Maintenance Operations Protocol, no configuration change is necessary.
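An added example, not part of this STIG or of any Cisco tooling: a Python check that reads a saved IOS running-config and lists the enabled Ethernet, FastEthernet, and GigabitEthernet interfaces that lack "no mop enabled", which is exactly the condition the Check above calls a finding. The configuration text is constructed for the example, and the parser assumes the usual IOS layout of one-space-indented lines under each "interface" stanza.

```python
# Constructed sample running-config; not taken from a real device.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/0
 description uplink
 ip address 198.51.100.2 255.255.255.252
 no mop enabled
!
interface GigabitEthernet0/1
 description DMZ segment
 ip address 192.0.2.1 255.255.255.0
!
interface FastEthernet1/0
 shutdown
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface Serial0/0/0
 encapsulation ppp
!
"""

# Interface families on which IOS enables MOP by default (per the STIG text).
MOP_DEFAULT_ON = ("Ethernet", "FastEthernet", "GigabitEthernet")


def parse_interfaces(config):
    """Return {interface_name: [stripped stanza lines]} for every 'interface' block."""
    stanzas = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # "!" or a top-level command ends the stanza
    return stanzas


def mop_findings(config):
    """NET0745: enabled Ethernet-family interfaces missing 'no mop enabled'.
    MOP is on by default and the default is not shown in the config, so the
    absence of the statement is what makes an interface a finding."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if not name.startswith(MOP_DEFAULT_ON):
            continue  # MOP is off by default on Loopback, Serial, etc.
        if "shutdown" in lines:
            continue  # the check only covers enabled interfaces
        if "no mop enabled" not in lines:
            findings.append(name)
    return findings


if __name__ == "__main__":
    for iface in mop_findings(SAMPLE_CONFIG):
        print(f"FINDING: {iface} is missing 'no mop enabled'")
```

The script cannot tell whether the IOS release supports MOP at all, so on a platform without the feature the listed interfaces are not findings; record the release and feature set as the Fix directs.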