Details
Information flow control regulates where authorized information is allowed to travel within a network and between interconnected networks. Controlling the flow of network traffic is critical so that it does not introduce any unacceptable risk to the network infrastructure or data. An example of a flow control restriction is blocking outside traffic that claims to originate from within the organization. For most routers, internal information flow control is a product of system design.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
This requirement is not applicable for the DODIN Backbone.
Step 1: Configure an ACL to allow or deny traffic as shown in the example below.
R1(config)#ip access-list extended FILTER_PERIMETER
R1(config-ext-nacl)#permit tcp any any established
R1(config-ext-nacl)#permit tcp host x.12.1.9 host x.12.1.10 eq bgp
R1(config-ext-nacl)#permit tcp host x.12.1.9 eq bgp host x.12.1.10
R1(config-ext-nacl)#permit icmp host x.12.1.9 host x.12.1.10 echo
R1(config-ext-nacl)#permit icmp host x.12.1.9 host x.12.1.10 echo-reply
R1(config-ext-nacl)#permit tcp any host x.12.1.22 eq www
R1(config-ext-nacl)#deny ip any any log-input
R1(config-ext-nacl)#exit
Step 2: Apply the ACL inbound on all external interfaces.
R1(config)#int g0/0
R1(config-if)#ip access-group FILTER_PERIMETER in
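The two steps above describe what a reviewer checks on the device: every external interface must carry an inbound extended ACL, and that ACL must close with an explicit, logged deny. The following script is an added example (not Nessus, STIG or Cisco code) that performs that check offline against running-configuration text. It assumes IOS-style "ip access-list extended" and "interface" blocks; the embedded configuration is constructed for illustration, with documentation addresses (192.0.2.0/24) and interface names standing in for the x.12.1.x hosts and external interfaces on a real router.

```python
"""Audit helper: verify that each external interface has an inbound extended
ACL whose final entry is an explicit 'deny ip any any' with logging.

Added example, not Nessus or STIG code. Assumes IOS-style 'show running-config'
text; the sample configuration below is constructed for illustration.
"""
import re

# Constructed sample configuration, modelled on the ACL in the Solution text.
# Interface names and 192.0.2.x addresses are illustrative placeholders.
SAMPLE_CONFIG = """\
ip access-list extended FILTER_PERIMETER
 permit tcp any any established
 permit tcp host 192.0.2.9 host 192.0.2.10 eq bgp
 permit tcp host 192.0.2.9 eq bgp host 192.0.2.10
 permit icmp host 192.0.2.9 host 192.0.2.10 echo
 permit icmp host 192.0.2.9 host 192.0.2.10 echo-reply
 permit tcp any host 192.0.2.22 eq www
 deny ip any any log-input
!
ip access-list extended OPEN_ACL
 permit ip any any
!
interface GigabitEthernet0/0
 description external uplink
 ip access-group FILTER_PERIMETER in
!
interface GigabitEthernet0/1
 description second external uplink
 ip access-group OPEN_ACL in
!
interface GigabitEthernet0/2
 description third external uplink, no ACL applied
!
"""


def parse_acls(config):
    """Return {acl_name: [entry, ...]} for each 'ip access-list extended' block."""
    acls, current = {}, None
    for line in config.splitlines():
        m = re.match(r"ip access-list extended (\S+)", line)
        if m:
            current = m.group(1)
            acls[current] = []
        elif current and line.startswith(" ") and line.strip():
            acls[current].append(line.strip())
        elif not line.startswith(" "):
            current = None  # '!' or a new top-level block ends the ACL
    return acls


def parse_inbound_acls(config):
    """Return {interface_name: acl_name or None} for every interface block."""
    ifaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            ifaces[current] = None
        elif current and line.startswith(" "):
            g = re.match(r"\s+ip access-group (\S+) in$", line)
            if g:
                ifaces[current] = g.group(1)
        elif not line.startswith(" "):
            current = None
    return ifaces


def ends_with_logged_deny(entries):
    """True when the last ACE is an explicit 'deny ip any any' with log or log-input."""
    if not entries:
        return False
    last = entries[-1].split()
    return (len(last) >= 5 and last[:4] == ["deny", "ip", "any", "any"]
            and last[4] in ("log", "log-input"))


def audit_external_interfaces(config, external_ifaces):
    """Return {iface: 'PASS'} or {iface: 'FAIL: reason'} for each listed interface."""
    acls = parse_acls(config)
    inbound = parse_inbound_acls(config)
    results = {}
    for iface in external_ifaces:
        acl = inbound.get(iface)
        if iface not in inbound:
            results[iface] = "FAIL: interface not found in configuration"
        elif acl is None:
            results[iface] = "FAIL: no inbound ACL applied"
        elif acl not in acls:
            results[iface] = f"FAIL: ACL {acl} referenced but not defined"
        elif not ends_with_logged_deny(acls[acl]):
            results[iface] = f"FAIL: ACL {acl} does not end with a logged 'deny ip any any'"
        else:
            results[iface] = "PASS"
    return results


if __name__ == "__main__":
    externals = ["GigabitEthernet0/0", "GigabitEthernet0/1", "GigabitEthernet0/2"]
    for iface, finding in audit_external_interfaces(SAMPLE_CONFIG, externals).items():
        print(f"{iface}: {finding}")
```

The list of external interfaces is an input the reviewer supplies, since which interfaces face outside the enclave cannot be inferred from the configuration alone. The check distinguishes the three ways Step 2 is commonly missed: no ACL bound inbound, an ACL bound that was never defined, and an ACL that lacks the final logged deny that makes dropped traffic visible.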
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: Cisco.
References
- 800-53|AC-4
- CAT|II
- CCI|CCI-001414
- Rule-ID|SV-216663r531086_rule
- STIG-ID|CISC-RT-000250
- STIG-Legacy|SV-106037
- STIG-Legacy|V-96899
- Vuln-ID|V-216663