CISC-RT-000040 – The Cisco switch must be configured to use encryption for routing protocol authentication – rip. Details: A rogue switch could send a fictitious routing update to convince a site’s perimeter switch to send traffic to...
CISC-RT-000050 – The Cisco switch must be configured to authenticate all routing protocol messages using NIST-validated FIPS 198-1 message authentication code algorithm. Details: A rogue switch could send a fictitious routing update to convince a site’s perimeter switch to send traffic to...
CISC-RT-000060 – The Cisco switch must be configured to have all inactive Layer 3 interfaces disabled. Details: An inactive interface is rarely monitored or controlled and may expose a network to an undetected attack on that...
CISC-RT-000070 – The Cisco switch must be configured to have all non-essential capabilities disabled. Details: A compromised switch introduces risk to the entire network infrastructure, as well as data resources that are accessible via...
CISC-RT-000080 – The Cisco switch must not be configured to have any feature enabled that calls home to the vendor. Details: Call home services will routinely send data such as configuration and diagnostic information to the vendor for routine or...
CISC-RT-000090 – The Cisco switch must not be configured to have any zero-touch deployment feature enabled when connected to an operational network. Details: Network devices that are configured via a zero-touch deployment or auto-loading feature can have their startup configuration or image...
CISC-RT-000120 – The Cisco switch must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection. Details: The Route Processor (RP) is critical to all network operations because it is the component used to build all...
CISC-RT-000130 – The Cisco switch must be configured to restrict traffic destined to itself. Details: The route processor handles traffic destined to the switch. This is the key component used to build forwarding paths...
CISC-RT-000140 – The Cisco switch must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself. Details: Fragmented ICMP packets can be generated by hackers for denial-of-service (DoS) attacks such as Ping O’ Death and Teardrop....
CISC-RT-000150 – The Cisco switch must be configured to have gratuitous ARP disabled on all external interfaces. Details: A gratuitous ARP is an ARP broadcast in which the source and destination MAC addresses are the same. It...