Cisco ACI Router Security Technical Implementation Guide

Overview

Version: 1
Date: 2025-06-18
Finding Count (45): CAT I (High): 0; CAT II (Medium): 29; CAT III (Low): 16
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings - All

Finding ID: V-272061
Title: The Cisco ACI must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.
Description: Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all networ...

Finding ID: V-272062
Title: The BGP Cisco ACI must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).
Description: Accepting route advertisements belonging to the local AS can result in traffic looping or being black holed, or at a minimum using a nonoptimized path...

Finding ID: V-272063
Title: The BGP Cisco ACI must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS).
Description: Advertisement of routes by an autonomous system for networks that do not belong to any of its customers pulls traffic away from the authorized network...

Finding ID: V-272068
Title: The multicast Cisco ACI must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.
Description: If multicast traffic is forwarded beyond the intended boundary, it is possible it can be intercepted by unauthorized or unintended personnel. Limiting...

Finding ID: V-272069
Title: The multicast Cisco ACI must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled.
Description: PIM is a routing protocol used to build multicast distribution trees for forwarding multicast traffic across the network infrastructure. PIM traffic m...

Finding ID: V-272071
Title: The out-of-band management (OOBM) gateway Cisco ACI must be configured to have separate OSPF instances for the managed network and management network.
Description: If the gateway router is not a dedicated device for the OOBM network, implementation of several safeguards for containment of management and productio...

Finding ID: V-272072
Title: The Cisco ACI out-of-band management (OOBM) must be configured to not redistribute routes between the management network routing domain and the managed network routing domain.
Description: If the gateway router is not a dedicated device for the OOBM network, several safeguards must be implemented for containment of management and product...

Finding ID: V-272076
Title: The Cisco ACI must not be configured to have any feature enabled that calls home to the vendor.
Description: Call home services will routinely send data such as configuration and diagnostic information to the vendor for routine or emergency analysis and troub...

Finding ID: V-272077
Title: The Cisco ACI must be configured to use encryption for routing protocol authentication.
Description: A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destinatio...

Finding ID: V-272078
Title: The Cisco ACI must be configured to authenticate all routing protocol messages using a NIST-validated FIPS 198-1 message authentication code algorithm.
Description: A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destinatio...

Finding ID: V-272079
Title: The Cisco ACI must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.
Description: Fragmented ICMP packets can be generated by hackers for DoS attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP pack...

Finding ID: V-272080
Title: The BGP Cisco ACI must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.
Description: Outbound route advertisements belonging to the core can result in traffic either looping or being black holed, or at a minimum, using a nonoptimized p...

Finding ID: V-272081
Title: The Cisco ACI must be configured to only permit management traffic that ingresses and egresses the OOBM interface.
Description: To configure OOB management on an ACI fabric, use the Application Policy Infrastructure Controller (APIC), which is the central management point for t...

Finding ID: V-272082
Title: The Cisco ACI must be configured to implement message authentication and secure communications for all control plane protocols.
Description: A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destinatio...

Finding ID: V-272083
Title: The BGP Cisco ACI must be configured to use a unique key for each autonomous system (AS) it peers with.
Description: If the same keys are used between eBGP neighbors, the chance of a hacker compromising any of the BGP sessions increases. It is possible that a malicio...

Finding ID: V-272084
Title: The Cisco ACI must be configured to use keys with a duration of 180 days or less for authenticating routing protocol messages.
Description: If the keys used for routing protocol authentication are guessed, the malicious user could create havoc within the network by advertising incorrect ro...

Finding ID: V-272085
Title: The Multicast Source Discovery Protocol (MSDP) Cisco ACI must be configured to authenticate all received MSDP packets.
Description: MSDP peering with customer network routers presents additional risks to the core, whether from a rogue or misconfigured MSDP-enabled router. MSDP pass...

Finding ID: V-272086
Title: The Cisco ACI must be configured to have gratuitous ARP (GARP) disabled on all external interfaces.
Description: A GARP is an ARP broadcast in which the source and destination MAC addresses are the same. It is used to inform the network about a host IP address. A...

Finding ID: V-272087
Title: The Cisco ACI must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces.
Description: The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wid...

Finding ID: V-272088
Title: The BGP Cisco ACI must be configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.
Description: The effects of prefix de-aggregation can degrade router performance due to the size of routing tables and also result in black-holing legitimate traff...

Finding ID: V-272091
Title: The multicast rendezvous point (RP) must be configured to rate limit the number of Protocol Independent Multicast (PIM) Register messages.
Description: When a new source starts transmitting in a PIM Sparse Mode network, the designated router (DR) will encapsulate the multicast packets into register me...

Finding ID: V-272092
Title: The Cisco ACI must be configured to limit the mroute states created by Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) reports on a Cisco APIC Bridge Domain (BD) or interface.
Description: Limiting mroute states helps prevent excessive multicast traffic flooding on the network by controlling the number of multicast groups a segment can j...

Finding ID: V-272093
Title: The Cisco ACI multicast shortest-path tree (SPT) threshold must be set to the default.
Description: On a Cisco ACI, the "ip pim spt-threshold" is not set to infinity by default; it is typically set to a finite value, with the default usually being ze...

Finding ID: V-272096
Title: The Cisco ACI multicast must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join a multicast group only from sources that have been approved by the organization.
Description: Real-time multicast traffic can entail multiple large flows of data. Large unicast flows tend to be fairly isolated (i.e., someone doing a file downlo...

Finding ID: V-272097
Title: Cisco ACI Multicast Source Discovery Protocol (MSDP) must be configured to only accept MSDP packets from known MSDP peers.
Description: MSDP peering with customer network routers presents additional risks to the DISN Core, whether from a rogue or misconfigured MSDP-enabled router. To g...

Finding ID: V-272101
Title: The Cisco ACI must not be configured to use IPv6 site local unicast addresses.
Description: As currently defined, site local addresses are ambiguous and can be present in multiple sites. The address itself does not contain any indication of t...

Finding ID: V-272102
Title: The Cisco ACI must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.
Description: Separating critical system components and functions from other noncritical system components and functions through separate subnetworks may be necessa...

Finding ID: V-272103
Title: The Cisco ACI must establish organization-defined alternate communication paths for system operations organizational command and control.
Description: An incident, whether adversarial- or nonadversarial-based, can disrupt established communication paths used for system operations and organizational c...

Finding ID: V-272104
Title: The Cisco ACI must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.
Description: The route processor (RP) is critical to all network operations because it is the component used to build all forwarding paths for the data plane via c...

Finding ID: V-272064
Title: The BGP Cisco ACI must be configured to reject route advertisements from BGP peers that do not list their autonomous system (AS) number as the first AS in the AS_PATH attribute.
Description: Verifying the path a route has traversed will ensure the IP core is not used as a transit network for unauthorized or possibly even internet traffic. ...

Finding ID: V-272065
Title: The Multicast Source Discovery Protocol (MSDP) Cisco ACI must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.
Description: The interoperability of BGP extensions for interdomain multicast routing and MSDP enables seamless connectivity of multicast domains between autonomou...

Finding ID: V-272066
Title: The Cisco ACI Multicast Source Discovery Protocol (MSDP) must be configured to filter source-active (SA) multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.
Description: To avoid global visibility of local information, there are a number of source-group (S, G) states in a PIM-SM domain that must not be leaked to anothe...

Finding ID: V-272067
Title: The Multicast Source Discovery Protocol (MSDP) Cisco ACI must be configured to limit the amount of source-active (SA) messages it accepts on a per-peer basis.
Description: To reduce any risk of a denial-of-service (DoS) attack from a rogue or misconfigured MSDP router, the router must be configured to limit the number of...

Finding ID: V-272070
Title: The multicast edge Cisco ACI must be configured to establish boundaries for administratively scoped multicast traffic.
Description: If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel. Ad...

Finding ID: V-272073
Title: The Cisco ACI multicast rendezvous point (RP) must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the designated router (DR) for any undesirable multicast groups and sources.
Description: Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the av...

Finding ID: V-272074
Title: The multicast rendezvous point (RP) Cisco ACI must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the designated router (DR) for any undesirable multicast groups.
Description: Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the av...

Finding ID: V-272075
Title: The Cisco ACI must be configured to log all packets that have been dropped.
Description: Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done or attempted t...

Finding ID: V-272089
Title: The BGP Cisco ACI must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer.
Description: The effects of prefix de-aggregation can degrade router performance due to the size of routing tables and also result in black-holing legitimate traff...

Finding ID: V-272090
Title: The Cisco ACI multicast rendezvous point (RP) must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) source-active entries.
Description: MSDP peering between networks enables sharing of multicast source information. Enclaves with an existing multicast topology using PIM-SM can configure...

Finding ID: V-272094
Title: Cisco ACI must be configured to enable the Generalized TTL Security Mechanism (GTSM) for BGP sessions.
Description: GTSM is designed to protect a router's IP-based control plane from denial-of-service (DoS) attacks. Many attacks focused on CPU load and line-card ove...

Finding ID: V-272095
Title: The Cisco ACI multicast must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join only multicast groups that have been approved by the organization.
Description: Real-time multicast traffic can entail multiple large flows of data. Large unicast flows tend to be fairly isolated (i.e., someone doing a file downlo...

Finding ID: V-272098
Title: The Cisco ACI must be configured to use its loopback address as the source address for internal Border Gateway Protocol (iBGP) peering sessions.
Description: Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of the BGP routers. It is ...

Finding ID: V-272099
Title: The Multicast Source Discovery Protocol (MSDP) Cisco ACI must be configured to use its loopback address as the source address when originating MSDP traffic.
Description: Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of MSDP routers. It is eas...

Finding ID: V-272100
Title: The Cisco ACI must be configured to advertise a hop limit of at least 32 in Cisco ACI Advertisement messages for IPv6 stateless auto-configuration deployments.
Description: The Neighbor Discovery Protocol allows a hop limit value to be advertised by routers in a router advertisement message being used by hosts instead of ...

Finding ID: V-272105
Title: The MPLS Cisco ACI with Resource Reservation Protocol Traffic Engineering (RSVP-TE) enabled must be configured with message pacing or refresh reduction to adjust the maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core Cisco ACIs.
Description: RSVP-TE can be used to perform constraint-based routing when building LSP tunnels within the network core that will support QoS and traffic engineerin...