| V-272061 | | The Cisco ACI must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all networ... |
| V-272062 | | The BGP Cisco ACI must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS). | Accepting route advertisements belonging to the local AS can result in traffic looping or being black holed, or at a minimum using a nonoptimized path... |
| V-272063 | | The BGP Cisco ACI must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS). | Advertisement of routes by an autonomous system for networks that do not belong to any of its customers pulls traffic away from the authorized network... |
| V-272069 | | The multicast Cisco ACI must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled. | PIM is a routing protocol used to build multicast distribution trees for forwarding multicast traffic across the network infrastructure. PIM traffic m... |
| V-272076 | | The Cisco ACI must not be configured to have any feature enabled that calls home to the vendor. | Call home services will routinely send data such as configuration and diagnostic information to the vendor for routine or emergency analysis and troub... |
| V-272077 | | The Cisco ACI must be configured to use encryption for routing protocol authentication. | A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destinatio... |
| V-272078 | | The Cisco ACI must be configured to authenticate all routing protocol messages using a NIST-validated FIPS 198-1 message authentication code algorithm. | A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destinatio... |
| V-272079 | | The Cisco ACI must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself. | Fragmented ICMP packets can be generated by hackers for denial-of-service (DoS) attacks such as Ping O' Death and Teardrop. It is imperative that all ... |
| V-272081 | | The Cisco ACI must be configured to only permit management traffic that ingresses and egresses the OOBM interface. | To configure OOB management on an ACI fabric, use the Application Policy Infrastructure Controller (APIC), the central management point for the networ... |
| V-272082 | | The Cisco ACI must be configured to implement message authentication and secure communications for all control plane protocols. | A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destinatio... |
| V-272086 | | The Cisco ACI must be configured to have gratuitous ARP (GARP) disabled on all external interfaces. | A GARP is an ARP broadcast in which the source and destination MAC addresses are the same. It is used to inform the network about a host IP address. A... |
| V-272087 | | The Cisco ACI must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces. | The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wid... |
| V-272088 | | The BGP Cisco ACI must be configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks. | The effects of prefix de-aggregation can degrade router performance due to the size of routing tables and result in black-holing legitimate traffic. I... |
| V-272091 | | The multicast rendezvous point (RP) must be configured to rate limit the number of Protocol Independent Multicast (PIM) Register messages. | When a new source starts transmitting in a PIM Sparse Mode network, the designated router (DR) will encapsulate the multicast packets into register me... |
| V-272092 | | The Cisco ACI must be configured to limit the mroute states created by Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) reports on a Cisco APIC Bridge Domain (BD) or interface. | Limiting mroute states helps prevent excessive multicast traffic flooding on the network by controlling the number of multicast groups a segment can j... |
| V-272101 | | The Cisco ACI must not be configured to use IPv6 site local unicast addresses. | As currently defined, site local addresses are ambiguous and can be present in multiple sites. The address itself does not contain any indication of t... |
| V-272103 | | The Cisco ACI must establish organization-defined alternate communication paths for system operations organizational command and control. | An incident, whether adversarial- or nonadversarial-based, can disrupt established communication paths used for system operations and organizational c... |
| V-272104 | | The Cisco ACI must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection. | The route processor (RP) is critical to all network operations because it is the component used to build all forwarding paths for the data plane via c... |
| V-272064 | | The BGP Cisco ACI must be configured to reject route advertisements from BGP peers that do not list their autonomous system (AS) number as the first AS in the AS_PATH attribute. | Verifying the path a route has traversed will ensure the IP core is not used as a transit network for unauthorized or possibly even internet traffic. ... |
| V-272073 | | The Cisco ACI multicast rendezvous point (RP) must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the designated router (DR) for any undesirable multicast groups and sources. | Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the av... |
| V-272074 | | The multicast rendezvous point (RP) Cisco ACI must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the designated router (DR) for any undesirable multicast groups. | Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the av... |
| V-272075 | | The Cisco ACI must be configured to log all packets that have been dropped. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done or attempted t... |
| V-272089 | | The BGP Cisco ACI must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer. | The effects of prefix de-aggregation can degrade router performance due to the size of routing tables and also result in black-holing legitimate traff... |
| V-272094 | | Cisco ACI must be configured so the BGP neighbor is directly connected and will not connect a BGP session to a directly connected neighbor device's loopback address. | Generalized Time To Live Security Mechanism (GTSM) is designed to protect a router's IP-based control plane from denial-of-service (DoS) attacks. Many... |
| V-272095 | | The Cisco ACI multicast must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join only multicast groups and only from sources that have been approved by the organization. | Real-time multicast traffic can entail multiple large flows of data. Large unicast flows tend to be fairly isolated (i.e., occasional file downloads),... |
| V-272098 | | The Cisco ACI must be configured to use its loopback address as the source address for internal Border Gateway Protocol (iBGP) peering sessions. | Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of the BGP routers. It is ... |
