The Nokia perimeter router must be configured to filter traffic destined to the enclave in accordance with the guidelines contained in DOD Instruction (DODI) 8551.1.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-283823 | NOKI-RT-000050 | SV-283823r1203718_rule | CCI-001097 | medium |
| Description | ||||
| Vulnerability assessments must be reviewed by the system administrator, and protocols must be approved by the information assurance staff before entering the enclave. Access control lists (ACLs) are the first line of defense in a layered security approach. They permit authorized packets and deny unauthorized packets based on port or service type. They enhance the posture of the network by not allowing packets to reach a potential target within the security domain. The lists provided are highly susceptible ports and services that should be blocked or limited as much as possible without adversely affecting customer requirements. Auditing packets attempting to penetrate the network but that are stopped by an ACL will allow network administrators to broaden their protective ring and more tightly define the scope of operation. If the perimeter is in a Deny-by-Default posture and what is allowed through the filter is in accordance with DODI 8551.1, and if the permit rule is explicitly defined with explicit ports and protocols allowed, then all requirements related to ports, protocols, and services being blocked would be satisfied. | ||||
| STIG | Date | |||
| Nokia Service Router OS 25.x Router Security Technical Implementation Guide | 2026-06-15 | |||
Details
Check Text (C-283823r1203718_chk)
This requirement is not applicable for the DODIN Backbone.
Review the router configuration to verify the ingress filter is in accordance with DODI 8551.
Verify all interfaces have ingress filters for IPv4 and IPv6 assigned, as shown in the example below:
- show router interface "TO-PE2" detail | match "Ingress Filter"
Egress Filter : none Ingress Filter : 10
- show router interface "TO-PE2" detail | match "Ingr IPv6 Flt"
Egr IPv6 Flt : none Ingr IPv6 Flt : 20
If the router does not filter traffic in accordance with the guidelines contained in DODI 8551, this is a finding.
Fix Text (F-88293r1203717_fix)
This requirement is not applicable for the DODIN Backbone.
Configure the router to use ingress ACLs to restrict traffic in accordance with the guidelines in DODI 8551.1 for all services and protocols required for operational commitments, as shown in the example below:
IPv4 filter:
- configure filter ip-filter 10 create
- config>filter>ip-filter# entry 10 create
- config>filter>ip-filter>entry# match src-ip 172.200.200.2/32
- config>filter>ip-filter>entry# action drop
- config>filter>ip-filter>entry# exit all
IPv6 filter:
- configure filter ipv6-filter 20 create
- config>filter>ipv6-filter# entry 10 create
- config>filter>ipv6-filter>entry# match src-ip 2001:acad:1234:200::2/128
- config>filter>ipv6-filter>entry# action drop
- config>filter>ipv6-filter>entry# exit all
Apply the filter to the interface:
- configure router interface "TO-PE2" ingress filter ip 10
- configure router interface "TO-PE2" ingress filter ipv6 20