The Nokia router must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-283881 | NOKI-RT-000630 | SV-283881r1203892_rule | CCI-001368 | medium |
| Description | ||||
| Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. Information flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, and firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet filtering capability based on header information, or provide a message filtering capability based on message content (e.g., implementing key word searches or using document characteristics). | ||||
| STIG | Date | |||
| Nokia Service Router OS 25.x Router Security Technical Implementation Guide | 2026-06-15 | |||
Details
Check Text (C-283881r1203892_chk)
This requirement is not applicable for the DODIN Backbone.
Review the router configuration to verify access control lists (ACLs) and filters are configured to allow or deny traffic for specific source and destination addresses as well as ports and protocols.
Verify the IPv4 filter is applied on the interface using the command below:
- show router interface "TO-PE2" detail | match "Ingress Filter"
Egress Filter : none Ingress Filter : 20
If the router is not configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies, this is a finding.
Fix Text (F-88351r1203891_fix)
This requirement is not applicable for the DODIN Backbone.
Configure a filter to allow or deny traffic for specific source and destination addresses as well as ports and protocols, as shown in the example below:
Create a port list:
- configure filter match-list port-list Filter-Server-Port-list create
- config>filter>match-list>port-list$ port 515
- config>filter>match-list>port-list$ port 631
- config>filter>match-list>port-list$ port 9100
- config>filter>match-list>port-list$ exit
Create an IPv4 filter:
- configure filter ip-filter 20 create
- config>filter>ip-filter$ entry 10 create
- config>filter>ip-filter>entry$ match protocol "tcp"
- config>filter>ip-filter>entry>match$ dst-ip 10.23.1.0/24
- config>filter>ip-filter>entry>match$ dst-port port-list "Filter-Server-Port-list"
- config>filter>ip-filter>entry$ action forward
- config>filter>ip-filter$ entry 20 create
- config>filter>ip-filter>entry$ match protocol "tcp"
- config>filter>ip-filter>entry>match$ dst-ip 10.23.2.0/24
- config>filter>ip-filter>entry>match$ dst-port port-list "Filter-Server-Port-list"
- config>filter>ip-filter>entry>match$ exit
- config>filter>ip-filter>entry$ action forward
- config>filter>ip-filter$ entry 30 create
- config>filter>ip-filter>entry$ match protocol "icmp"
- config>filter>ip-filter>entry>match$ exit
- config>filter>ip-filter>entry$ action forward
- config>filter>ip-filter>entry$ exit
- config>filter>ip-filter$ entry 40 create
- config>filter>ip-filter>entry$ match protocol "ospf-igp"
- config>filter>ip-filter>entry>match$ exit
- config>filter>ip-filter>entry$ action forward
- config>filter>ip-filter>entry$ exit
- config>filter>ip-filter$ default-action drop
- config>filter>ip-filter$ exit all
Apply the IPv4 filter on the interface:
- configure router interface "TO-PE2" ingress filter ip 20