The Nokia perimeter router must be configured to deny network traffic by default and allow network traffic by exception.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-283913 | NOKI-RT-001030 | SV-283913r1203988_rule | CCI-001109 | high |
| Description | ||||
| A deny-all, permit-by-exception network communications traffic policy ensures that only connections that are essential and approved are allowed. This requirement applies to both inbound and outbound network communications traffic. All inbound and outbound traffic must be denied by default. Firewalls and perimeter routers should only allow traffic through that is explicitly permitted. The initial defense for the internal network is to block any traffic at the perimeter that is attempting to make a connection to a host residing on the internal network. In addition, allowing unknown or undesirable outbound traffic by the firewall or router will establish a state that will permit the return of this undesirable traffic inbound. Satisfies: SRG-NET-000202-RTR-000001, SRG-NET-000019-RTR-000002 | ||||
| STIG | Date | |||
| Nokia Service Router OS 25.x Router Security Technical Implementation Guide | 2026-06-15 | |||
Details
Check Text (C-283913r1203988_chk)
This requirement is not applicable for the DODIN Backbone.
Review the router configuration to verify the access control list (ACL) or filter is configured to allow specific ports and protocols and deny all other traffic.
Verify the IPv4 filter is applied on the interface using the command below:
- show router interface "TO-PE2" detail | match "Ingress Filter"
Egress Filter : none Ingress Filter : 30
If the filter is not configured to allow specific ports and protocols and deny all other traffic, this is a finding.
If the filter is not configured inbound on all external interfaces, this is a finding.
Fix Text (F-88383r1203987_fix)
Configure the Nokia router to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy, as shown in the example below:
Create an IPv4 filter:
- configure filter ip-filter 30 create
- config>filter>ip-filter$ entry 10 create
- config>filter>ip-filter>entry$ match protocol "tcp"
- config>filter>ip-filter>entry>match$ exit
- config>filter>ip-filter>entry$ action forward
- config>filter>ip-filter>entry$ exit
- config>filter>ip-filter$ entry 20 create
- config>filter>ip-filter>entry$ match protocol "tcp"
- config>filter>ip-filter>entry>match$ src-ip 10.12.1.9/32
- config>filter>ip-filter>entry>match$ dst-ip 10.12.1.10/30
- config>filter>ip-filter>entry>match$ dst-port 179 eq
- config>filter>ip-filter>entry>match$ exit
- config>filter>ip-filter>entry$ action forward
- config>filter>ip-filter>entry$ exit
- config>filter>ip-filter$ entry 30 create
- config>filter>ip-filter>entry$ match protocol "tcp"
- config>filter>ip-filter>entry>match$ src-ip 10.12.1.9/32
- config>filter>ip-filter>entry>match$ dst-ip 10.12.1.10/32
- config>filter>ip-filter>entry>match$ src-port 179 eq
- config>filter>ip-filter>entry>match$ exit
- config>filter>ip-filter>entry$ action forward
- config>filter>ip-filter>entry$ exit
- config>filter>ip-filter$ entry 40 create
- config>filter>ip-filter>entry$ match protocol "icmp"
- config>filter>ip-filter>entry>match$ src-ip 10.12.1.9/32
- config>filter>ip-filter>entry>match$ dst-ip 10.12.1.10/32
- config>filter>ip-filter>entry>match$ icmp-type "echo-request"
- config>filter>ip-filter>entry>match$ exit
- config>filter>ip-filter>entry$ action forward
- config>filter>ip-filter>entry$ exit
- config>filter>ip-filter$ entry 50 create
- config>filter>ip-filter>entry$ match protocol "icmp"
- config>filter>ip-filter>entry>match$ src-ip 10.12.1.9/32
- config>filter>ip-filter>entry>match$ dst-ip 10.12.1.10/32
- config>filter>ip-filter>entry>match$ icmp-type "echo-reply"
- config>filter>ip-filter>entry$ action forward
- config>filter>ip-filter>entry$ exit
- config>filter>ip-filter$ entry 60 create
- config>filter>ip-filter>entry$ match protocol "tcp"
- config>filter>ip-filter>entry>match$ dst-ip 10.12.1.22/32
- config>filter>ip-filter>entry>match$ dst-port 80 eq
- config>filter>ip-filter>entry>match$ exit
- config>filter>ip-filter>entry$ action forward
- config>filter>ip-filter>entry$ exit
- config>filter>ip-filter$ default-action drop
- config>filter>ip-filter$ exit all
Apply the IPv4 filter on the interface:
- configure router interface "TO-PE2" ingress filter ip 30