The perimeter router must be configured to not be a Border Gateway Protocol (BGP) peer to an alternate gateway service provider.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-207114 | SRG-NET-000019-RTR-000009 | SV-207114r604135_rule | CCI-001414 | high |
| Description | ||||
| ISPs use BGP to share route information with other autonomous systems (i.e. other ISPs and corporate networks). If the perimeter router was configured to BGP peer with an ISP, NIPRnet routes could be advertised to the ISP; thereby creating a backdoor connection from the Internet to the NIPRnet. | ||||
| STIG | Date | |||
| Router Security Requirements Guide | 2024-05-28 | |||
Related Frameworks
3 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
AC-4
1.00
- DISA · 5 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1711 mapping
3.1.3
1.00
- DISA · 5 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-001414
1.00
- DISA · 5 · disa_xccdf · related
Details
Check Text (C-207114r604135_chk)
This requirement is not applicable for the DoDIN Backbone.
Review the configuration of the router connecting to the alternate gateway.
Verify there are no BGP neighbors configured to the remote AS that belongs to the alternate gateway service provider.
If there are BGP neighbors connecting the remote AS of the alternate gateway service provider, this is a finding.
Fix Text (F-7375r382236_fix)
This requirement is not applicable for the DoDIN Backbone.
Configure a static route on the perimeter router to reach the AS of a router connecting to an alternate gateway.