04-09-2016 03:01 AM - edited 03-05-2019 03:45 AM
Hi All,
In order to be STIG (Security Technical Implementation Guide) compliant, we have used the Nessus tool to generate the security report on a CSR 1000V Router (Virtual Router), and we found the following issue.
The report stated the following point:
NET0923 - IPv4 Loopback address is not blocked
Info
Group ID (Vulid): V-14689 Rule ID: SV-15384r1_rule Severity: CAT I The router administrator will restrict the premise router from accepting any inbound IP packets with a local host loop back address (127.0.0.0/8). Inbound spoofing occurs when someone outside the network uses an internal IP address to gain access to systems or devices on the internal network. If the intruder is successful, they can intercept data, passwords, etc., and use that information to perform destructive acts on or to the network.
IA Controls: ECSC-1
Audit File
DISA_Perimeter_Router_Cisco.audit
Policy Value
access-list 3 deny +ip 127.0.0.0 0.255.255.255 any log
Below is the line of code implemented in the configuration file of the CSR 1000V Router:
access-list 3 deny 127.0.0.0 0.255.255.255 log
Even after implementing this line of code, the report is still showing the error. Am I missing something here? Please let me know.
Similar issues are being reported. If one of the issues is root-caused, the rest should follow the same pattern for resolution.
Thanks in Advance.
With Best Regards,
T.Deanesh
04-11-2016 07:34 AM
Hi All,
Here are the observations in qualifying the above defect.
First of all:
access-list 3 deny +ip 127.0.0.0 0.255.255.255 any log
Note: the *ip* option is not available in the standard ACL of the CSR 1K Router.
I have used an extended ACL (> 100, e.g. 150) to get the ip option:
access-list 150 deny +ip 127.0.0.0 0.255.255.255 any log
This started working and the Nessus report reported it as passing.
However, the default value for the Ingress ACL ID was populated by Nessus as 3.
It needs to be checked whether ID 3 is valid in the case of a physical router.
If the value is OK for a physical router, then at least a note should be mentioned below the field to update it appropriately for a virtual router.
However, there are some defects whose resolution is still in progress.
I will be updating the forum based on my findings, which might be useful information for other folks who traverse the same path.
With Best Regards,
T.Deanesh
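As an added example (not part of this thread, and not Nessus or DISA audit code), here is a small Python checker that does what NET0923 asks for on a running-config excerpt: it looks for a numbered ACL whose deny line covers 127.0.0.0/8, verifies that the ACL is actually applied inbound on the external interface (a defined but unapplied ACL blocks nothing), and refuses ACL lines whose syntax does not match the ACL number range, which is exactly the mismatch in the two posts above (the `ip` keyword belongs to extended ACLs 100-199/2000-2699, not to a standard ACL such as 3). The config text, the interface names and the `OUTSIDE`/`INSIDE` descriptions are constructed for the example; only numbered ACLs written with address/wildcard pairs are parsed, so named ACLs (`ip access-list extended ...`) would need a separate parser.

```python
import re
from ipaddress import IPv4Network

# Constructed CSR 1000V-style running-config excerpt (not a real device dump).
SAMPLE_CONFIG = """\
!
access-list 3 deny 127.0.0.0 0.255.255.255 log
access-list 3 permit any
access-list 150 deny ip 127.0.0.0 0.255.255.255 any log
access-list 150 permit ip any any
!
interface GigabitEthernet1
 description OUTSIDE
 ip address 192.0.2.2 255.255.255.252
 ip access-group 150 in
!
interface GigabitEthernet2
 description INSIDE
 ip address 10.0.0.1 255.255.255.0
!
"""

LOOPBACK = IPv4Network("127.0.0.0/8")

# IOS numbered ACL ranges: standard ACLs have no protocol keyword and no
# destination; extended ACLs need "<proto> <src> <src-wc> <dst>".
STD_RE = re.compile(r"^access-list (\d+) deny (\S+) (\S+)(?: log)?$")
EXT_RE = re.compile(r"^access-list (\d+) deny ip (\S+) (\S+) any(?: log)?$")


def acl_kind(number):
    """Classify a numbered ACL by its IOS number range (None if unknown)."""
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return "standard"
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        return "extended"
    return None


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard-mask pair into an IPv4Network."""
    netmask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return IPv4Network(f"{addr}/{netmask}", strict=False)


def find_loopback_deny_acls(config):
    """Return {acl_number: kind} for numbered ACLs with a deny covering 127.0.0.0/8.

    Raises ValueError when the line's syntax does not fit the ACL's number range,
    e.g. 'access-list 3 deny ip ...' (the ip keyword is not valid in a standard ACL).
    """
    found = {}
    for line in config.splitlines():
        line = line.strip()
        m = EXT_RE.match(line) or STD_RE.match(line)
        if not m:
            continue
        number = int(m.group(1))
        kind = acl_kind(number)
        if kind is None:
            continue
        form = "extended" if m.re is EXT_RE else "standard"
        if form != kind:
            raise ValueError(f"ACL {number} is {kind} but line uses {form} syntax: {line}")
        src = wildcard_to_network(m.group(2), m.group(3))
        if LOOPBACK.subnet_of(src):  # deny covers the whole loopback block
            found[number] = kind
    return found


def inbound_acls(config):
    """Return {interface: acl_id} for every 'ip access-group <acl> in' statement."""
    applied, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
        elif raw.startswith("!"):
            current = None  # end of the interface stanza
        elif current and raw.strip().startswith("ip access-group "):
            parts = raw.split()  # ip access-group <acl> in|out
            if len(parts) == 4 and parts[3] == "in":
                applied[current] = parts[2]
    return applied


def check_net0923(config, external_interfaces):
    """Return (passed, findings): pass only if each external interface has an
    inbound ACL that denies 127.0.0.0/8. Only numbered ACLs are recognised."""
    denies = find_loopback_deny_acls(config)
    applied = inbound_acls(config)
    findings = []
    for ifname in external_interfaces:
        acl = applied.get(ifname)
        if acl is None:
            findings.append(f"{ifname}: no inbound ACL applied")
        elif not acl.isdigit() or int(acl) not in denies:
            findings.append(f"{ifname}: inbound ACL {acl} does not deny 127.0.0.0/8")
    return (not findings, findings)


if __name__ == "__main__":
    # GigabitEthernet1 is the constructed "premise" (external) interface.
    print(check_net0923(SAMPLE_CONFIG, ["GigabitEthernet1"]))
    print(check_net0923(SAMPLE_CONFIG, ["GigabitEthernet2"]))
```

Run it against an exported `show running-config` with the real outside interface name; the second call in the demo shows the finding you get when the ACL exists but is not applied on the interface you name, which a line-level config scan can miss.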