Nessus Report STIG Compliance for CSR 1000V Router

tdeanesh
Cisco Employee

Hi All,

  In order to be STIG (Security Technical Implementation Guide) compliant, we have used the Nessus tool to generate the security report on the CSR 1000V Router (Virtual Router), and we found the following issue.

 The report stated the following point:

     NET0923 - IPv4 Loopback address is not blocked
 Info
     Group ID (Vulid): V-14689 Rule ID: SV-15384r1_rule Severity: CAT I The router administrator will restrict the premise router from accepting any inbound IP packets with a local host loop back address (127.0.0.0/8). Inbound spoofing occurs when someone outside the network uses an internal IP address to gain access to systems or devices on the internal network. If the intruder is successful, they can intercept data, passwords, etc., and use that information to perform destructive acts on or to the network.

 IA Controls: ECSC-1
 Audit File
   DISA_Perimeter_Router_Cisco.audit
 Policy Value
   access-list 3 deny +ip 127.0.0.0 0.255.255.255 any log

Below is the line of code implemented in the configuration file of the CSR 1000V Router:

   access-list 3 deny 127.0.0.0 0.255.255.255 log

Even after implementing this line of code, the report is still showing the error. Am I missing something here? Please let me know.

Similar issues are being reported. If one of the issues is root-caused, the rest should follow the same pattern for resolution.

Thanks in Advance.

With Best Regards,

T.Deanesh

1 Reply

tdeanesh
Cisco Employee

Hi All,

   Here are the observations in qualifying the above defect.

    First of all:

         access-list 3 deny +ip 127.0.0.0 0.255.255.255 any log

    Note: the *ip* option is not available in the standard ACL of the CSR 1K Router.

     I have used an extended ACL (> 100, e.g. 150) to get the ip option:

        access-list 150 deny +ip 127.0.0.0 0.255.255.255 any log

    This started working, and the Nessus report stated passing.

     However, the default value for the Ingress ACL ID was populated by Nessus as 3.

     It needs to be checked whether ID 3 is valid in the case of a physical router.

     If the value is OK for a physical router, then at least a note should be mentioned below the field to update it appropriately for a virtual router.

  However, there are some defects whose resolution is still in progress.

  I will be updating the forum based on my findings, which might be useful information for other folks who might traverse the same path.

With Best Regards,

T.Deanesh
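To make the behaviour described in this thread reproducible offline, here is a small audit-style checker (added example, not Cisco's or Tenable's code). It assumes the `+` in the policy value `deny +ip` is a regex quantifier meaning "one or more spaces", so the check effectively requires the `ip` keyword, which only an extended numbered ACL (100-199, 2000-2699) can carry; the two sample configs are constructed from the ACL lines quoted in the posts.

```python
import re

# Policy value from the Nessus audit, read as a regex in which " +" means
# "one or more spaces" (assumption: that is what the '+' in "deny +ip" denotes).
POLICY_RE = re.compile(
    r"^access-list\s+(?P<acl>\d+)\s+deny +ip\s+127\.0\.0\.0\s+0\.255\.255\.255\s+any\s+log$"
)
# A standard ACL entry for the same network has no protocol keyword or destination.
STANDARD_RE = re.compile(
    r"^access-list\s+(?P<acl>\d+)\s+deny\s+127\.0\.0\.0\s+0\.255\.255\.255(\s+log)?$"
)

# IOS numbered ACL ranges: standard ACLs match on source only; extended ACLs
# take a protocol keyword ("ip") plus source and destination.
STANDARD_RANGES = ((1, 99), (1300, 1999))
EXTENDED_RANGES = ((100, 199), (2000, 2699))

def acl_kind(number):
    if any(lo <= number <= hi for lo, hi in STANDARD_RANGES):
        return "standard"
    if any(lo <= number <= hi for lo, hi in EXTENDED_RANGES):
        return "extended"
    return "unknown"

def check_loopback_acl(config, acl_id):
    """Audit a running-config for the NET0923 loopback-deny entry on acl_id."""
    kind = acl_kind(acl_id)
    lines = [l.strip() for l in config.splitlines()]
    for line in lines:
        m = POLICY_RE.match(line)
        if m and int(m.group("acl")) == acl_id:
            return {"status": "PASSED", "kind": kind, "reason": ""}
    for line in lines:
        m = STANDARD_RE.match(line)
        if m and int(m.group("acl")) == acl_id:
            reason = "entry lacks the 'ip ... any' form"
            if kind == "standard":
                reason += "; a standard ACL cannot carry it, use an extended ACL (100-199, 2000-2699)"
            return {"status": "FAILED", "kind": kind, "reason": reason}
    return {"status": "FAILED", "kind": kind, "reason": "no loopback deny entry found"}

# Constructed sample configs mirroring the two lines discussed in the thread.
ORIGINAL_CONFIG = "hostname CSR1000V\naccess-list 3 deny 127.0.0.0 0.255.255.255 log\n"
FIXED_CONFIG = "hostname CSR1000V\naccess-list 150 deny ip 127.0.0.0 0.255.255.255 any log\n"

if __name__ == "__main__":
    print(check_loopback_acl(ORIGINAL_CONFIG, 3))   # FAILED: standard ACL, no 'ip'
    print(check_loopback_acl(FIXED_CONFIG, 150))    # PASSED: extended ACL
```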
