The Cisco IOS XE router must enforce that Interior Gateway Protocol instances configured on the out-of-band management gateway router only peer with their own routing domain.
The Cisco IOS XE router must encrypt all methods of configured authentication for routing protocols.

Additionally, unrestricted traffic may transit a network, which uses bandwidth. Unrestricted traffic may contain malicious traffic that poses a threat to an enclave or to other connected networks.

The Cisco IOS XE router must only allow incoming communications from authorized sources to be routed to authorized destinations. The perimeter defense has no oversight or control of.

The Cisco IOS XE router must be configured to disable non-essential capabilities.

A compromised router introduces risk to the entire network infrastructure as well as data resources that are accessible via the network.
This diverted traffic could be analyzed to.
The Cisco IOS XE router must enable neighbor router authentication for control plane protocols.

A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. If the keys used for routing protocol authentication are guessed, the malicious user could create havoc within the network by advertising incorrect routes and redirecting traffic.

The Cisco IOS XE router must be configured so that any key used for authenticating Interior Gateway Protocol peers does not have a duration exceeding 180 days. This is a common practice in "botnets", which are a collection of.

The Cisco IOS XE router must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding.

A compromised host in an enclave can be used by a malicious actor as a platform to launch cyber attacks on third parties. Unauthorized personnel with access to the communication facility could.

The Cisco IOS XE router must be configured so inactive interfaces are disabled.

An inactive interface is rarely monitored or controlled and may expose a network to an undetected attack on that interface. If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel.

Administrative scoped multicast addresses are.

The Cisco IOS XE router must establish boundaries for IPv6 Admin-Local, IPv6 Site-Local, IPv6 Organization-Local scope, and IPv4 Local-Scope multicast traffic. Without verifying the destination address of traffic.
The Cisco IOS XE router must protect an enclave connected to an Alternate Gateway by using an inbound filter that only permits packets with destination addresses within the site's address space.

Enclaves with Alternate Gateway connections must take additional steps to ensure there is no compromise on the enclave network or NIPRNet.

Findings (MAC III - Administrative Sensitive) Finding ID