################################################################################
DOCUMENT         : Cisco_IOS_Router_NDM_STIG
VERSION          : 003.006.004
CHECKSUM         : 8b72873070e3e5649ce907d82a2ef4d3689488c35c0986bdeab766bfbfc47107
MANUAL QUESTIONS : 6

IMPORTANT: Make sure to save the completed version of this file to: 
<SCC Install>/Resources/Content/Manual_Questions/Completed_Files

This file contains all of the non-automated STIG requirements found in the STIG.
Results from this file will be combined with automated checks in SCC to provide
complete STIG compliance results.

This file will be programmatically imported, so do not modify anything in this file
except for placing an '[X]' to select a Single answer, and entering text comments.

The list of questions is printed in order of severity, listing CAT I (High), then CAT II, etc.

################################################################################

QUESTION         : 1 of 6
TITLE            : CAT I, V-220137, SV-220137r961863, SRG-APP-000516-NDM-000351
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:8501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:8501
RULE             : The Cisco router must be running an IOS release that is currently supported by Cisco Systems.
QUESTION_TEXT    : Verify that the router is in compliance with this requirement by having the router administrator enter the following command: 

show version

Verify that the release is still supported by Cisco. All releases supported by Cisco can be found on the following URL:

www.cisco.com/c/en/us/support/ios-nx-os-software

If the router is not running a supported release, this is a finding.

References:
SV-105325
V-96187
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 1 *******************************

QUESTION         : 2 of 6
TITLE            : CAT II, V-215673, SV-215673r960897, SRG-APP-000097-NDM-000227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:2101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:2101
RULE             : The Cisco router must produce audit records containing information to establish where the events occurred.
QUESTION_TEXT    : Review the deny statements in all interface ACLs to determine if the log-input parameter has been configured as shown in the example below.
NOTE: log-input can only be applied to interface-bound ACLs.

ip access-list extended BLOCK_INBOUND
 deny  icmp any any log-input

If the router is not configured with the log-input parameter after any deny statements to note where packets have been dropped via an ACL, this is a finding.

References:
SV-105181
V-96043
CCI-000132
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 2 *******************************

QUESTION         : 3 of 6
TITLE            : CAT II, V-215696, SV-215696r961506, SRG-APP-000395-NDM-000310
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:5901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:5901
RULE             : The Cisco router must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).
QUESTION_TEXT    : Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below.

snmp-server group V3GROUP v3 auth read V3READ write V3WRITE 
snmp-server view V3READ iso included
snmp-server view V3WRITE iso included
snmp-server host x.x.x.x version 3 auth V3USER

Authentication used by the SNMP users can be viewed via the show snmp user command as shown in the example below.

R4#show snmp user

User name: V3USER
Engine ID: 800000090300C2042B540000
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: None
Group-name: V3GROUP

If the Cisco router is not configured to authenticate SNMP messages using a FIPS-validated HMAC, this is a finding.

References:
SV-105273
V-96135
CCI-001967
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 3 *******************************

QUESTION         : 4 of 6
TITLE            : CAT II, V-215697, SV-215697r961506, SRG-APP-000395-NDM-000310
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:6101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:6101
RULE             : The Cisco router must be configured to encrypt SNMP messages using a FIPS 140-2 approved algorithm.
QUESTION_TEXT    : Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below.

snmp-server group V3GROUP v3 priv read V3READ write V3WRITE
snmp-server view V3READ iso included
snmp-server view V3WRITE iso included
snmp-server host x.x.x.x version 3 auth V3USER

Encryption used by the SNMP users can be viewed via the show snmp user command as shown in the example below.

R4#show snmp user

User name: V3USER
Engine ID: 800000090300C2042B540000
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES256
Group-name: V3GROUP

If the Cisco router is not configured to encrypt SNMP messages using a FIPS 140-2 approved algorithm, this is a finding.

References:
SV-105275
V-96137
CCI-000068
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 4 *******************************
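Added example (not part of this SCC file or of the STIG): a Python audit of questions 2, 3 and 4 run over a saved running-config and the text of "show snmp user". The ACL names, user names and protocol strings in the constructed samples follow the examples above; the assumption that IOS prints protocol names exactly as shown there is noted in the code.

```python
# Constructed sample running-config excerpt: one deny entry with log-input, one without.
SAMPLE_CONFIG = """\
ip access-list extended BLOCK_INBOUND
 deny icmp any any log-input
ip access-list extended BLOCK_OUTBOUND
 deny tcp any any eq 23
"""
# Constructed 'show snmp user' output, trimmed to the lines these checks need.
SAMPLE_SHOW_SNMP_USER = """\
User name: V3USER
Authentication Protocol: SHA
Privacy Protocol: None

User name: V3PRIVUSER
Authentication Protocol: MD5
Privacy Protocol: AES256
"""

def deny_entries_without_log_input(config):
    # V-215673: every deny statement in an ACL must carry log-input.
    findings, acl = [], None
    for line in config.splitlines():
        if line.startswith("ip access-list"):
            acl = line.split()[-1]
        elif acl and line.split()[:1] == ["deny"] and "log-input" not in line.split():
            findings.append((acl, line.strip()))
    return findings

def snmp_users(show_output):
    # Parse 'show snmp user' into {user: {"auth": protocol, "priv": protocol}}.
    users, current = {}, None
    for line in show_output.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "User name":
            current = users.setdefault(value, {})
        elif current is not None and key in ("Authentication Protocol", "Privacy Protocol"):
            current["auth" if key.startswith("Auth") else "priv"] = value
    return users

def snmp_findings(show_output):
    # V-215696: auth must be an HMAC-SHA variant; V-215697: privacy must be AES.
    # MD5, DES and None fail. Assumes IOS prints protocol names as in the sample above.
    bad = []
    for user, proto in snmp_users(show_output).items():
        if not proto.get("auth", "").upper().startswith("SHA"):
            bad.append((user, "auth", proto.get("auth")))
        if not proto.get("priv", "").upper().startswith("AES"):
            bad.append((user, "priv", proto.get("priv")))
    return sorted(bad)
```

Any non-empty result from either function is a finding for the corresponding question; an empty list means the sampled configuration and users pass.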

QUESTION         : 5 of 6
TITLE            : CAT II, V-215701, SV-215701r961620, SRG-APP-000435-NDM-000315
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:6901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:6901
RULE             : The Cisco router must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.
QUESTION_TEXT    : Review the Cisco router configuration to verify that it is compliant with this requirement. 

Step 1: Verify traffic types have been classified based on importance levels. The following is an example configuration: 

class-map match-all CoPP_CRITICAL 
match access-group name CoPP_CRITICAL 
class-map match-any CoPP_IMPORTANT 
match access-group name CoPP_IMPORTANT 
match protocol arp 
class-map match-all CoPP_NORMAL 
match access-group name CoPP_NORMAL 
class-map match-any CoPP_UNDESIRABLE 
match access-group name CoPP_UNDESIRABLE 
class-map match-all CoPP_DEFAULT 
match access-group name CoPP_DEFAULT 

Step 2: Review the ACLs referenced by the class maps to determine if the traffic is being classified appropriately. The following is an example configuration: 

ip access-list extended CoPP_CRITICAL 
remark our control plane adjacencies are critical 
permit ospf host [OSPF neighbor A] any 
permit ospf host [OSPF neighbor B] any 
permit pim host [PIM neighbor A] any 
permit pim host [PIM neighbor B] any 
permit pim host [RP addr] any 
permit igmp any 224.0.0.0 15.255.255.255 
permit tcp host [BGP neighbor] eq bgp host [local BGP addr] 
permit tcp host [BGP neighbor] host [local BGP addr] eq bgp 
deny ip any any 

ip access-list extended CoPP_IMPORTANT 
permit tcp host [TACACS server] eq tacacs any 
permit tcp [management subnet] 0.0.0.255 any eq 22 
permit udp host [SNMP manager] any eq snmp 
permit udp host [NTP server] eq ntp any 
deny ip any any 

ip access-list extended CoPP_NORMAL 
remark we will want to rate limit ICMP traffic 
permit icmp any any echo 
permit icmp any any echo-reply 
permit icmp any any time-exceeded 
permit icmp any any unreachable 
deny ip any any 

ip access-list extended CoPP_UNDESIRABLE 
remark other management plane traffic that should not be received 
permit udp any any eq ntp 
permit udp any any eq snmp
permit tcp any any eq 22 
permit tcp any any eq 23 
remark other control plane traffic not configured on router 
permit eigrp any any 
permit udp any any eq rip 
deny ip any any 

ip access-list extended CoPP_DEFAULT 
permit ip any any 

Note: Explicitly defining undesirable traffic with ACL entries enables the network operator to collect statistics. Excessive ARP packets can potentially monopolize Route Processor resources, starving other important processes. Currently, ARP is the only Layer 2 protocol that can be specifically classified using the match protocol command. 

Step 3: Review the policy-map to determine if the traffic is being policed appropriately for each classification. The following is an example configuration: 

policy-map CONTROL_PLANE_POLICY 
class CoPP_CRITICAL 
police 512000 8000 conform-action transmit exceed-action transmit 
class CoPP_IMPORTANT 
police 256000 4000 conform-action transmit exceed-action drop 
class CoPP_NORMAL 
police 128000 2000 conform-action transmit exceed-action drop 
class CoPP_UNDESIRABLE 
police 8000 1000 conform-action drop exceed-action drop 
class CoPP_DEFAULT
police 64000 1000 conform-action transmit exceed-action drop 

Step 4: Verify that the CoPP policy is enabled. The following is an example configuration: 

control-plane 
service-policy input CONTROL_PLANE_POLICY 

Note: Control Plane Protection (CPPr) can be used to filter as well as police control plane traffic destined to the RP. CPPr is very similar to CoPP and has the ability to filter and police traffic using finer granularity by dividing the aggregate control plane into three separate categories: (1) host, (2) transit, and (3) CEF-exception. Hence, a separate policy-map could be configured for each traffic category.

If the Cisco router is not configured to protect against known types of DoS attacks by employing organization-defined security safeguards, this is a finding.

References:
SV-105287
V-96149
CCI-002385
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 5 *******************************
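Added example (not part of this SCC file or of the STIG): a Python check that applies Steps 1 through 4 above to a saved running-config, reporting class-maps whose ACLs are undefined, policy-map classes without a police action, and a missing inbound service-policy on the control plane. The constructed sample is abbreviated from the example configuration above and assumes aggregate CoPP (a single "control-plane" block), not the CPPr sub-interfaces mentioned in the note.

```python
import re

# Constructed sample config, abbreviated from the STIG example above, with two
# deliberate gaps: no ACL named CoPP_NORMAL and no police action for CoPP_DEFAULT.
SAMPLE_CONFIG = """\
class-map match-all CoPP_CRITICAL
 match access-group name CoPP_CRITICAL
class-map match-all CoPP_NORMAL
 match access-group name CoPP_NORMAL
class-map match-all CoPP_DEFAULT
 match access-group name CoPP_DEFAULT
ip access-list extended CoPP_CRITICAL
 permit ospf any any
 deny ip any any
ip access-list extended CoPP_DEFAULT
 permit ip any any
policy-map CONTROL_PLANE_POLICY
 class CoPP_CRITICAL
  police 512000 8000 conform-action transmit exceed-action transmit
 class CoPP_NORMAL
  police 128000 2000 conform-action transmit exceed-action drop
 class CoPP_DEFAULT
control-plane
 service-policy input CONTROL_PLANE_POLICY
"""

def copp_findings(config):
    # Steps 1-2: collect class-maps and the ACLs they reference; every ACL must exist.
    acls = set(re.findall(r"^ip access-list \w+ (\S+)", config, re.M))
    classes = {}
    for cls, body in re.findall(r"^class-map \S+ (\S+)\n((?: .*\n)*)", config, re.M):
        classes[cls] = re.findall(r"match access-group name (\S+)", body)
    # Step 3: every class under the policy-map must carry a police action.
    policies = {}
    for pmap, body in re.findall(r"^policy-map (\S+)\n((?: .*\n)*)", config, re.M):
        policies[pmap] = dict(re.findall(r"^ class (\S+)\n(^  police .*)?", body, re.M))
    # Step 4: the policy must be applied inbound on the control plane.
    applied = re.search(r"^control-plane\n(?: .*\n)*? service-policy input (\S+)", config, re.M)
    issues = []
    for cls, refs in classes.items():
        issues += [f"class-map {cls} references undefined ACL {a}" for a in refs if a not in acls]
    for pmap, cmap in policies.items():
        issues += [f"policy-map {pmap}: class {c} is not a defined class-map" for c in cmap if c not in classes]
        issues += [f"policy-map {pmap}: class {c} has no police action" for c, p in cmap.items() if not p]
    if not applied or applied.group(1) not in policies:
        issues.append("control-plane has no 'service-policy input' referencing a defined policy-map")
    return issues
```

Whether the rates and actions in each police statement are appropriate for the site is still a judgement call for the reviewer; the script only establishes that the structure required by the four steps is present.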

QUESTION         : 6 of 6
TITLE            : CAT II, V-215711, SV-215711r991834, SRG-APP-000516-NDM-000344
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:8101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:8101
RULE             : The Cisco router must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.
QUESTION_TEXT    : Review the router configuration to determine if a CA trust point has been configured. The CA trust point will contain the URL of the CA with which the router has enrolled. Verify this is a DOD or DOD-approved CA. This will ensure the router has enrolled and received a certificate from a trusted CA. The CA trust point configuration would look similar to the example below.

crypto pki trustpoint CA_X
 enrollment url http://trustpoint1.example.com

Note: A remote end-point's certificate will always be validated by the router by verifying the signature of the CA on the certificate using the CA's public key, which is contained in the router's certificate it received at enrollment.

Note: This requirement is not applicable if the router does not have any public key certificates.

If the Cisco router is not configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.

References:
SV-105319
V-96181
CCI-001159
CCI-004909
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 6 *******************************

