STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated just now
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to RUCKUS ICX Router Security Technical Implementation Guide

V-273585

CAT I (High)

The RUCKUS ICX perimeter router must be configured to protect an enclave connected to an alternate gateway by using an inbound filter that only permits packets with destination addresses within the site's address space.

Rule ID

SV-273585r1111051_rule

STIG

RUCKUS ICX Router Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-001414

Discussion

Enclaves with alternate gateway connections must take additional steps to ensure there is no compromise on the enclave network or NIPRNet. Without verifying the destination address of traffic coming from the site's alternate gateway, the perimeter router could be routing transit data from the internet into the NIPRNet. This could also make the perimeter router vulnerable to a denial-of-service (DoS) attack as well as provide a back door into the NIPRNet. The DOD enclave must ensure the ingress filter applied to external interfaces on a perimeter router connecting to an Approved Gateway is secure through filters permitting packets with a destination address belonging to the DOD enclave's address block.

Check Content

This requirement is not applicable for the DODIN Backbone.

Review the configuration of each router interface connecting to an alternate gateway.

1. Verify an ACL exists to allow only desired traffic (example includes SSL hosts).
ip access-list extended FILTER_ISP
 sequence 10 permit tcp any any established
 sequence 20 permit icmp host x.12.1.16 host x.12.1.17 echo
 sequence 30 permit icmp host x.12.1.16 host x.12.1.17 echo-reply
 sequence 40 permit tcp any host x.12.1.22 eq ssl
 sequence 50 permit tcp any host x.12.1.23 eq ssl
 sequence 60 permit esp any host x.12.1.24
 sequence 70 permit ahp any host x.12.1.24
 sequence 80 deny ip any any log
!

2. Check that ACL is applied to alternative gateway interface.
interface ethernet 1/1/10
 ip address x.12.1.10 255.255.255.0
 ip access-group FILTER_ISP in
!

If the alternative gateway interface is not configured with an ACL permitting only the destination addresses in the sites address space, this is a finding.

Fix Text

This requirement is not applicable for the DODIN Backbone. 

Configure the ingress filter of the perimeter router connected to an alternate gateway to only permit packets with destination addresses of the site's NIPRNet address space or a destination address belonging to the address block assigned by the alternate gateway network service provider.

1. Configure an ACL that exists to allow only desired traffic (example includes SSL hosts).
ip access-list extended FILTER_ISP
 sequence 10 permit tcp any any established
 sequence 20 permit icmp host x.12.1.16 host x.12.1.17 echo
 sequence 30 permit icmp host x.12.1.16 host x.12.1.17 echo-reply
 sequence 40 permit tcp any host x.12.1.22 eq ssl
 sequence 50 permit tcp any host x.12.1.23 eq ssl
 sequence 60 permit esp any host x.12.1.24
 sequence 70 permit ahp any host x.12.1.24
 sequence 80 deny ip any any log
!

2. Apply the ACL to alternative gateway interface.
interface ethernet 1/1/10
 ip address x.12.1.10 255.255.255.0
 ip access-group FILTER_ISP in
!