STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated just now
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to RUCKUS ICX Router Security Technical Implementation Guide

V-273569

CAT II (Medium)

The RUCKUS ICX router must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.

Rule ID

SV-273569r1110905_rule

STIG

RUCKUS ICX Router Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-001368

Discussion

Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. Information flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, and firewalls) that employ rule sets or establish how configuration settings that restrict information system services, provide a packet filtering capability based on header information, or provide a message filtering capability based on message content (e.g., implementing key word searches or using document characteristics).

Check Content

This requirement is not applicable for the DODIN Backbone.

Review the router configuration to verify that access control lists (ACLs) and filters are configured to allow or deny traffic for specific source and destination addresses as well as ports and protocols. 

In this example, SSL traffic is permitted to a specific internal host.  

interface ethernet 1/1/10
 port-name Link_to_DISN
 ip address x.12.1.10 255.255.255.0
 ip access-group Filter_Perimeter in
!
ip access-list extended Filter_Perimeter
 sequence 10 permit tcp any any established
 sequence 20 permit tcp host x.12.1.9 host x.12.1.10 eq bgp
 sequence 30 permit tcp host x.12.1.9 eq bgp host x.12.1.10
 sequence 40 permit icmp host x.12.1.9 host x.12.1.10 echo
 sequence 50 permit icmp host x.12.1.9 host x.12.1.10 echo-reply
 sequence 60 permit tcp any host x.12.1.22 eq ssl
 sequence 70 deny ip any any log

If the router is not configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies, this is a finding.

Fix Text

This requirement is not applicable for the DODIN Backbone.

Configure ACLs and filters to allow or deny traffic for specific source and destination addresses as well as ports and protocols.

1. Configure access-list filter to control flow of information between interconnected networks in accordance with appliable policy. In this example, SSL traffic is permitted to a specific internal host.  
ip access-list extended Filter_Perimeter
 sequence 10 permit tcp any any established
 sequence 20 permit tcp host x.12.1.9 host x.12.1.10 eq bgp
 sequence 30 permit tcp host x.12.1.9 eq bgp host x.12.1.10
 sequence 40 permit icmp host x.12.1.9 host x.12.1.10 echo
 sequence 50 permit icmp host x.12.1.9 host x.12.1.10 echo-reply
 sequence 60 permit tcp any host x.12.1.22 eq ssl
 sequence 70 deny ip any any log

2. Apply access list to external interface.
interface ethernet 1/1/10
 port-name Link_to_DISN
 ip address x.12.1.10 255.255.255.0
 ip access-group Filter_Perimeter in
!