STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated just now
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to RUCKUS ICX Router Security Technical Implementation Guide

V-273607

CAT II (Medium)

The RUCKUS ICX perimeter router must be configured to filter traffic destined to the enclave in accordance with the guidelines contained in DOD Instruction 8551.1.

Rule ID

SV-273607r1110919_rule

STIG

RUCKUS ICX Router Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-001097

Discussion

Vulnerability assessments must be reviewed by the system administrator, and protocols must be approved by the information assurance (IA) staff before entering the enclave. Access control lists (ACLs) are the first line of defense in a layered security approach. They permit authorized packets and deny unauthorized packets based on port or service type. They enhance the posture of the network by not allowing packets to reach a potential target within the security domain. The lists provided are highly susceptible ports and services that should be blocked or limited as much as possible without adversely affecting customer requirements. Auditing packets attempting to penetrate the network but that are stopped by an ACL will allow network administrators to broaden their protective ring and more tightly define the scope of operation. If the perimeter is in a Deny-by-Default posture and what is allowed through the filter is in accordance with DOD Instruction 8551.1, and if the permit rule is explicitly defined with explicit ports and protocols allowed, then all requirements related to PPS being blocked would be satisfied.

Check Content

Review the external and internal Access Control Lists (ACLs) to verify the router is configured to filter traffic destined to the enclave in accordance with the guidelines contained in DOD Instruction 8551.1.

If the router does not filter traffic in accordance with the guidelines contained in DOD 8551, this is a finding.

Fix Text

Configure the router to use ingress ACLs to restrict traffic in accordance with the guidelines contained in DOD Instruction 8551.1 for all services and protocols required for operational commitments.

1. Create ACLs for external and internal interfaces in accordance with site security policy (addresses and protocols may vary).
ICX(config)#ip access-list ext EXT-ACL
ICX(config-ext-ipacl-EXT-ACL)#permit tcp host x.11.1.1 eq bgp host x.11.1.2
ICX(config-ext-ipacl-EXT-ACL)#permit tcp host x.11.1.1 host x.11.1.2 eq bgp
ICX(config-ext-ipacl-EXT-ACL)#permit icmp host x.11.1.1 host x.11.1.2 echo
ICX(config-ext-ipacl-EXT-ACL)#permit icmp host x.11.1.1 host x.11.1.2 echo-reply
...
(IAW DOD INST 8551.1)
...
ICX(config-ext-ipacl-EXT-ACL)#deny ip host x.11.1.1 host x.11.1.2 log
ICX(config-ext-ipacl-EXT-ACL)#exit

ICX(config)#ip access-list ext INT-ACL
ICX(config-ext-ipacl-INT-ACL)#permit icmp any any
ICX(config-ext-ipacl-INT-ACL)#permit ospf host 10.1.12.1 host 10.1.12.2
ICX(config-ext-ipacl-INT-ACL)#permit tcp 10.2.1.0/24 host 10.1.12.2 eq 22
ICX(config-ext-ipacl-INT-ACL)#permit tcp 10.2.1.0/24 host 10.1.12.2 eq radius
ICX(config-ext-ipacl-INT-ACL)#permit udp 10.2.1.0/24 host 10.1.12.2 eq snmp
ICX(config-ext-ipacl-INT-ACL)#permit udp 10.2.1.0/24 host 10.1.12.2 eq ntp
ICX(config-ext-ipacl-INT-ACL)#deny ip any host 10.1.12.2 log

2. Apply ACLs to appropriate interfaces.
ICX(config)# interface ethernet x/x/x
ICX(config-if-e1000-x/x/x)#ip access-group EXT-ACL in logging enable
ICX(config-if-e1000-x/x/x)# interface ethernet y/y/y
ICX(config-if-e1000-y/y/y)#ip access-group INT-ACL in logging enable