STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated just now
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Nokia Service Router OS 25.x Router Security Technical Implementation Guide

V-283881

CAT II (Medium)

The Nokia router must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.

Rule ID

SV-283881r1203892_rule

STIG

Nokia Service Router OS 25.x Router Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-001368

Discussion

Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. Information flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, and firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet filtering capability based on header information, or provide a message filtering capability based on message content (e.g., implementing key word searches or using document characteristics).

Check Content

This requirement is not applicable for the DODIN Backbone.

Review the router configuration to verify access control lists (ACLs) and filters are configured to allow or deny traffic for specific source and destination addresses as well as ports and protocols.

Verify the IPv4 filter is applied on the interface using the command below: 

- show router interface "TO-PE2" detail | match "Ingress Filter"

Egress Filter    : none                 Ingress Filter    : 20

If the router is not configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies, this is a finding.

Fix Text

This requirement is not applicable for the DODIN Backbone.

Configure a filter to allow or deny traffic for specific source and destination addresses as well as ports and protocols, as shown in the example below: 

Create a port list:

- configure filter match-list port-list Filter-Server-Port-list create
- config>filter>match-list>port-list$ port 515
- config>filter>match-list>port-list$ port 631
- config>filter>match-list>port-list$ port 9100
- config>filter>match-list>port-list$ exit

Create an IPv4 filter:

- configure filter ip-filter 20 create
- config>filter>ip-filter$ entry 10 create
- config>filter>ip-filter>entry$ match protocol "tcp"
- config>filter>ip-filter>entry>match$ dst-ip 10.23.1.0/24
- config>filter>ip-filter>entry>match$ dst-port port-list "Filter-Server-Port-list"
- config>filter>ip-filter>entry$ action forward
- config>filter>ip-filter$ entry 20 create
- config>filter>ip-filter>entry$ match protocol "tcp"
- config>filter>ip-filter>entry>match$ dst-ip 10.23.2.0/24
- config>filter>ip-filter>entry>match$ dst-port port-list "Filter-Server-Port-list"
- config>filter>ip-filter>entry>match$ exit
- config>filter>ip-filter>entry$ action forward
- config>filter>ip-filter$ entry 30 create
- config>filter>ip-filter>entry$ match protocol "icmp"
- config>filter>ip-filter>entry>match$ exit
- config>filter>ip-filter>entry$ action forward
- config>filter>ip-filter>entry$ exit
- config>filter>ip-filter$ entry 40 create
- config>filter>ip-filter>entry$ match protocol "ospf-igp"
- config>filter>ip-filter>entry>match$ exit
- config>filter>ip-filter>entry$ action forward
- config>filter>ip-filter>entry$ exit
- config>filter>ip-filter$ default-action drop
- config>filter>ip-filter$ exit all

Apply the IPv4 filter on the interface:

- configure router interface "TO-PE2" ingress filter ip 20