The perimeter router must be configured to not be a Border Gateway Protocol (BGP) peer to an alternate gateway service provider.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
high	V-269861	SRG-NET-000019-RTR-000009	OS10-RTR-000180	SV-269861r1052431_rule	2024-12-11	1

Description
ISPs use BGP to share route information with other autonomous systems (i.e., other ISPs and corporate networks). If the perimeter router was configured to BGP peer with an ISP, NIPRnet routes could be advertised to the ISP; thereby creating a backdoor connection from the internet to the NIPRnet.

ℹ️ Check
This requirement is not applicable for the DODIN Backbone. Review the configuration of the router connecting to the alternate gateway. Verify there are no BGP neighbors configured to the remote AS that belongs to the alternate gateway service provider. OS10# show running-configuration bgp ! router bgp 10 ! neighbor 50.1.1.1 ! address-family ipv4 unicast ... ! neighbor 120.100.5.2 ! address-family ipv6 unicast ... ! ... If there are BGP neighbors connecting the remote AS of the alternate gateway service provider, this is a finding.

ℹ️ Check

This requirement is not applicable for the DODIN Backbone. Review the configuration of the router connecting to the alternate gateway. Verify there are no BGP neighbors configured to the remote AS that belongs to the alternate gateway service provider. OS10# show running-configuration bgp ! router bgp 10 ! neighbor 50.1.1.1 ! address-family ipv4 unicast ... ! neighbor 120.100.5.2 ! address-family ipv6 unicast ... ! ... If there are BGP neighbors connecting the remote AS of the alternate gateway service provider, this is a finding.

✔️ Fix
This requirement is not applicable for the DODIN Backbone. Configure the router such that there are no BGP neighbors configured to the remote AS that belongs to the alternate gateway service provider. OS10(config)# router bgp 10 OS10(config-router-bgp-10)# no neighbor 120.100.5.2