Check: NET2016
Network Infrastructure Policy STIG:
NET2016
(in versions v10 r6 through v9 r2)
Title
Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping must be implemented within the network access layer. (Cat III impact)
Discussion
The last-hop router sends the multicast packet out the interface towards the LAN containing interested receivers. The default behavior for a Layer 2 switch is to forward all multicast traffic out every access switch port that belongs to the VLAN. IGMP snooping is a mechanism used by "Layer 3 aware" switches to maintain a Layer 2 multicast table by examining all IGMP join and leave messages (destined to the all-routers multicast address 224.0.0.2) sent between hosts and the multicast routers on the LAN. This enables the switch to forward multicast packets only out the access switch ports with connected hosts that have subscribed to the multicast group, thereby reducing the load on the switching backplane and eliminating unwanted traffic to uninterested hosts.
Check Content
Review the access switches connected to multicast last-hop routers to determine if IGMP snooping is enabled. The following are switch configuration examples with IGMP snooping enabled globally and on a per-VLAN basis:

Enable IGMP snooping globally:
    ip igmp snooping

Enable IGMP snooping for a VLAN:
    ip igmp snooping vlan 7

If any switches within the ICAN access layer do not have IGMP or MLD snooping enabled, this is a finding.
Fix Text
Configure the switch to implement IGMP or MLD snooping, ensuring multicast traffic for any given multicast group is forwarded to only those hosts that have joined the group.
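The review above can be scripted across a fleet of access switches. The following is an added example (not part of the STIG) that evaluates one switch configuration listing for the global and per-VLAN "ip igmp snooping" statements shown in the check content; it assumes the listing states the snooping state explicitly and covers the IGMP commands only, not MLD. The sample configuration is constructed, not taken from a real device.

```python
import re

# Constructed sample of an access-switch configuration listing (not from any
# real device). Snooping state is assumed to be stated explicitly.
SAMPLE_CONFIG = """\
hostname access-sw-1
ip igmp snooping
ip igmp snooping vlan 7
no ip igmp snooping vlan 20
interface Vlan7
 description USERS
interface Vlan20
 description VOICE
interface Vlan30
 description PRINTERS
"""

GLOBAL_RE = re.compile(r"^(no )?ip igmp snooping$", re.M)
VLAN_RE = re.compile(r"^(no )?ip igmp snooping vlan (\d+)$", re.M)
SVI_RE = re.compile(r"^interface Vlan(\d+)$", re.M)


def audit_igmp_snooping(config: str) -> dict:
    """Evaluate NET2016 for one switch configuration listing.

    Returns {'global': bool|None, 'vlans': {vlan_id: bool}, 'findings': [str]}.
    A VLAN is compliant when snooping is enabled globally and the VLAN is not
    explicitly disabled; a per-VLAN enable cannot override a global disable.
    """
    global_state = None                        # None: not stated in the listing
    for m in GLOBAL_RE.finditer(config):
        global_state = m.group(1) is None      # last statement wins
    explicit = {int(m.group(2)): m.group(1) is None for m in VLAN_RE.finditer(config)}
    vlans = sorted({int(m.group(1)) for m in SVI_RE.finditer(config)} | set(explicit))

    findings, per_vlan = [], {}
    global_on = global_state is True
    if global_state is None:
        findings.append("global IGMP snooping state not stated in listing")
    elif not global_state:
        findings.append("IGMP snooping disabled globally")
    for vid in vlans:
        enabled = global_on and explicit.get(vid, True)
        per_vlan[vid] = enabled
        if global_on and not enabled:
            findings.append(f"vlan {vid}: IGMP snooping explicitly disabled")
    return {"global": global_state, "vlans": per_vlan, "findings": findings}


if __name__ == "__main__":
    result = audit_igmp_snooping(SAMPLE_CONFIG)
    print("FINDING" if result["findings"] else "NOT A FINDING")
    for line in result["findings"]:
        print(" -", line)
```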
Additional Identifiers
Rule ID: SV-251398r853659_rule
Vulnerability ID: V-251398
Group Title: NET2016
CCIs
Number | Definition
---|---
CCI-001095 | The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.
CCI-001549 | The organization defines the information flow control policies for controlling the flow of information between interconnected systems.
CCI-002385 | The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards.
CCI-002415 | The organization employs boundary protection mechanisms to separate organization-defined information system components supporting organization-defined missions and/or business functions.