An error occurred:

Check: SRG-NET-000205-RTR-000001

Router SRG: SRG-NET-000205-RTR-000001 (in versions v5 r1 through v4 r1)

Title

The router must be configured to restrict traffic destined to itself. (Cat I impact)

Discussion

The route processor handles traffic destined to the router—the key component used to build forwarding paths and is also instrumental with all network management functions. Hence, any disruption or DoS attack to the route processor can result in mission critical network outages.

Check Content

Review the access control list (ACL) or filter for the router receive path and verify that it will only process specific management plane and control plane traffic from specific sources. If the router is not configured with a receive-path filter to restrict traffic destined to itself, this is a finding. Note: If the platform does not support the receive path filter, verify that all Layer 3 interfaces have an ingress ACL to control what packets are allowed to be destined to the router for processing.

Fix Text

Configure all routers with receive path filters to restrict traffic destined to the router.

Additional Identifiers

Rule ID: SV-207133r604135_rule

Vulnerability ID: V-207133

Group Title: SRG-NET-000205

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001097

Monitor and control communications at the external managed interfaces to the system and at key managed interfaces within the system.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SC-7

Boundary Protection