An error occurred:

Check: RCKS-L2S-000130

RUCKUS ICX Layer 2 Switch STIG: RCKS-L2S-000130 (in version v1 r1)

Title

The RUCKUS ICX switch must have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources. (Cat II impact)

Discussion

In an enterprise network, devices under administrative control are trusted sources. These devices include the switches, routers, and servers in the network. Host ports and unknown DHCP servers are considered untrusted sources. An unknown DHCP server on the network on an untrusted port is called a spurious DHCP server, any device (PC, Wireless Access Point) loaded with DHCP server enabled. The DHCP snooping feature determines whether traffic sources are trusted or untrusted. The potential exists for a spurious DHCP server to respond to DHCPDISCOVER messages before the real server has time to respond. DHCP snooping allows switches on the network to trust the port a DHCP server is connected to and not trust the other ports. The DHCP snooping feature validates DHCP messages received from untrusted sources and filters out invalid messages as well as rate-limits DHCP traffic from trusted and untrusted sources. DHCP snooping feature builds and maintains a binding database, which contains information about untrusted hosts with leased IP addresses, and it uses the database to validate subsequent requests from untrusted hosts. Other security features, such as IP Source Guard and Dynamic Address Resolution Protocol (ARP) Inspection (DAI), also use information stored in the DHCP snooping binding database. Hence, it is imperative that the DHCP snooping feature is enabled on all VLANs.

Check Content

Review switch configuration for DHCP snooping on all user VLANs. ! ip dhcp snooping vlan 100 ! interface ethernet x/x/x port-name toward_dhcp_srvr dhcp snooping trust If DHCP Snooping is not configured on user VLANs to validate DHCP messages from untrusted sources, this is a finding.

Fix Text

Configure the switch to have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources. 1. Configure user VLANs for DHCP snooping. ICX#configure terminal ICX(config)#ip dhcp snooping vlan 100 to 101 150 2. Configure port(s) to be trusted. ICX(config)# interface ethernet x/x/x ICX(config-if-e1000-x/x/x) dhcp snooping trust

Additional Identifiers

Rule ID: SV-273681r1111008_rule

Vulnerability ID: V-273681

Group Title: SRG-NET-000362-L2S-000025

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-002385

Protect against or limit the effects of organization-defined types of denial-of-service events.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SC-5

Denial of Service Protection