Check: RCKS-RTR-000380
RUCKUS ICX Router STIG: RCKS-RTR-000380 (in version v1 r1)
Title
The RUCKUS ICX router must be configured to restrict traffic destined to itself. (Cat I impact)
Discussion
The route processor handles traffic destined to the router; it is the key component used to build forwarding paths and is instrumental in all network management functions. Hence, any disruption or denial-of-service (DoS) attack against the route processor can result in mission-critical network outages.
Check Content
Review the external and internal Access Control Lists (ACLs) to verify the router is configured to only allow specific management and control plane traffic from specific sources destined to itself (addresses and protocols may vary).

1. Review the access lists.

ip access-list extended EXT-ACL
 sequence 10 permit tcp host x.11.1.1 eq bgp host x.11.1.2
 sequence 20 permit tcp host x.11.1.1 host x.11.1.2 eq bgp
 sequence 30 permit icmp host x.11.1.1 host x.11.1.2 echo
 sequence 40 permit icmp host x.11.1.1 host x.11.1.2 echo-reply
 sequence 50 deny ip host x.11.1.1 host x.11.1.2 log
 permit … … … …
 deny ip any any log
!
ip access-list extended INT-ACL
 sequence 10 permit icmp any any
 sequence 20 permit ospf host 10.1.12.1 host 10.1.12.2
 sequence 30 permit tcp 10.2.1.0 0.0.0.255 host 10.1.12.2 eq ssh
 sequence 40 permit tcp 10.2.1.0 0.0.0.255 host 10.1.12.2 eq radius
 sequence 50 permit udp 10.2.1.0 0.0.0.255 host 10.1.12.2 eq snmp
 sequence 60 permit udp 10.2.1.0 0.0.0.255 host 10.1.12.2 eq ntp
 sequence 70 deny ip any host 10.1.12.2 log
 permit … … … …
 deny ip any any log
!

2. Verify ACLs are applied to desired interfaces.

interface ethernet x/x/x
 ip address x.11.1.2/31
 ip access-group EXT-ACL in logging enable
!
interface ethernet x/x/x
 ip address 10.1.12.2 255.255.255.0
 ip access-group INT-ACL in logging enable

If the router is not configured to restrict traffic destined to itself, this is a finding.
Fix Text
Configure all routers with receive path filters to restrict traffic destined to the router.

1. Create ACLs for external and internal interfaces in accordance with site security policy (addresses and protocols may vary).

ICX(config)#ip access-list ext EXT-ACL
ICX(config-ext-ipacl-EXT-ACL)#permit tcp host x.11.1.1 eq bgp host x.11.1.2
ICX(config-ext-ipacl-EXT-ACL)#permit tcp host x.11.1.1 host x.11.1.2 eq bgp
ICX(config-ext-ipacl-EXT-ACL)#permit icmp host x.11.1.1 host x.11.1.2 echo
ICX(config-ext-ipacl-EXT-ACL)#permit icmp host x.11.1.1 host x.11.1.2 echo-reply
ICX(config-ext-ipacl-EXT-ACL)#deny ip host x.11.1.1 host x.11.1.2 log
ICX(config-ext-ipacl-EXT-ACL)#exit
ICX(config)#ip access-list ext INT-ACL
ICX(config-ext-ipacl-INT-ACL)#permit icmp any any
ICX(config-ext-ipacl-INT-ACL)#permit ospf host 10.1.12.1 host 10.1.12.2
ICX(config-ext-ipacl-INT-ACL)#permit tcp 10.2.1.0/24 host 10.1.12.2 eq 22
ICX(config-ext-ipacl-INT-ACL)#permit tcp 10.2.1.0/24 host 10.1.12.2 eq radius
ICX(config-ext-ipacl-INT-ACL)#permit udp 10.2.1.0/24 host 10.1.12.2 eq snmp
ICX(config-ext-ipacl-INT-ACL)#permit udp 10.2.1.0/24 host 10.1.12.2 eq ntp
ICX(config-ext-ipacl-INT-ACL)#deny ip any host 10.1.12.2 log

2. Apply ACLs to appropriate interfaces.

ICX(config)# interface ethernet x/x/x
ICX(config-if-e1000-x/x/x)#ip access-group EXT-ACL in logging enable
ICX(config-if-e1000-x/x/x)# interface ethernet y/y/y
ICX(config-if-e1000-y/y/y)#ip access-group INT-ACL in logging enable
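One way to audit a saved running-config against this check, as an added example that is not part of the STIG or of any RUCKUS tooling: it parses the sequence-numbered ACL listing in the format shown under Check Content and, for each interface that has an address and an inbound access-group, reports whether the first entry matching plain IP traffic to that address is a deny (the STIG's "deny ip any host <router> log" pattern), letting narrower protocol and port permits precede it. The sample config, the interface number and the `protects_self` rule of thumb are assumptions; a real review still reads the whole ACL.

```python
import ipaddress, re
# Constructed sample config modelled on the STIG's INT-ACL; the interface number is assumed.
SAMPLE_CONFIG = """
ip access-list extended INT-ACL
 sequence 10 permit icmp any any
 sequence 20 permit ospf host 10.1.12.1 host 10.1.12.2
 sequence 30 permit tcp 10.2.1.0 0.0.0.255 host 10.1.12.2 eq ssh
 sequence 70 deny ip any host 10.1.12.2 log
 sequence 80 permit ip any any
interface ethernet 1/1/1
 ip address 10.1.12.2 255.255.255.0
 ip access-group INT-ACL in logging enable
"""
def parse_config(text):
    """Collect ACL entries (sequence numbers stripped) and each interface's address and inbound ACL."""
    acls, ifaces, cur = {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"ip access-list (?:extended|ext) (\S+)", line):
            cur = acls.setdefault(m.group(1), [])
        elif m := re.match(r"interface (\S+ \S+)", line):
            cur = ifaces.setdefault(m.group(1), {})
        elif isinstance(cur, list) and line.startswith("sequence "):
            cur.append(line.split(maxsplit=2)[2])
        elif isinstance(cur, dict) and (m := re.match(r"ip (address|access-group) (\S+)", line)):
            cur[m.group(1)] = m.group(2).split("/")[0]   # keep the address, drop any /len
    return acls, ifaces

def covers(tok, ip):
    """Consume one ACL address spec; return (whether it covers ip, remaining tokens)."""
    if tok[0] == "any": return True, tok[1:]
    if tok[0] == "host": return tok[1] == ip, tok[2:]
    n = 1 if "/" in tok[0] else 2          # prefix/len, or address plus wildcard (host) mask
    net = ipaddress.ip_network("/".join(tok[:n]), strict=False)
    return ipaddress.ip_address(ip) in net, tok[n:]

def protects_self(entries, ip):
    """True if the first entry matching plain IP traffic to the router's own address is a deny."""
    for tok in (e.split() for e in entries):
        action, proto, rest = tok[0], tok[1], tok[2:]
        _, rest = covers(rest, ip)                       # source address
        if rest[:1] == ["eq"]: rest = rest[2:]           # optional source port qualifier
        if covers(rest, ip)[0] and proto == "ip":
            return action == "deny"
    return False      # no explicit rule for the router address: not demonstrably restricted

def audit(text):
    """Map each interface to whether inbound traffic to its own address is filtered."""
    acls, ifaces = parse_config(text)
    return {n: i.get("access-group") in acls and "address" in i
               and protects_self(acls[i["access-group"]], i["address"])
            for n, i in ifaces.items()}
```

An interface with no inbound access-group, or whose ACL reaches a broad "permit ip" to the router address before the deny, is reported as False, which is what the reviewer would write up as a finding.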
Additional Identifiers
Rule ID: SV-273605r1110875_rule
Vulnerability ID: V-273605
Group Title: SRG-NET-000205-RTR-000001
CCIs
Number | Definition
---|---
CCI-001097 | Monitor and control communications at the external managed interfaces to the system and at key managed interfaces within the system.
Controls
Number | Title
---|---
SC-7 | Boundary Protection