Title

The RUCKUS ICX PE router must be configured to block any traffic destined to IP core infrastructure. (Cat I impact)

Discussion

IP/MPLS networks providing VPN and transit services must provide, at the least, the same level of protection against denial-of-service (DoS) attacks and intrusions as layer 2 networks. Although the IP core network elements are hidden, security should never rely entirely on obscurity. IP addresses can be guessed. Core network elements must not be accessible from any external host. Protecting the core from any attack is vital for the integrity and privacy of customer traffic as well as the availability of transit services. A compromise of the IP core can result in an outage or, at a minimum, nonoptimized forwarding of customer traffic. Protecting the core from an outside attack also prevents attackers from using the core to attack any customer. Hence, it is imperative that all routers at the edge deny traffic destined to any address belonging to the IP core infrastructure.

Check Content

Review the router configuration to verify an ingress ACL is applied to all CE-facing interfaces and verify the ingress ACL rejects and logs packets destined to the IP core address block. 1. Review the router configuration to verify that an ingress ACL is applied to all external or CE-facing interfaces. interface ethernet 1/1/1 ip address x.1.1.2/30 ip access-group BLOCK_TO_CORE in logging enable ! 2. Verify the ingress ACL discards and logs packets destined to the IP core address space. ip access-list extended BLOCK_TO_CORE sequence 10 deny ip any 10.x.0.0 0.0.255.255 log remark permit other traffic sequence 20 permit ip any any ! If the PE router is not configured to block any traffic with a destination address assigned to the IP core infrastructure, this is a finding.

Fix Text

Configure protection for the IP core to be implemented at the edges by blocking any traffic with a destination address assigned to the IP core infrastructure. 1. Configure an ingress ACL to discard and log packets destined to the IP core address space. ICX(config)#ip access-list ext BLOCK_TO_CORE ICX(config-ext-ipacl-BLOCK_TO_CORE)#deny ip any 10.x.0.0/16 log ICX(config-ext-ipacl-BLOCK_TO_CORE)#remark permit other traffic ICX(config-ext-ipacl-BLOCK_TO_CORE)#permit ip any any 2. Apply the ACL inbound to all external or CE-facing interfaces. ICX(config)#interface ethernet 1/1/1 ICX(config-if-e10000-1/1/1)#port-name CE_port ICX(config-if-e10000-1/1/1)#ip access-group BLOCK_TO_CORE in logging enable

Additional Identifiers

Rule ID: SV-273611r1110876_rule

Vulnerability ID: V-273611

Group Title: SRG-NET-000205-RTR-000007

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.