Check: RCKS-RTR-000150
RUCKUS ICX Router STIG (version v1 r1)
Title
The RUCKUS ICX multicast edge router must be configured to establish boundaries for administratively scoped multicast traffic. (Cat III impact)
Discussion
If multicast traffic is forwarded beyond its intended boundary, it can be intercepted by unauthorized or unintended personnel. Administratively scoped multicast addresses (the 239.0.0.0/8 block) are locally assigned and are to be used exclusively within the enterprise network or enclave. Administratively scoped multicast traffic must not cross the enclave perimeter in either direction. Restricting multicast traffic in this way makes it more difficult for a malicious user to reach sensitive traffic. Admin-Local scope is encouraged for any multicast traffic within a network intended for network management, as well as for control-plane traffic that must reach beyond link-local destinations.
Check Content
Verify that boundaries are established for administratively scoped multicast traffic. The standard ACL must deny the 239.0.0.0/8 block (the 0.255.255.255 wildcard) ahead of any permit, and the ACL must be applied with ip multicast-boundary on every PIM-enabled interface that faces the enclave perimeter:

    ip access-list standard MULTICAST_SCOPE
     sequence 10 deny 239.0.0.0 0.255.255.255
     sequence 20 permit any
    !
    interface ethernet 1/1/10
     ip address x.12.1.10 255.255.255.0
     ip pim-sparse
     ip pim neighbor-filter PIM_NEIGHBORS
     ip multicast-boundary MULTICAST_SCOPE
    !

If the multicast boundary is not established on an interface facing the enclave perimeter, or the referenced ACL does not deny 239.0.0.0/8, this is a finding.
Fix Text
Establish a multicast boundary for administratively scoped multicast traffic:

    ip access-list standard MULTICAST_SCOPE
     sequence 10 deny 239.0.0.0 0.255.255.255
     sequence 20 permit any
    !
    interface ethernet 1/1/10
     ip address x.12.1.10 255.255.255.0
     ip pim-sparse
     ip pim neighbor-filter PIM_NEIGHBORS
     ip multicast-boundary MULTICAST_SCOPE
    !
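The check above is easy to do by eye on one interface and easy to miss on a router with dozens. The following audit script is an added example for this page, not part of the STIG or of any RUCKUS tooling: it parses a saved running-config, finds every interface with ip pim-sparse, and reports whether the interface carries an ip multicast-boundary whose ACL actually denies all of 239.0.0.0/8 before any overlapping permit. The ACL and interface syntax it recognises is the one shown in the check content; the sample config, the policy that every PIM-enabled interface needs a boundary, and the assumption of an implicit deny at the end of an ACL are all the example's own assumptions and should be adjusted to the site's design (internal PIM links that legitimately carry admin-scoped groups would be excluded).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample (not from the STIG): 1/1/10 mirrors the check content
# above; 1/1/11 has no boundary; 1/1/12 references an ACL that permits 239/8;
# 1/1/13 runs no PIM and is out of scope. Addresses are placeholders, unparsed.
SAMPLE_CONFIG = """\
ip access-list standard MULTICAST_SCOPE
 sequence 10 deny 239.0.0.0 0.255.255.255
 sequence 20 permit any
!
ip access-list standard WRONG_SCOPE
 sequence 10 permit any
!
interface ethernet 1/1/10
 ip address x.12.1.10 255.255.255.0
 ip pim-sparse
 ip pim neighbor-filter PIM_NEIGHBORS
 ip multicast-boundary MULTICAST_SCOPE
!
interface ethernet 1/1/11
 ip address x.12.2.10 255.255.255.0
 ip pim-sparse
!
interface ethernet 1/1/12
 ip address x.12.3.10 255.255.255.0
 ip pim-sparse
 ip multicast-boundary WRONG_SCOPE
!
interface ethernet 1/1/13
 ip address x.12.4.10 255.255.255.0
!
"""

ADMIN_SCOPE = ("239.0.0.0", "0.255.255.255")  # RFC 2365 administratively scoped block


def _ip(dotted: str) -> int:
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def _range(spec: List[str]) -> Tuple[int, int]:
    """Turn an ACL address spec into (network, wildcard). Forms handled (assumed):
    'any', 'host A', 'A/len', 'A W'; trailing keywords such as 'log' are ignored."""
    if spec[0] == "any":
        return 0, 0xFFFFFFFF
    if spec[0] == "host":
        return _ip(spec[1]), 0
    if "/" in spec[0]:
        addr, plen = spec[0].split("/")
        return _ip(addr), (1 << (32 - int(plen))) - 1
    if len(spec) >= 2 and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", spec[1]):
        return _ip(spec[0]), _ip(spec[1])
    return _ip(spec[0]), 0


def _overlaps(net1: int, wild1: int, net2: int, wild2: int) -> bool:
    # Two ranges overlap when they agree on every bit that is fixed in both.
    fixed = ~(wild1 | wild2) & 0xFFFFFFFF
    return (net1 & fixed) == (net2 & fixed)


def _covers(net1: int, wild1: int, net2: int, wild2: int) -> bool:
    # Range 1 contains range 2 when every bit fixed in 1 is fixed and equal in 2.
    fixed1 = ~wild1 & 0xFFFFFFFF
    return (wild2 & fixed1) == 0 and (net1 & fixed1) == (net2 & fixed1)


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split the config into (header, indented body lines); '!' or a new
    unindented line ends the current block."""
    blocks, header, body = [], None, []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            if header is not None:
                blocks.append((header, body))
            header, body = None, []
        elif line.startswith(" "):
            if header is not None:
                body.append(line.strip())
        else:
            if header is not None:
                blocks.append((header, body))
            header, body = line.strip(), []
    if header is not None:
        blocks.append((header, body))
    return blocks


def acl_denies_admin_scope(acl_body: List[str]) -> bool:
    """First-match evaluation in sequence order: a permit overlapping 239/8 before
    a covering deny makes the boundary leaky; a deny covering the whole block is
    sufficient; partial denies are accepted only together with the (assumed)
    implicit deny at the end of the ACL. An ACL that never denies any of the
    block is reported as non-compliant rather than trusting the implicit deny."""
    block_net, block_wild = _range(list(ADMIN_SCOPE))
    entries = []
    for idx, line in enumerate(acl_body):
        m = re.match(r"(?:sequence\s+(\d+)\s+)?(deny|permit)\s+(.+)$", line)
        if m:
            seq = int(m.group(1)) if m.group(1) else idx
            entries.append((seq, idx, m.group(2), m.group(3).split()))
    saw_deny = False
    for _, _, action, spec in sorted(entries):
        net, wild = _range(spec)
        if not _overlaps(net, wild, block_net, block_wild):
            continue
        if action == "permit":
            return False
        if _covers(net, wild, block_net, block_wild):
            return True
        saw_deny = True
    return saw_deny


def audit(config: str) -> Dict[str, str]:
    """Return {interface: status} for every PIM-enabled interface in the config."""
    blocks = parse_blocks(config)
    acls = {h.split()[-1]: b for h, b in blocks if h.startswith("ip access-list standard ")}
    result: Dict[str, str] = {}
    for header, body in blocks:
        if not header.startswith("interface "):
            continue
        if not any(l.startswith("ip pim-sparse") for l in body):
            continue
        name = header[len("interface "):]
        bound = [l.split()[2] for l in body if l.startswith("ip multicast-boundary ")]
        if not bound:
            result[name] = "FINDING: no ip multicast-boundary on PIM interface"
        elif bound[0] not in acls:
            result[name] = f"FINDING: boundary ACL {bound[0]} is not defined"
        elif not acl_denies_admin_scope(acls[bound[0]]):
            result[name] = f"FINDING: ACL {bound[0]} does not deny 239.0.0.0/8"
        else:
            result[name] = "compliant"
    return result


if __name__ == "__main__":
    for iface, status in audit(SAMPLE_CONFIG).items():
        print(f"{iface}: {status}")
```

Run it against the output of the router's running-config saved to a file (replace SAMPLE_CONFIG with the file contents); every interface that prints a FINDING line maps directly to the "this is a finding" clause in the check content. The wildcard arithmetic is there so that a broader deny (for example the whole 224.0.0.0/4 range) is still recognised as covering the admin-scoped block, while a narrower permit inserted ahead of the deny is flagged.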
Additional Identifiers
Rule ID: SV-273583r1110888_rule
Vulnerability ID: V-273583
Group Title: SRG-NET-000019-RTR-000005
CCIs
Number | Definition
---|---
CCI-001414 | Enforce approved authorizations for controlling the flow of information between connected systems based on organization-defined information flow control policies.
Controls
Number | Title
---|---
AC-4 | Information Flow Enforcement