Check: RCKS-RTR-000260
RUCKUS ICX Router STIG (version v1 r1)
Title
The RUCKUS ICX router must be configured to log all packets that have been dropped. (Cat III impact)
Discussion
Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done or attempted to be done, and by whom, to compile an accurate risk assessment. Auditing the actions on network devices provides a means to recreate an attack or identify a configuration mistake on the device.
Check Content
Check ACL deny statements for the log keyword and that logging is enabled on applicable bindings:

    ICX# show ip access Block_host_v4
    Extended IP access list Block_host_v4: 3 entries
    10: permit ipv6 any any
    20: deny ip host 192.168.10.253 any log
    30: permit ip any any

    ICX# show running-config vlan 10
    ...
    ip access-group Block_host_v4 in ethernet 1/3/1 logging enable

If ACL deny statements lack the log keyword or logging is not enabled in the "ip access-group..." command, this is a finding.
Fix Text
Configure ACL deny statements to include "log" and verify logging is enabled where the ACL is applied:

    ip access-list extended Block_host_v4
    sequence 10 permit ipv6 any any
    sequence 20 deny ip host 192.168.10.253 any log
    sequence 30 permit ip any any
    !
    vlan 10 by port
    tagged ethernet x/x/x
    untagged ethernet y/y/y
    ip access-group Block_host_v4 in ethernet 1/3/1 logging enable
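The check and fix above are easy to verify by eye on one ACL, but on a fleet of routers the same two conditions (every deny entry carries "log", every "ip access-group ... in ethernet ..." binding carries "logging enable") are better scanned from exported running-configs. The script below is an added example, not part of the STIG and not a RUCKUS or DISA tool; it assumes the running-config layout shown in the fix text, and the two sample configs in it are constructed for illustration.

```python
"""
Added example (not part of the STIG or any RUCKUS tool): an offline checker
that scans a RUCKUS ICX running-config for the two conditions that
RCKS-RTR-000260 calls out:

  1. every "deny" entry in an extended IP access-list must carry "log"
  2. every "ip access-group ... in ethernet ..." binding must carry
     "logging enable"

The config format is modeled on the fix text of this check (an assumption);
the sample configs below are constructed for illustration.
"""
import re

ACL_HEADER = re.compile(r"^ip access-list extended (\S+)\s*$")
ACL_ENTRY = re.compile(r"^\s*sequence (\d+) (permit|deny) (.*)$")
ACL_BINDING = re.compile(r"^\s*ip access-group (\S+) in ethernet (\S+)(.*)$")


def parse_config(text):
    """Return (acls, bindings).

    acls:     {acl_name: [(sequence, action, rest_of_entry), ...]}
    bindings: [(acl_name, interface, trailing_options)]
    """
    acls = {}
    bindings = []
    current = None  # name of the ACL block we are inside, if any
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = ACL_HEADER.match(line)
        if m:
            current = m.group(1)
            acls.setdefault(current, [])
            continue
        m = ACL_ENTRY.match(line)
        if m and current is not None:
            acls[current].append((int(m.group(1)), m.group(2), m.group(3).strip()))
            continue
        m = ACL_BINDING.match(line)
        if m:
            bindings.append((m.group(1), m.group(2), m.group(3).strip()))
            continue
        # Any other top-level statement ("!", "vlan 10 by port", ...) ends the ACL block.
        if not line.startswith(" "):
            current = None
    return acls, bindings


def audit(text):
    """Return a list of finding strings; an empty list means compliant."""
    acls, bindings = parse_config(text)
    findings = []
    for name, entries in acls.items():
        for seq, action, rest in entries:
            # "log" must be a standalone keyword on the entry, not a substring
            if action == "deny" and "log" not in rest.split():
                findings.append(f"ACL {name} sequence {seq}: deny entry lacks 'log'")
    for name, iface, opts in bindings:
        if "logging enable" not in opts:
            findings.append(f"ACL {name} on ethernet {iface}: binding lacks 'logging enable'")
    return findings


# Constructed sample: matches the fix text, so it should produce no findings.
COMPLIANT_CONFIG = """\
ip access-list extended Block_host_v4
 sequence 10 permit ipv6 any any
 sequence 20 deny ip host 192.168.10.253 any log
 sequence 30 permit ip any any
!
vlan 10 by port
 tagged ethernet 1/1/1
 untagged ethernet 1/1/2
 ip access-group Block_host_v4 in ethernet 1/3/1 logging enable
"""

# Constructed sample: deny entry without "log" and binding without "logging enable".
NONCOMPLIANT_CONFIG = """\
ip access-list extended Block_host_v4
 sequence 10 permit ipv6 any any
 sequence 20 deny ip host 192.168.10.253 any
 sequence 30 permit ip any any
!
vlan 10 by port
 tagged ethernet 1/1/1
 ip access-group Block_host_v4 in ethernet 1/3/1
"""

if __name__ == "__main__":
    for label, cfg in (("compliant", COMPLIANT_CONFIG), ("noncompliant", NONCOMPLIANT_CONFIG)):
        result = audit(cfg)
        print(f"{label}: {'no findings' if not result else ''}")
        for f in result:
            print("  finding:", f)
```

Run it against a saved "show running-config" and treat any non-empty result as the finding the check describes; a deny entry that silently drops traffic leaves no audit record, which is exactly the gap CCI-000134 is about.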
Additional Identifiers
Rule ID: SV-273594r1110893_rule
Vulnerability ID: V-273594
Group Title: SRG-NET-000078-RTR-000001
Expert Comments
CCIs
Number | Definition
---|---
CCI-000134 | Ensure that audit records containing information that establishes the outcome of the event.
Controls
Number | Title
---|---
AU-3 | Content of Audit Records