Title

The RUCKUS ICX perimeter router must be configured to not redistribute static routes to an alternate gateway service provider into BGP or an IGP peering with the NIPRNet or to other autonomous systems. (Cat III impact)

Discussion

If the static routes to the alternate gateway are being redistributed into an Exterior Gateway Protocol or Interior Gateway Protocol to a NIPRNet gateway, this could make traffic on NIPRNet flow to that particular router and not to the Internet Access Pointerface routers. This could not only wreak havoc with traffic flows on NIPRNet, but it could overwhelm the connection from the router to the NIPRNet gateway(s) and also cause traffic destined for outside of NIPRNet to bypass the defenses of the Internet Access Points.

Check Content

This requirement is not applicable for the DODIN Backbone. Review ICX router configuration for statements redistributing static routes into IGP or BGP: router bgp local-as 1001 neighbor x.4.4.4 remote-as 1000 redistribute static ! router ospf redistribute static ! If static routes with the alternate gateway service provider as the next hop exist and static routes are redistributed into an IGP or BGP (without a route-map filter), this is a finding.

Fix Text

This requirement is not applicable for the DODIN Backbone. Create a prefix list to be used by route map to prevent static routes pointing to the alternate gateway service provider from being redistributed: ip prefix-list ISP_PREFIX permit 10.12.1.0/24 route-map FILTER_ISP_STATIC deny 10 match ip address prefix-list ISP_PREFIX route-map FILTER_ISP_STATIC permit 20 ! router ospf redistribute static route-map FILTER_ISP_STATIC !

Additional Identifiers

Rule ID: SV-273587r1111281_rule

Vulnerability ID: V-273587

Group Title: SRG-NET-000019-RTR-000010

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.