Check: RCKS-RTR-000760
RUCKUS ICX Router STIG (version v1 r1)
Title
The RUCKUS ICX perimeter router must be configured to block inbound packets with source Bogon IP address prefixes. (Cat II impact)
Discussion
Bogons are IP packets on the public internet whose addresses are not in any range allocated or delegated by the Internet Assigned Numbers Authority (IANA) or a delegated regional internet registry (RIR) for public Internet use. Bogons also include multicast, IETF reserved, and special-purpose address space as defined in RFC 6890. Security of the internet's routing system relies on the ability to authenticate an assertion of unique control of an address block. Measures to authenticate such assertions rely on validating that the address block forms part of an existing allocated address block and is a trustable and unique reference in the IANA address registries. A Bogon source address has no legitimate use; its only purpose is address spoofing in denial-of-service attacks. Hence, it is imperative that IP packets with a source Bogon address are blocked at the network's perimeter.
Check Content
This requirement is not applicable for the DODIN Backbone.

Review the router configuration to verify that an ingress Access Control List (ACL) applied to all external interfaces is blocking packets with Bogon source addresses.

1. Verify an ACL has been configured containing the current Bogon prefixes as shown in the example below:

```
ip access-list extended FILTER_PERIMETER
 sequence 10 deny ip 0.0.0.0 0.255.255.255 any log
 sequence 20 deny ip 10.0.0.0 0.255.255.255 any log
 sequence 30 deny ip 100.64.0.0 0.63.255.255 any log
 sequence 40 deny ip 127.0.0.0 0.255.255.255 any log
 sequence 50 deny ip 169.254.0.0 0.0.255.255 any log
 sequence 60 deny ip 172.16.0.0 0.15.255.255 any log
 sequence 70 deny ip 192.0.0.0 0.0.0.255 any log
 sequence 80 deny ip 192.0.2.0 0.0.0.255 any log
 sequence 90 deny ip 192.168.0.0 0.0.255.255 any log
 sequence 100 deny ip 192.18.0.0 0.1.255.255 any log
 sequence 110 deny ip 192.51.100.0 0.0.0.255 any log
 sequence 120 deny ip 203.0.113.0 0.0.0.255 any log
 sequence 130 deny ip 224.0.0.0 31.255.255.255 any log
 sequence 140 permit tcp any any established
 sequence 150 permit tcp host x.0.1.2 host x.0.1.1 eq bgp
 sequence 160 permit tcp host x.0.1.1 eq bgp host x.0.1.2
 sequence 170 permit icmp host x.0.1.2 host x.0.1.1 echo
 sequence 180 permit icmp host x.0.1.1 host x.0.1.2 echo-reply
 ...
 sequence 190 deny ip any any log
```

2. Verify the inbound ACL applied to all external interfaces will block all traffic from Bogon source addresses.

```
interface ethernet 1/1/1
 port-name link_to_DISN
 ip access-group FILTER_PERIMETER in logging enable
!
```

If the router is not configured to block inbound packets with source Bogon IP address prefixes, this is a finding.
Fix Text
This requirement is not applicable for the DODIN Backbone.

Review the configuration to verify the command below is not present:

1. Configure an ACL containing the current Bogon prefixes as shown below:

```
ICX(config)#ip access-list ext FILTER_PERIMETER
ICX(config-ext-ipacl-FILTER_PERIMETER)#deny ip 0.0.0.0/8 any log
ICX(config-ext-ipacl-FILTER_PERIMETER)#deny ip 10.0.0.0/8 any log
ICX(config-ext-ipacl-FILTER_PERIMETER)#deny ip 100.64.0.0/10 any log
ICX(config-ext-ipacl-FILTER_PERIMETER)#deny ip 127.0.0.0/8 any log
ICX(config-ext-ipacl-FILTER_PERIMETER)#deny ip 169.254.0.0/16 any log
ICX(config-ext-ipacl-FILTER_PERIMETER)#deny ip 172.16.0.0/12 any log
ICX(config-ext-ipacl-FILTER_PERIMETER)#deny ip 192.0.0.0/24 any log
ICX(config-ext-ipacl-FILTER_PERIMETER)#deny ip 192.0.2.0/24 any log
ICX(config-ext-ipacl-FILTER_PERIMETER)#deny ip 192.168.0.0/16 any log
ICX(config-ext-ipacl-FILTER_PERIMETER)#deny ip 192.18.0.0/15 any log
ICX(config-ext-ipacl-FILTER_PERIMETER)#deny ip 192.51.100.0/24 any log
ICX(config-ext-ipacl-FILTER_PERIMETER)#deny ip 203.0.113.0/24 any log
ICX(config-ext-ipacl-FILTER_PERIMETER)#deny ip 224.0.0.0/3 any log
ICX(config-ext-ipacl-FILTER_PERIMETER)#permit tcp any any established
ICX(config-ext-ipacl-FILTER_PERIMETER)#permit tcp host x.0.1.2 host x.0.1.1 eq bgp
ICX(config-ext-ipacl-FILTER_PERIMETER)#permit tcp host x.0.1.1 eq bgp host x.0.1.2
ICX(config-ext-ipacl-FILTER_PERIMETER)#permit icmp host x.0.1.2 host x.0.1.1 echo
ICX(config-ext-ipacl-FILTER_PERIMETER)#permit icmp host x.0.1.1 host x.0.1.2 echo-reply
ICX(config-ext-ipacl-FILTER_PERIMETER)#deny ip any any log
```

2. Apply the ACL inbound on all external interfaces.

```
ICX(config)#interface ethernet x/x/x
ICX(config-if-e10000-x/x/x)#ip access-group FILTER_PERIMETER in logging enable
```
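The two steps of the Check Content and Fix Text above (an ordered ACL that denies every listed Bogon prefix, then an inbound binding of that ACL on every external interface) can be verified offline against a saved configuration. The Python script below is an added example written for this page; it is not part of the STIG or of any RUCKUS tooling. It assumes the IOS-style ACL syntax shown in the check (both the `sequence N` show form with wildcard masks and the bare `deny ip A/len` form from the Fix Text), takes the Bogon list exactly as the check prints it, and runs against a constructed sample configuration. The `evaluate` function, the interface names and the `link_to_ISP2` port name are illustrative.

```python
import ipaddress
import re

# Bogon prefixes exactly as listed in RCKS-RTR-000760 (copied from the page as written).
REQUIRED_BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "192.18.0.0/15", "192.51.100.0/24", "203.0.113.0/24", "224.0.0.0/3",
]

# One ACL entry, in either the "show" form (leading "sequence N") or the bare config form.
ACE_RE = re.compile(r"^(?:sequence\s+\d+\s+)?(permit|deny)\s+(\S+)\s+(.+)$")


def wildcard_to_network(addr, wildcard):
    """Address plus wildcard (inverse) mask -> network; discontiguous masks are rejected."""
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    prefixlen = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"discontiguous wildcard mask {wildcard}")
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def parse_source(tokens):
    """Source network of an entry: 'any', 'host A', 'A/len' or 'A wildcard'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32")
    if "/" in tokens[0]:
        return ipaddress.ip_network(tokens[0], strict=False)
    return wildcard_to_network(tokens[0], tokens[1])


def parse_config(text):
    """Collect extended ACLs (ordered entries) and each interface's inbound ACL name."""
    acls, interfaces, acl, iface = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":                      # end of the current block
            acl = iface = None
        elif m := re.match(r"^ip access-list (?:extended|ext) (\S+)$", line):
            acl, iface = m.group(1), None
            acls.setdefault(acl, [])
        elif m := re.match(r"^interface (\S+ \S+)$", line):
            iface, acl = m.group(1), None
            interfaces.setdefault(iface, None)
        elif acl is not None and (m := ACE_RE.match(line)):
            action, proto, rest = m.group(1), m.group(2), m.group(3).split()
            acls[acl].append((action, proto, parse_source(rest)))
        elif iface is not None and (m := re.match(r"^ip access-group (\S+) in\b", line)):
            interfaces[iface] = m.group(1)
    return acls, interfaces


def evaluate(config_text, acl_name, external_interfaces):
    """Step 1: each Bogon prefix must hit a covering 'deny ip' before any entry that
    overlaps it.  Step 2: every external interface must carry the ACL inbound."""
    acls, interfaces = parse_config(config_text)
    entries = acls.get(acl_name, [])
    missing, not_blocked = [], []
    for prefix in REQUIRED_BOGONS:
        bogon = ipaddress.ip_network(prefix)
        first = next((e for e in entries if e[2].overlaps(bogon)), None)
        if first is None:
            missing.append(prefix)       # nothing in the ACL matches this range at all
        elif not (first[0] == "deny" and first[1] == "ip" and first[2].supernet_of(bogon)):
            not_blocked.append(prefix)   # a permit or only a partial deny is reached first
    unprotected = [i for i in external_interfaces if interfaces.get(i) != acl_name]
    return {"missing": missing, "not_blocked": not_blocked, "unprotected_interfaces": unprotected,
            "finding": bool(missing or not_blocked or unprotected)}


# Constructed sample modelled on the check's example; peer-specific BGP/ICMP permits omitted.
COMPLIANT_CONFIG = """
ip access-list extended FILTER_PERIMETER
 sequence 10 deny ip 0.0.0.0 0.255.255.255 any log
 sequence 20 deny ip 10.0.0.0 0.255.255.255 any log
 sequence 30 deny ip 100.64.0.0 0.63.255.255 any log
 sequence 40 deny ip 127.0.0.0 0.255.255.255 any log
 sequence 50 deny ip 169.254.0.0 0.0.255.255 any log
 sequence 60 deny ip 172.16.0.0 0.15.255.255 any log
 sequence 70 deny ip 192.0.0.0 0.0.0.255 any log
 sequence 80 deny ip 192.0.2.0 0.0.0.255 any log
 sequence 90 deny ip 192.168.0.0 0.0.255.255 any log
 sequence 100 deny ip 192.18.0.0 0.1.255.255 any log
 sequence 110 deny ip 192.51.100.0 0.0.0.255 any log
 sequence 120 deny ip 203.0.113.0 0.0.0.255 any log
 sequence 130 deny ip 224.0.0.0 31.255.255.255 any log
 sequence 140 permit tcp any any established
 sequence 190 deny ip any any log
interface ethernet 1/1/1
 ip access-group FILTER_PERIMETER in logging enable
!
"""

# Same device with the 100.64.0.0/10 entry dropped and a second, unfiltered external port.
NONCOMPLIANT_CONFIG = "\n".join(l for l in COMPLIANT_CONFIG.splitlines() if "100.64.0.0" not in l)
NONCOMPLIANT_CONFIG += "\ninterface ethernet 1/1/2\n port-name link_to_ISP2\n!\n"

if __name__ == "__main__":
    print(evaluate(NONCOMPLIANT_CONFIG, "FILTER_PERIMETER", ["ethernet 1/1/1", "ethernet 1/1/2"]))
```

Entry order matters: a `permit tcp any any established` placed ahead of the Bogon denies would admit spoofed TCP segments, so the checker reports a prefix as not blocked whenever the first overlapping entry is anything other than a `deny ip` that fully covers it. A missing deny is reported the same way when a later `permit` would catch the traffic, and as `missing` only if no entry in the ACL matches the range at all.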
Additional Identifiers
Rule ID: SV-273643r1111037_rule
Vulnerability ID: V-273643
Group Title: SRG-NET-000364-RTR-000110
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-002403 | Only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations. |
Controls
| Number | Title |
|---|---|
| SC-7(11) | Restrict Incoming Communications Traffic |