Cisco OL-4015-08 User Manual, Page 129

Cross-Platform Release Notes for Cisco IOS Release 12.0S
OL-1617-14 Rev. Q0
Caveats
Resolved Caveats—Cisco IOS Release 12.0(32)S15
For additional information on NTP access control groups, consult the document titled “Performing
Basic System Management” at the following link:
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_basic_sys_manage.html#wp1034942
* Infrastructure Access Control Lists
Warning: Because the feature in this vulnerability uses UDP as a transport, it is possible to spoof
the sender’s IP address, which may defeat ACLs that permit communication to these ports from
trusted IP addresses. Consider using Unicast RPF in conjunction with these ACLs to offer a better
mitigation solution.
Although it is often difficult to block traffic that transits a network, it is possible to identify traffic
that should never be allowed to target infrastructure devices and block that traffic at the border of
networks.
Infrastructure ACLs (iACLs) are a network security best practice and should be considered as a
long-term addition to good network security as well as a workaround for this specific vulnerability.
The iACL example below should be included as part of the deployed infrastructure access-list,
which will help protect all devices with IP addresses in the infrastructure IP address range:
!---
!--- Feature: Network Time Protocol (NTP)
!---
access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD INFRASTRUCTURE_ADDRESSES WILDCARD eq 123
!--- Note: If the router is acting as an NTP broadcast client
!--- via the interface command "ntp broadcast client"
!--- then broadcast and directed broadcasts must be
!--- filtered as well. The following example covers
!--- an infrastructure address space of 192.168.0.X
access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD host 192.168.0.255 eq ntp
access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD host 255.255.255.255 eq ntp
!--- Note: If the router is acting as an NTP multicast client
!--- via the interface command "ntp multicast client"
!--- then multicast IP packets to the multicast group must
!--- be filtered as well. The following example covers
!--- an NTP multicast group of 239.0.0.1 (Default is
!--- 224.0.1.1)
access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD host 239.0.0.1 eq ntp
!--- Deny NTP traffic from all other sources destined
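
Added example (not part of the Cisco release notes): a Python helper that fills in the TRUSTED_SOURCE_ADDRESSES WILDCARD and INFRASTRUCTURE_ADDRESSES WILDCARD placeholders of the permit entries shown above from CIDR prefixes, deriving the wildcard masks and the directed-broadcast address. The function names and the 10.10.10.0/28 trusted range are assumptions made for illustration; only the permit entries visible on this page are generated.

```python
import ipaddress

def acl_spec(cidr):
    """Return (network, 'address wildcard'); the IOS wildcard is the inverted netmask."""
    net = ipaddress.IPv4Network(cidr, strict=True)  # rejects IPv6 and set host bits
    return net, f"{net.network_address} {net.hostmask}"

def ntp_iacl_permits(trusted_cidr, infra_cidr, acl=150,
                     broadcast_client=False, multicast_group=None):
    """Build the NTP permit entries of the iACL template for concrete prefixes."""
    _, src = acl_spec(trusted_cidr)
    infra, dst = acl_spec(infra_cidr)
    lines = [f"access-list {acl} permit udp {src} {dst} eq 123"]
    if broadcast_client:  # router uses "ntp broadcast client"
        for target in (infra.broadcast_address, "255.255.255.255"):
            lines.append(f"access-list {acl} permit udp {src} host {target} eq ntp")
    if multicast_group is not None:  # router uses "ntp multicast client"
        group = ipaddress.IPv4Address(multicast_group)
        if not group.is_multicast:
            raise ValueError(f"{group} is not a multicast address")
        lines.append(f"access-list {acl} permit udp {src} host {group} eq ntp")
    return lines

def wildcard_match(addr, wildcard, ip):
    """True if ip matches addr under an IOS wildcard (bits set to 1 are ignored)."""
    a, w, i = (int(ipaddress.IPv4Address(x)) for x in (addr, wildcard, ip))
    return ((a ^ i) & ~w & 0xFFFFFFFF) == 0

if __name__ == "__main__":
    # Constructed sample: 10.10.10.0/28 stands in for the trusted NTP sources;
    # 192.168.0.0/24 and group 239.0.0.1 are the values used in the text above.
    for line in ntp_iacl_permits("10.10.10.0/28", "192.168.0.0/24",
                                 broadcast_client=True, multicast_group="239.0.0.1"):
        print(line)
```

wildcard_match can be used to confirm which source addresses a generated entry actually covers before the ACL is deployed.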