Cisco OL-4015-08 User Manual, page 23
375
Cross-Platform Release Notes for Cisco IOS Release 12.0S
OL-1617-14 Rev. Q0
Caveats
Resolved Caveats—Cisco IOS Release 12.0(33)S7
Warning: Because the feature in this vulnerability uses UDP as a transport, it is possible to spoof
the sender's IP address, which may defeat ACLs that permit communication to these ports from
trusted IP addresses. Unicast RPF should be considered in conjunction with these ACLs to offer a
better mitigation solution.
Although it is often difficult to block traffic that transits a network, it is possible to identify traffic
that should never be allowed to target infrastructure devices and block that traffic at the border of
networks.
Infrastructure ACLs (iACLs) are a network security best practice and should be considered as a
long-term addition to good network security as well as a workaround for this specific vulnerability.
The iACL example below should be included as part of the deployed infrastructure access-list,
which will help protect all devices with IP addresses in the infrastructure IP address range:
! Feature: Network Time Protocol (NTP)
access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD INFRASTRUCTURE_ADDRESSES WILDCARD eq 123
Note: If the router is acting as an NTP broadcast client via the interface command “ntp broadcast
client”, then broadcasts and directed broadcasts must be filtered as well. The following example
covers an infrastructure address space of 192.168.0.X.
access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD host 192.168.0.255 eq ntp
access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD host 255.255.255.255 eq ntp
Note: If the router is acting as an NTP multicast client via the interface command “ntp multicast
client”, then multicast IP packets to the multicast group must be filtered as well. The following
example covers an NTP multicast group of 239.0.0.1 (the default is 224.0.1.1).
access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD host 239.0.0.1 eq ntp
! Deny NTP traffic from all other sources destined to infrastructure addresses.
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES WILDCARD eq 123
! Permit/deny all other Layer 3 and Layer 4 traffic in accordance with existing security policies and
! configurations. Permit all other traffic to transit the device.
access-list 150 permit ip any any
! Apply access-list to all interfaces (only one example shown).
interface fastEthernet 2/0
 ip access-group 150 in
The white paper entitled “Protecting Your Core: Infrastructure Protection Access Control Lists”
presents guidelines and recommended deployment techniques for infrastructure protection access
lists and is available at the following link:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
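To make the semantics of the iACL above concrete, and to show why the warning recommends Unicast RPF alongside it, here is an added example (not Cisco's code and not part of the release notes): a small Python evaluator that parses the access-list 150 lines as written above, with the placeholders TRUSTED_SOURCE_ADDRESSES/WILDCARD and INFRASTRUCTURE_ADDRESSES/WILDCARD replaced by constructed values, and runs constructed packets through the ACL alone and then through a strict uRPF check followed by the ACL. The routing table, interface names and packet values are all constructed for the example; the packet that spoofs a trusted source address is permitted by the ACL and is only dropped by the uRPF check.

```python
"""Added example (not from the Cisco release notes): a minimal evaluator for the
iACL lines in the text, plus a strict Unicast RPF check, run over constructed packets."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PORT_NAMES = {"ntp": 123}  # IOS accepts a name or a number after "eq"

# Constructed stand-ins for the placeholders used in the release notes.
TRUSTED_SOURCE_ADDRESSES, TRUSTED_WILDCARD = "10.0.0.0", "0.0.0.255"
INFRASTRUCTURE_ADDRESSES, INFRA_WILDCARD = "192.168.0.0", "0.0.0.255"

ACL_150 = f"""
! Feature: Network Time Protocol (NTP)
access-list 150 permit udp {TRUSTED_SOURCE_ADDRESSES} {TRUSTED_WILDCARD} {INFRASTRUCTURE_ADDRESSES} {INFRA_WILDCARD} eq 123
access-list 150 permit udp {TRUSTED_SOURCE_ADDRESSES} {TRUSTED_WILDCARD} host 192.168.0.255 eq ntp
access-list 150 permit udp {TRUSTED_SOURCE_ADDRESSES} {TRUSTED_WILDCARD} host 255.255.255.255 eq ntp
access-list 150 permit udp {TRUSTED_SOURCE_ADDRESSES} {TRUSTED_WILDCARD} host 239.0.0.1 eq ntp
! Deny NTP traffic from all other sources destined to infrastructure addresses.
access-list 150 deny udp any {INFRASTRUCTURE_ADDRESSES} {INFRA_WILDCARD} eq 123
access-list 150 permit ip any any
"""

AddrSpec = Tuple[int, int]  # (base address, wildcard mask) as integers


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "udp", "tcp", ...
    dport: Optional[int]  # None for protocols without ports
    ingress: str          # interface the packet arrived on


@dataclass
class Rule:
    action: str
    proto: str
    src: AddrSpec
    dst: AddrSpec
    port: Optional[int]


def _parse_addr(tokens, i) -> Tuple[AddrSpec, int]:
    """Consume one IOS address spec ("any", "host X", or "X WILDCARD") at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (base, wild), i + 2


def _matches(spec: AddrSpec, ip: str) -> bool:
    """Wildcard-mask match: bits set in the wildcard are don't-care bits."""
    base, wild = spec
    return (int(ipaddress.IPv4Address(ip)) | wild) == (base | wild)


def parse_acl(text: str):
    rules = []
    for line in text.strip().splitlines():
        if line.lstrip().startswith("!"):   # IOS comment line
            continue
        t = line.split()                    # access-list 150 <action> <proto> <src> <dst> [eq PORT]
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        port = None
        if i < len(t) and t[i] == "eq":
            port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        rules.append(Rule(action, proto, src, dst, port))
    return rules


def evaluate(rules, pkt: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if not _matches(r.src, pkt.src) or not _matches(r.dst, pkt.dst):
            continue
        if r.port is not None and r.port != pkt.dport:
            continue
        return r.action
    return "deny"


# Constructed routing table for the strict uRPF check
# (IOS: "ip verify unicast source reachable-via rx" on the ingress interface).
ROUTES = {
    ipaddress.ip_network("10.0.0.0/24"): "FastEthernet2/0",  # trusted management segment
    ipaddress.ip_network("0.0.0.0/0"): "Serial1/0",          # everything else via upstream
}


def urpf_strict(pkt: Packet) -> bool:
    """Pass only if the best route back to the source leaves via the ingress interface."""
    src = ipaddress.ip_address(pkt.src)
    best = max((n for n in ROUTES if src in n), key=lambda n: n.prefixlen)
    return ROUTES[best] == pkt.ingress


def admit(rules, pkt: Packet) -> str:
    """Ingress processing with uRPF enabled: the RPF check runs before the ACL."""
    return evaluate(rules, pkt) if urpf_strict(pkt) else "drop (uRPF)"


RULES = parse_acl(ACL_150)

# Constructed sample packets (RFC 5737 / private ranges).
SAMPLES = {
    "trusted_ntp":   Packet("10.0.0.5", "192.168.0.1", "udp", 123, "FastEthernet2/0"),
    "untrusted_ntp": Packet("203.0.113.7", "192.168.0.1", "udp", 123, "Serial1/0"),
    "spoofed_ntp":   Packet("10.0.0.5", "192.168.0.1", "udp", 123, "Serial1/0"),
    "transit_https": Packet("203.0.113.7", "198.51.100.9", "tcp", 443, "Serial1/0"),
    "bcast_ntp":     Packet("10.0.0.5", "192.168.0.255", "udp", 123, "FastEthernet2/0"),
}


def run_samples():
    """Return {name: (decision with ACL only, decision with uRPF then ACL)}."""
    return {name: (evaluate(RULES, p), admit(RULES, p)) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (acl_only, with_urpf) in run_samples().items():
        print(f"{name:14s} ACL only: {acl_only:7s} uRPF+ACL: {with_urpf}")
```

The spoofed packet is the case the warning describes: it carries a trusted source address, so the first permit entry matches it, and only the reachable-via-rx check (the source's best route points to FastEthernet2/0, not the upstream interface it arrived on) rejects it.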
* Control Plane Policing
Two examples are provided under Control Plane Policing. The first aims at preventing the
injection of malicious traffic from untrusted sources, while the second rate-limits NTP
traffic to the box.
- Filtering untrusted sources to the device.
Warning: Because the feature in this vulnerability uses UDP as a transport, it is possible to spoof
the sender's IP address, which may defeat ACLs that permit communication to these ports from
trusted IP addresses. Unicast RPF should be considered in conjunction with these ACLs to offer a
better mitigation solution.