2.4 Ensure DHCP services are disabled for untrusted interfaces

Information

Disables the DHCP service

Rationale:

The ASA can act as a DHCP server or a DHCP Relay server. However, on an untrusted interface, an attacker can take advantage of the service's availability to perform DoS attacks such as DHCP starvation, which exhausts not only the IP address space but also the memory and CPU resources of the security appliance and brings it down.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Step 1: Acquire the name of the untrusted interface <untrusted_interface_name>

Step 2: Run the following command to disable DHCP service on the untrusted interface

hostname(config)# no dhcpd enable <untrusted_interface_name>

Step 3: Run the following command to disable DHCP Relay service on the untrusted interface

hostname(config)# no dhcprelay enable <untrusted_interface_name>
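The following Python script is an added example, not part of the CIS benchmark or Tenable's audit plugin. It audits a saved ASA running-config offline for the two services covered by Steps 2 and 3, reports which untrusted interfaces still have `dhcpd enable` or `dhcprelay enable` configured, and emits the corresponding `no ... enable` remediation lines. The config text is constructed for the example; the helper that proposes candidate untrusted interfaces by looking for `security-level 0` is a heuristic assumption for Step 1, not a rule stated in the benchmark, so the operator's own list of untrusted interfaces should take precedence.

```python
import re
from typing import Dict, List

# Constructed sample of ASA running-config lines (not taken from the page).
# In this sample "outside" is the untrusted interface and both DHCP
# services are still enabled on it; "inside" legitimately runs dhcpd.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
dhcpd address 192.168.1.10-192.168.1.100 inside
dhcpd enable inside
dhcpd enable outside
dhcprelay server 192.168.1.5 inside
dhcprelay enable outside
"""

# Only the "enable <interface>" forms matter; "dhcpd address ..." and
# "dhcprelay server ..." are configuration, not service activation.
DHCPD_RE = re.compile(r"^\s*dhcpd enable (\S+)\s*$")
DHCPRELAY_RE = re.compile(r"^\s*dhcprelay enable (\S+)\s*$")


def enabled_dhcp_services(config: str) -> Dict[str, List[str]]:
    """Map each interface name to the DHCP services enabled on it.

    An interface with no 'enable' line is absent from the result, which
    matches the benchmark's default of both services being disabled.
    """
    services: Dict[str, List[str]] = {}
    for line in config.splitlines():
        m = DHCPD_RE.match(line)
        if m:
            services.setdefault(m.group(1), []).append("dhcpd")
            continue
        m = DHCPRELAY_RE.match(line)
        if m:
            services.setdefault(m.group(1), []).append("dhcprelay")
    return services


def interfaces_with_security_level(config: str, level: int = 0) -> List[str]:
    """Heuristic (assumption, not from the benchmark): interfaces whose
    block carries 'security-level <level>' are candidates for Step 1."""
    blocks: List[Dict[str, object]] = []
    for line in config.splitlines():
        s = line.strip()
        if line.startswith("interface "):
            blocks.append({})
        elif blocks and s.startswith("nameif "):
            blocks[-1]["nameif"] = s.split()[1]
        elif blocks and s.startswith("security-level "):
            blocks[-1]["level"] = int(s.split()[1])
    return [str(b["nameif"]) for b in blocks
            if "nameif" in b and b.get("level") == level]


def audit_untrusted_interfaces(config: str, untrusted: List[str]) -> Dict[str, List[str]]:
    """Return findings only for the named untrusted interfaces.

    An empty dict means the control passes for those interfaces.
    """
    enabled = enabled_dhcp_services(config)
    return {iface: enabled[iface] for iface in untrusted if iface in enabled}


def remediation_commands(findings: Dict[str, List[str]]) -> List[str]:
    """Build the 'no dhcpd enable' / 'no dhcprelay enable' lines from
    Steps 2 and 3 for every finding (to be entered in config mode)."""
    return [f"no {svc} enable {iface}"
            for iface, svcs in findings.items() for svc in svcs]


if __name__ == "__main__":
    candidates = interfaces_with_security_level(SAMPLE_CONFIG, 0)
    findings = audit_untrusted_interfaces(SAMPLE_CONFIG, candidates)
    print("untrusted candidates:", candidates)
    print("findings:", findings)
    for cmd in remediation_commands(findings):
        print("hostname(config)#", cmd)
```

Run it against a `show running-config` capture instead of `SAMPLE_CONFIG` to check a real device; a compliant config simply has no `dhcpd enable` or `dhcprelay enable` line for the untrusted interface, so the audit returns an empty dict rather than requiring an explicit `no` form in the config.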

Default Value:

Disabled by default

See Also

https://workbench.cisecurity.org/benchmarks/7194

Item Details

Category: CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-6, 800-53|CM-7, 800-53|CP-6, 800-53|CP-7, 800-53|PL-8, 800-53|PM-7, 800-53|SA-8, 800-53|SC-7, 800-53|SC-23, CSCv7|11.1

Plugin: Cisco

Control ID: 614b4c698c5e47d3a39c9e962bcf2e24fc201b5918517cf335a8d3ff78881a03