3.7 Ensure 'ip verify' is set to 'reverse-path' for untrusted interfaces

Information

Enables the unicast Reverse-Path Forwarding (uRPF) on untrusted interfaces.

Rationale:

With unicast Reverse-Path Forwarding (uRPF) enabled on an interface, the security appliance checks the routing table for every packet received on that interface to confirm that the same interface would be used to reach the packet's source IP address. If it would not, the packet is dropped. uRPF should be enabled by default on untrusted interfaces to prevent attackers from spoofing internal IP addresses. On the other, internal interfaces, uRPF should be enabled as long as there is no asymmetric routing, i.e. no case in which the path used to send a packet back to the source IP address differs from the path on which the packet was received.

Solution

Step 1: Acquire the name of the untrusted interface <interface_name>

Step 2: Run the following command to enable protection against IP spoofing

hostname(config)# ip verify reverse-path interface <interface_name>
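A way to audit this control across a saved running configuration, as an added example that is not part of the benchmark or of any Cisco tooling: it parses the nameif/security-level pairs and the ip verify lines, then reports each untrusted interface still lacking uRPF together with the remediation command from Step 2. The configuration excerpt is constructed, and treating security-level 0 as untrusted when no explicit list is supplied is an assumption of this example.

```python
import re

# Constructed sample excerpt of an ASA running configuration (not from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif guest
 security-level 0
 ip address 192.0.2.1 255.255.255.0
!
ip verify reverse-path interface outside
"""

def parse_interfaces(config):
    """Return {nameif: security_level} for every named interface block."""
    levels, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = None                      # new block: forget the previous nameif
            continue
        m = re.match(r"^\s+nameif\s+(\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"^\s+security-level\s+(\d+)", line)
        if m and name:
            levels[name] = int(m.group(1))
    return levels

def urpf_interfaces(config):
    """Return the set of nameifs on which 'ip verify reverse-path' is configured."""
    return set(re.findall(r"^ip verify reverse-path interface (\S+)", config, re.M))

def audit_urpf(config, untrusted=None):
    """Map each untrusted interface missing uRPF to its remediation command.
    Assumption (not from the benchmark): with no explicit list, every interface
    at security-level 0 is treated as untrusted."""
    levels = parse_interfaces(config)
    if untrusted is None:
        untrusted = {n for n, lvl in levels.items() if lvl == 0}
    enabled = urpf_interfaces(config)
    return {n: f"ip verify reverse-path interface {n}"
            for n in sorted(untrusted) if n not in enabled}
```

On the sample, only `guest` is flagged, since `outside` already has uRPF and `inside` is not considered untrusted.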

Default Value:

Disabled by default

See Also

https://workbench.cisecurity.org/benchmarks/7194

Item Details

Category: CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-7, 800-53|CP-6, 800-53|CP-7, 800-53|PL-8, 800-53|PM-7, 800-53|SA-8, 800-53|SC-7, CSCv7|11.1

Plugin: Cisco

Control ID: 66765c6d90abc9f28ed86ab9f20cf8b530b82a71cc85c9d6e9fb1cd361149fe0