3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny internal networks'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

This command places the router in access-list configuration mode, where you must define the denied or permitted access conditions by using the deny and permit commands.

Rationale:

Configuring access controls can help prevent spoofing attacks. To reduce the effectiveness of IP spoofing, configure access control to deny any traffic from the external network whose source address should reside on the internal network. Include the local host (loopback) address range and the reserved private address ranges (RFC 1918).

Ensure the permit rule(s) above the final deny rule only allow traffic according to your organization's least privilege policy.

Solution

Configure ACL for private source address restrictions from external networks.


hostname(config)#ip access-list extended {name | number}
hostname(config-nacl)#deny ip {internal_networks} any log
hostname(config-nacl)#deny ip 127.0.0.0 0.255.255.255 any log
hostname(config-nacl)#deny ip 10.0.0.0 0.255.255.255 any log
hostname(config-nacl)#deny ip 0.0.0.0 0.255.255.255 any log
hostname(config-nacl)#deny ip 172.16.0.0 0.15.255.255 any log
hostname(config-nacl)#deny ip 192.168.0.0 0.0.255.255 any log
hostname(config-nacl)#deny ip 192.0.2.0 0.0.0.255 any log
hostname(config-nacl)#deny ip 169.254.0.0 0.0.255.255 any log
hostname(config-nacl)#deny ip 224.0.0.0 31.255.255.255 any log
hostname(config-nacl)#deny ip host 255.255.255.255 any log
hostname(config-nacl)#permit {protocol} {source_ip} {source_mask} {destination} {destination_mask} log
hostname(config-nacl)#deny ip any any log
hostname(config)#interface <external_interface>
hostname(config-if)#ip access-group <access-list> in

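As an added example (not part of the CIS benchmark or the Tenable audit), the following Python checker parses the named ACL out of a `show running-config` excerpt and reports which of the required source ranges are not denied ahead of the first permit, converting IOS wildcard masks, `host` and `any` sources into prefixes. The ACL name EXTERNAL-IN, the permitted destination 203.0.113.10 and the sample configuration are constructed; the site-specific {internal_networks} entry and the inbound `ip access-group` binding are not checked.

```python
import ipaddress
import re
# Source ranges this control expects denied inbound from the outside (RFC 1918,
# loopback, 0/8, link-local, TEST-NET, multicast, limited broadcast).
REQUIRED_DENIES = {"127.0.0.0/8", "10.0.0.0/8", "0.0.0.0/8", "172.16.0.0/12",
                   "192.168.0.0/16", "192.0.2.0/24", "169.254.0.0/16",
                   "224.0.0.0/3", "255.255.255.255/32"}
# One access-control entry: optional sequence number, action, protocol, source spec.
ACE = re.compile(r"(?:\d+\s+)?(deny|permit)\s+\S+\s+(any|host \S+|\S+ \S+)")

def source_network(spec):
    """Turn an ACE source ('any', 'host A', or 'A WILDCARD') into an IPv4Network."""
    tok = spec.split()
    if tok[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok[0] == "host":
        return ipaddress.IPv4Network(f"{tok[1]}/32")
    # IOS wildcard masks are inverted netmasks: flip every bit to get the mask.
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tok[1])))
    return ipaddress.IPv4Network(f"{tok[0]}/{mask}", strict=False)

def missing_denies(config, acl_name):
    """Required source ranges not denied ahead of the first permit in the named ACL."""
    denied, permit_seen, in_acl = set(), False, False
    for raw in config.splitlines():
        if not raw.startswith(" "):  # top-level line: starts or ends an ACL block
            in_acl = raw.startswith("ip access-list extended ") and raw.split()[-1] == acl_name
        elif in_acl and (m := ACE.match(raw.strip())):
            if m.group(1) == "permit":
                permit_seen = True
            elif not permit_seen:  # a deny placed below a permit no longer protects it
                denied.add(str(source_network(m.group(2))))
    return sorted(REQUIRED_DENIES - denied)

# Constructed running-config excerpt; the ACL name and 203.0.113.10 are assumptions.
COMPLIANT = """ip access-list extended EXTERNAL-IN
 deny ip 127.0.0.0 0.255.255.255 any log
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 0.0.0.0 0.255.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 deny ip 192.0.2.0 0.0.0.255 any log
 deny ip 169.254.0.0 0.0.255.255 any log
 deny ip 224.0.0.0 31.255.255.255 any log
 deny ip host 255.255.255.255 any log
 permit tcp any host 203.0.113.10 eq 443 log
 deny ip any any log
"""
# Same ACL, but the 192.168/16 entry sits below the permit, where it is ineffective.
LATE = " deny ip 192.168.0.0 0.0.255.255 any log\n"
WEAK = COMPLIANT.replace(LATE, "") + LATE
```

Running `missing_denies(WEAK, "EXTERNAL-IN")` flags only 192.168.0.0/16, while the compliant excerpt returns no findings.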

Impact:

Organizations should plan and implement enterprise security policies that explicitly separate internal from external networks. Adding 'ip access-list' explicitly permitting and denying internal and external networks enforces these policies.

Default Value:

No access list defined

References:

http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-i1.html#GUID-BD76E065-8EAC-4B32-AF25-04BA94DD2B11

See Also

https://workbench.cisecurity.org/files/2585

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7, CSCv6|11

Plugin: Cisco

Control ID: 603c5c7296584f6648c67bac88e04eb73f4aebf3b164b59d9f314fafe8be2bcb