3.1.4 Set 'ip verify unicast source reachable-via'

Information

Examines incoming packets to determine whether the source address is in the Forwarding Information Base (FIB) and permits the packet only if the source is reachable through the interface on which the packet was received (sometimes referred to as strict mode).

Enabled uRPF helps mitigate IP spoofing by ensuring that packet source IP addresses originate only from the interfaces on which they are expected. Configure unicast reverse-path forwarding (uRPF) on all external or high-risk interfaces.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure uRPF.

hostname(config)#interface {interface_name}
hostname(config-if)#ip verify unicast source reachable-via rx allow-default
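
The following is an added example, not part of the benchmark or of Nessus, showing how to audit a running configuration for this setting: it parses a constructed `show running-config` excerpt and classifies each interface as strict (`rx`), loose (`any`) or missing. Interface names and addresses are constructed for the example.

```python
import re

# Constructed running-config excerpt (not from a real device): one interface
# in strict mode, one in loose mode, and one with no uRPF configured at all.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 ip verify unicast source reachable-via rx allow-default
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip verify unicast source reachable-via any
!
interface GigabitEthernet0/2
 ip address 192.0.2.1 255.255.255.0
!
"""

# 'rx' is strict mode (source must be reachable via the receiving interface);
# 'any' is loose mode (source only has to exist somewhere in the FIB).
URPF_RE = re.compile(r"^\s*ip verify unicast source reachable-via (rx|any)\b")


def parse_interfaces(config):
    """Return {interface_name: [stanza lines]} for each 'interface' block."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith("!"):
            current = None          # '!' terminates the stanza in IOS output
        elif current is not None:
            stanzas[current].append(line.strip())
    return stanzas


def audit_urpf(config):
    """Map each interface to 'strict', 'loose' or 'missing'."""
    result = {}
    for name, lines in parse_interfaces(config).items():
        mode = "missing"
        for line in lines:
            m = URPF_RE.match(line)
            if m:
                mode = "strict" if m.group(1) == "rx" else "loose"
        result[name] = mode
    return result


def noncompliant(config):
    """Interfaces failing this check: anything other than strict (rx) mode."""
    return sorted(n for n, m in audit_urpf(config).items() if m != "strict")
```

Note that the `allow-default` keyword in the benchmark's command lets a source that matches only the default route pass the check, so on an interface with a default route it is looser than plain `rx`; extend the classifier if your policy distinguishes the two.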

Impact:

Organizations should plan and implement enterprise security policies that protect the confidentiality, integrity, and availability of network devices. The unicast Reverse-Path Forwarding (uRPF) feature dynamically consults the routing table to accept or drop packets as they arrive on an interface.

See Also

https://workbench.cisecurity.org/benchmarks/12917

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-4, CSCv7|9.2

Plugin: Cisco

Control ID: 07cb809f95c4aa02870ce1bb07a0ad0e860840bb6efb9a8b0912785352111aca