Detections
Analytics

NET0966 - Control plan protection is not enabled - 'inbound ACL option'

Information

The router must have control plane protection enabled.

 The Route Processor (RP) is critical to all network operations as it is the component used to build all forwarding paths for the data plane via control plane processes. It is also instrumental with ongoing network management functions that keep the routers and links available for providing network services. Hence, any disruption to the RP or the control and management planes can result in mission critical network outages.

 In addition to control plane and management plane traffic that is in the router's receive path, the RP must also handle other traffic that must be punted to the RP-that is, the traffic must be fast or process switched. This is the result of packets that must be fragmented, require an ICMP response (TTL expiration, unreachable, etc.) have IP options, etc. A DoS attack targeting the RP can be perpetrated either inadvertently or maliciously involving high rates of punted traffic resulting in excessive RP CPU and memory utilization. To maintain network stability, the router must be able to securely handle specific control plane and management plane traffic that is destined to it, as well as other punted traffic.

 Using the ingress filter on forwarding interfaces is a method that has been used in the past to filter both forwarding path and receiving path traffic. However, this method does not scale well as the number of interfaces grows and the size of the ingress filters grow. Control plane policing can be used to increase security of routers and multilayer switches by protecting the RP from unnecessary or malicious traffic. Filtering and rate limiting the traffic flow of control plane packets can be implemented to protect routers against reconnaissance and DoS attacks allowing the control plane to maintain packet forwarding and protocol states despite an attack or heavy load on the router or multilayer switch.

 NOTE: This check requires manual verification in the event that neither CoPP nor the ip receive path acl feature are supported. An inbound ACL should be configured to the guidance documentation. If CoPP is in place and properly configured this check can be ignored.
 NOTE: If the Management Plane Protection (MPP) feature is enabled for an OOBM interface, there would be no purpose in filtering this traffic on the receive path. With MPP enabled, no interfaces except the management interface will accept network management traffic destined to the device. This feature also provides the capability to restrict which management protocols are allowed. See NET0992 for additional configuration information.
 NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Implement control plane protection by classifying traffic types based on importance levels and configure filters to restrict and rate limit the traffic punted to the route processor as according to each class.

See Also

https://iasecontent.disa.mil/stigs/zip/U_Network_Infrastructure_Router_L3_Switch_V8R28_STIG.zip

Item Details

References: CAT|II, Rule-ID|SV-21167r2_rule, STIG-ID|NET0966, Vuln-ID|V-19188

Plugin: Cisco

Control ID: 442d826e2d0056b20aab5f838afd7b823a8d95bb2575afc14624c76df1ef71c0