Ensure DHCP services are disabled for untrusted interfaces - dhcprelay

Information

Disables the DHCP service

Rationale:

The Firepower can act as a DHCP server or a DHCP relay. On an untrusted interface, however, an attacker can take advantage of the availability of the service to perform DoS attacks such as DHCP starvation, which exhausts not only the IP address space but also the memory and CPU resources of the security appliance and brings it down.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

DHCP Relay can be configured through the Firepower Management Center:

Step 1 - Choose Devices > Device Management, and edit the FTD device.
Step 2 - Select DHCP > DHCP Relay.

See Also

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/hardening/ftd/FTD_Hardening_Guide_v64.html

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b.

Plugin: Cisco_Firepower

Control ID: 3cca9d01f4a6cb95f2f36c67714375be65f70992c4d051abc8ca93db4de0b261