The Dell OS10 Router must be configured to restrict traffic destined to itself.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| --- | --- | --- | --- | --- |
| V-269872 | OS10-RTR-000380 | SV-269872r1052001_rule | CCI-001097 | high |

Description: The route processor handles traffic destined to the router itself. It is the component that builds forwarding paths and is also instrumental in all network management functions, so any disruption or denial-of-service (DoS) attack against the route processor can result in mission-critical network outages.

| STIG | Date |
| --- | --- |
| Dell OS10 Switch Router Security Technical Implementation Guide | 2024-12-11 |
Details
Check Text (C-269872r1052001_chk)
Review the access control list (ACL) or filter for the router receive path and verify that it will only process specific management plane and control plane traffic from specific sources.
Step 1: Examine the interface configuration for the control plane ACLs applied to the traffic destined to the router control plane from the OOBM management port or front panel data ports.
!
control-plane
ip access-group MGMT_TRAFFIC_FROM_OOBM mgmt in
ip access-group MGMT_TRAFFIC_FROM_DATA data in
Step 2: Review the control plane ACLs and verify that traffic is limited appropriately (specific protocols and ports, from specific sources, with an explicit logged deny at the end).
!
ip access-list MGMT_TRAFFIC_FROM_OOBM
seq 10 permit ...
seq 20 permit ...
seq 30 deny ... log
seq 40 deny ... log
!
ip access-list MGMT_TRAFFIC_FROM_DATA
seq 10 permit ...
seq 20 permit ...
seq 30 deny ... log
seq 40 deny ... log
If the router is not configured with a receive-path filter to restrict traffic destined to itself, this is a finding.
Fix Text (F-73806r1052000_fix)
Configure the router with receive path filters to restrict traffic destined to the router.
Step 1: Configure inbound ACLs to restrict which packets are allowed to reach the control plane from the OOBM management port and from the front panel data ports.
OS10(config)# ip access-list MGMT_TRAFFIC_FROM_OOBM
OS10(config-ipv4-acl)# permit ...
OS10(config-ipv4-acl)# permit ...
OS10(config-ipv4-acl)# deny ... log
OS10(config-ipv4-acl)# deny ... log
OS10(config)# ip access-list MGMT_TRAFFIC_FROM_DATA
OS10(config-ipv4-acl)# permit ...
OS10(config-ipv4-acl)# permit ...
OS10(config-ipv4-acl)# deny ... log
OS10(config-ipv4-acl)# deny ... log
Step 2: Apply the ACLs to the ingress of the control-plane.
OS10(config)# control-plane
OS10(config-control-plane)# ip access-group MGMT_TRAFFIC_FROM_OOBM mgmt in
OS10(config-control-plane)# ip access-group MGMT_TRAFFIC_FROM_DATA data in
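The check and fix above both come down to the same three conditions: the control-plane has an inbound ACL bound for the mgmt port and for the data ports, each bound ACL is defined and permits only from specific sources, and each ends with an explicit (ideally logged) deny. The following Python script is an added example, not part of the STIG or of Dell's tooling; it parses the relevant parts of a saved `show running-configuration` and reports findings against those conditions. The two embedded configs are constructed samples, not captures from a real switch; the addresses, ports and ACL entry syntax (`seq N permit tcp A.B.C.D/M any eq PORT`) are assumptions based on the page's own fragment and should be checked against the OS10 release in use.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample of a compliant config (addresses/ports are illustrative assumptions).
COMPLIANT_CONFIG = """\
!
ip access-list MGMT_TRAFFIC_FROM_OOBM
 seq 10 permit tcp 10.10.0.0/24 any eq 22
 seq 20 permit udp 10.10.0.0/24 any eq 161
 seq 30 deny tcp any any log
 seq 40 deny ip any any log
!
ip access-list MGMT_TRAFFIC_FROM_DATA
 seq 10 permit tcp 192.0.2.0/24 any eq 179
 seq 20 permit udp 192.0.2.0/24 any eq 123
 seq 30 deny ip any any log
!
control-plane
 ip access-group MGMT_TRAFFIC_FROM_OOBM mgmt in
 ip access-group MGMT_TRAFFIC_FROM_DATA data in
!
"""

# Constructed sample that fails: permit-any, no final deny, nothing bound for the data ports.
NONCOMPLIANT_CONFIG = """\
!
ip access-list MGMT_TRAFFIC_FROM_OOBM
 seq 10 permit ip any any
!
control-plane
 ip access-group MGMT_TRAFFIC_FROM_OOBM mgmt in
!
"""


@dataclass
class AclEntry:
    seq: int
    action: str       # "permit" or "deny"
    protocol: str     # "ip", "tcp", "udp", ...
    source: str       # "any", "host A.B.C.D" or "A.B.C.D/M"
    rest: List[str]   # destination, port match and trailing keywords such as "log"


@dataclass
class ControlPlanePolicy:
    acls: Dict[str, List[AclEntry]] = field(default_factory=dict)
    bindings: Dict[str, str] = field(default_factory=dict)  # "mgmt"/"data" -> ACL name


def parse_config(text: str) -> ControlPlanePolicy:
    """Extract IPv4 ACL bodies and control-plane access-group bindings from a running-config."""
    policy = ControlPlanePolicy()
    section = None  # ("acl", name), ("control-plane",) or None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            section = None
            continue
        m = re.match(r"ip access-list (\S+)$", line)
        if m:
            section = ("acl", m.group(1))
            policy.acls[m.group(1)] = []
            continue
        if line == "control-plane":
            section = ("control-plane",)
            continue
        if section is None:
            continue
        if section[0] == "acl":
            tokens = line.split()
            if len(tokens) < 5 or tokens[0] != "seq":
                continue
            if tokens[4] == "host":   # "host A.B.C.D" occupies two tokens
                source, rest = " ".join(tokens[4:6]), tokens[6:]
            else:
                source, rest = tokens[4], tokens[5:]
            policy.acls[section[1]].append(AclEntry(int(tokens[1]), tokens[2], tokens[3], source, rest))
        else:
            m = re.match(r"ip access-group (\S+) (mgmt|data) in$", line)
            if m:
                policy.bindings[m.group(2)] = m.group(1)
    return policy


def audit_receive_path(policy: ControlPlanePolicy) -> List[str]:
    """Return findings for OS10-RTR-000380; an empty list means the receive-path filter checks pass."""
    findings: List[str] = []
    for plane in ("mgmt", "data"):
        name = policy.bindings.get(plane)
        if name is None:
            findings.append(f"control-plane has no inbound ACL bound for the {plane} port")
            continue
        entries = policy.acls.get(name)
        if not entries:
            findings.append(f"ACL {name} is bound to {plane} but is missing or empty")
            continue
        entries = sorted(entries, key=lambda e: e.seq)
        for e in entries:
            if e.action == "permit" and e.source == "any":
                findings.append(f"{name} seq {e.seq}: permit from any source ({plane})")
        last = entries[-1]
        if last.action != "deny":
            findings.append(f"{name} ({plane}): does not end with an explicit deny")
        elif "log" not in last.rest:
            findings.append(f"{name} seq {last.seq} ({plane}): final deny is not logged")
    return findings


if __name__ == "__main__":
    for label, cfg in (("compliant", COMPLIANT_CONFIG), ("noncompliant", NONCOMPLIANT_CONFIG)):
        result = audit_receive_path(parse_config(cfg))
        print(label, "->", "PASS" if not result else result)
```

Run it against a saved config instead of the embedded samples by reading the file into `parse_config`. The script only checks the structure the STIG asks about; whether the permitted sources and ports are the right ones is a judgement against the site's management and routing design, which no parser can make for you.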