The Dell OS10 Router must be configured to restrict traffic destined to itself.

An XCCDF Rule

Description

The route processor handles traffic destined to the router—the key component used to build forwarding paths and is also instrumental with all network management functions. Hence, any disruption or denial-of-service (DoS) attack to the route processor can result in mission critical network outages.

ID: SV-269872r1052001_rule
Version: OS10-RTR-000380
Severity: High
References: CCI-001097
Updated: about 2 months ago

Remediation Templates

Configure the router with receive path filters to restrict traffic destined to the router.

Step 1: Configure inbound ACLs to restrict which packets should be allowed to reach to the control plane from the OOBM management port and from the front panel data ports. 

OS10(config)# ip access-list MGMT_TRAFFIC_FROM_OOBM
OS10(config-ipv4-acl)# permit ...OS10(config-ipv4-acl)# permit ...
OS10(config-ipv4-acl)# deny ... log
OS10(config-ipv4-acl)# deny ... log

OS10(config)# ip access-list MGMT_TRAFFIC_FROM_DATA
OS10(config-ipv4-acl)# permit ...
OS10(config-ipv4-acl)# permit ...
OS10(config-ipv4-acl)# deny ... log
OS10(config-ipv4-acl)# deny ... log

Step 2: Apply the ACLs to the ingress of the control-plane.

OS10(config)# control-plane
OS10(config-control-plane)# ip access-group MGMT_TRAFFIC_FROM_OOBM mgmt in
OS10(config-control-plane)# ip access-group MGMT_TRAFFIC_FROM_DATA data in

The Dell OS10 Router must be configured to restrict traffic destined to itself.

Description

Remediation Templates

A Manual Procedure