From Perimeter L3 Switch Security Technical Implementation Guide - Cisco
Part of IPv4 Bogon and Martian addresses are not blocked.
Associated with IA controls: ECSC-1
This type of IP address spoofing occurs when someone outside the network uses an address that should not be routed, or that has not been officially assigned by the RIR to an ISP for use, to gain access to systems or devices on the internal network. If the intruder is successful, they can intercept data, passwords, etc., and use that information to perform destructive acts on or to the network.
External Interfaces peering with NIPRNet or SIPRNet: Review the inbound ACLs on external facing interfaces of perimeter devices attached to the NIPR or SIPR to validate that access control lists are configured to block, deny, or drop inbound IP addresses using RFC5735 and RFC6598. Examples of address space specified in RFC5735 and RFC6598 (network and subnet mask):

0.0.0.0 255.0.0.0
100.64.0.0 255.192.0.0
192.0.0.0 255.255.255.0
192.0.2.0 255.255.255.0
198.18.0.0 255.254.0.0
198.51.100.0 255.255.255.0
203.0.113.0 255.255.255.0
224.0.0.0 240.0.0.0
240.0.0.0 240.0.0.0

External Interfaces peering with commercial ISPs or other non-DoD network sources: Review the inbound ACLs on external facing interfaces of perimeter devices to validate that access control lists are configured to block, deny, or drop inbound IP addresses specified in both RFC5735 and RFC6598. Along with the network address space specified in RFC5735 and RFC6598, perimeter devices connected to commercial ISPs for Internet or other non-DoD network sources will need to be reviewed against a full bogon list, which includes IP space that has been allocated to the RIRs but not assigned by the RIR to an ISP or other end-user; such a list can be obtained at the link below, as it is updated regularly.

If RFC5735 and RFC6598 address space isn't blocked on the external interface, this is a finding.
Configure inbound ACLs on external facing interfaces of perimeter devices peering with NIPRNet or SIPRNet to block, deny, or drop inbound IP addresses specified in RFC5735 and RFC6598.

Configure inbound ACLs on external facing interfaces of perimeter devices peering with commercial ISPs or other non-DoD networks to block, deny, or drop inbound IP addresses specified in RFC5735 and RFC6598. Along with the network address space specified in RFC5735 and RFC6598, perimeter devices connected to commercial ISPs for Internet or other non-DoD network sources will need to be reviewed against a full bogon list, which includes IP space that has been allocated to the RIRs but not assigned by the RIR to an ISP or other end-user; such a list can be obtained at the link below, as it is updated regularly.

http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt
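The check above can be automated against a saved IOS configuration. The following is an added example, not DISA's or Cisco's tooling: it parses "deny ip <source> <wildcard> any" entries from an extended ACL, converts the wildcard masks to prefixes, and reports which of the RFC5735/RFC6598 blocks listed in the check text are not denied. The ACL in SAMPLE_ACL is constructed for illustration and is deliberately incomplete.

```python
"""Verify that an inbound Cisco IOS extended ACL denies the RFC5735/RFC6598
address space listed in the STIG check text (added example, not DISA/Cisco code)."""
import ipaddress
import re

# Network / subnet-mask pairs exactly as listed in the check text.
STIG_SPACE = [
    ("0.0.0.0", "255.0.0.0"), ("100.64.0.0", "255.192.0.0"),
    ("192.0.0.0", "255.255.255.0"), ("192.0.2.0", "255.255.255.0"),
    ("198.18.0.0", "255.254.0.0"), ("198.51.100.0", "255.255.255.0"),
    ("203.0.113.0", "255.255.255.0"), ("224.0.0.0", "240.0.0.0"),
    ("240.0.0.0", "240.0.0.0"),
]
REQUIRED = [ipaddress.ip_network(f"{a}/{m}") for a, m in STIG_SPACE]

# Matches IOS ACEs such as "10 deny ip 192.0.2.0 0.0.0.255 any" (wildcard mask).
ACE_RE = re.compile(r"^\s*(?:\d+\s+)?deny\s+ip\s+(\S+)\s+(\S+)\s+any\b")

def denied_networks(acl_text):
    """Return the source networks the ACL denies toward any destination."""
    nets = []
    for line in acl_text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        addr, wildcard = m.groups()
        if addr == "host":            # "deny ip host X any" form
            addr, wildcard = wildcard, "0.0.0.0"
        if wildcard == "0.0.0.0":     # ipaddress would read 0.0.0.0 as a /0 netmask
            wildcard = "255.255.255.255"
        # ipaddress accepts an IOS wildcard (inverted mask) directly as a hostmask.
        nets.append(ipaddress.ip_network(f"{addr}/{wildcard}", strict=False))
    return nets

def missing_blocks(acl_text):
    """Required prefixes not covered by any deny ACE; a covering supernet counts."""
    denied = denied_networks(acl_text)
    return [str(r) for r in REQUIRED if not any(r.subnet_of(d) for d in denied)]

# Constructed ACL for a NIPRNet-facing interface; two blocks are left out on purpose.
SAMPLE_ACL = """ip access-list extended INBOUND-FROM-NIPR
 10 deny ip 0.0.0.0 0.255.255.255 any
 20 deny ip 100.64.0.0 0.63.255.255 any
 30 deny ip 192.0.0.0 0.0.0.255 any
 40 deny ip 192.0.2.0 0.0.0.255 any
 50 deny ip 198.18.0.0 0.1.255.255 any
 60 deny ip 224.0.0.0 31.255.255.255 any
 70 permit ip any any
"""

if __name__ == "__main__":
    for block in missing_blocks(SAMPLE_ACL):
        print("finding: not denied inbound:", block)
```

Any block reported by missing_blocks is a finding under this rule; an empty result for the RFC5735/RFC6598 set does not cover the separately maintained full bogon list referenced above.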