From Router Security Requirements Guide
Part of SRG-NET-000205-RTR-000001
Associated with: CCI-001097
The router must be able to securely handle specific control plane and management plane traffic that is destined to it. Using the ingress filter on forwarding interfaces is a method that has been used in the past to filter both forwarding path and receive path traffic. However, this method does not scale well as the number of interfaces grows and the size of the ingress filters grows. Applying a small and manageable filter directly on the router’s receive path to restrict this traffic is considered an industry best practice.
Review the access control list (ACL) or filter for the router receive path and verify that it will only process specific management plane and control plane traffic from specific sources. If the router is not configured with a receive-path filter to restrict traffic destined to itself, this is a finding. Note: If the platform does not support the receive path filter, verify that all Layer 3 interfaces have an ingress ACL to control what packets are allowed to be destined to the router for processing.
Configure all routers with receive path filters to restrict traffic destined to the router.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer