Chapter 24 Security Audit
Fix It Page
24-22
Cisco Router and Security Device Manager 2.5 User’s Guide
OL-4015-12
Enable Unicast RPF on Outside Interfaces
Security Audit enables unicast Reverse Path Forwarding (RPF) on all interfaces
that connect to the Internet whenever possible. RPF is a feature that causes the
router to check the source address of any packet against the interface through
which the packet entered the router. If the input interface is not a feasible path to
the source address according to the routing table, the packet will be dropped. This
source address verification is used to defeat IP spoofing.
This works only when routing is symmetric. If the network is designed in such a
way that traffic from host A to host B may normally take a different path than
traffic from host B to host A, the check will always fail, and communication
between the two hosts will be impossible. This sort of asymmetric routing is
common in the Internet core. Ensure that your network does not use asymmetric
routing before enabling this feature.
In addition, unicast RPF can be enabled only when IP Cisco Express
Forwarding (CEF) is enabled. Security Audit will check the router configuration
to see if IP CEF is enabled. If IP CEF is not enabled, Security Audit will
recommend that IP CEF be enabled and will enable it if the recommendation is
approved. If IP CEF is not enabled, by Security Audit or otherwise, unicast RPF
will not be enabled.
To enable unicast RPF, the following configuration will be delivered to the router
for each interface that connects outside of the private network, replacing
<outside interface> with the interface identifier:
interface <outside interface>
 ip verify unicast reverse-path
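The strict-mode reverse-path check and the CEF-dependent Fix It decision described above, as an added Python model that is not from the user guide and not SDM's own code. The routing table, interface names and source addresses (RFC 5737 documentation ranges) are constructed for the example. For contrast with the asymmetric-routing caveat it also models loose mode and the allow-default behaviour of the newer ip verify unicast source reachable-via form of the command, neither of which the page mentions; the assumption that a source matching only the default route fails strict uRPF without allow-default is labelled in the code.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed routing table for a hypothetical edge router with one inside
# interface and two upstream links. Entries are (prefix, next-hop interface)
# and are not taken from the user guide.
ROUTING_TABLE: List[Tuple[str, str]] = [
    ("10.0.0.0/8",     "GigabitEthernet0/1"),  # inside network
    ("203.0.113.0/24", "Serial0/0"),           # prefix learned via upstream A
    ("0.0.0.0/0",      "Serial0/1"),           # default route via upstream B
]


def best_route(table: List[Tuple[str, str]], src: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match: the route the router would use to send traffic back to src."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_verdict(table, src, in_iface, mode="strict", allow_default=False) -> str:
    """
    Apply the uRPF source check to a packet from `src` that entered on `in_iface`.
    Returns "pass" or a "drop:<reason>" string.

    strict: the reverse path to src must leave through in_iface, which is what
            the page's 'ip verify unicast reverse-path' enforces.
    loose:  any route to src suffices (IOS 'reachable-via any'); shown only
            to contrast with the asymmetric-routing failure.
    allow_default models the 'allow-default' keyword of the reachable-via form.
    Assumption: without it, a source that matches only the default route has
    no usable reverse path and is dropped.
    """
    route = best_route(table, src)
    if route is None:
        return "drop:no-route"
    net, egress = route
    if net.prefixlen == 0 and not allow_default:
        return "drop:default-route-only"
    if mode == "loose":
        return "pass"
    return "pass" if egress == in_iface else f"drop:reverse-path-is-{egress}"


def security_audit_urpf_fix(outside_ifaces, cef_enabled, approve_enable_cef=True) -> List[str]:
    """
    Reproduce the Fix It decision the page describes: uRPF is configured only
    when CEF is already on, or when the recommendation to enable it is approved.
    Returns the IOS lines that would be delivered to the router.
    """
    lines: List[str] = []
    if not cef_enabled:
        if not approve_enable_cef:
            return lines           # CEF stays off, so uRPF is not enabled at all
        lines.append("ip cef")     # Security Audit enables CEF first
    for iface in outside_ifaces:
        lines.append(f"interface {iface}")
        lines.append(" ip verify unicast reverse-path")
    return lines


if __name__ == "__main__":
    # Spoofed packet: claims an inside source but arrives from the Internet link.
    print(urpf_verdict(ROUTING_TABLE, "10.1.2.3", "Serial0/0"))       # drop:reverse-path-is-GigabitEthernet0/1
    # Symmetric: the source prefix is reached through the link the packet came in on.
    print(urpf_verdict(ROUTING_TABLE, "203.0.113.5", "Serial0/0"))    # pass
    # Asymmetric: same source, but it entered via upstream B while the return path is upstream A.
    print(urpf_verdict(ROUTING_TABLE, "203.0.113.5", "Serial0/1"))    # drop:reverse-path-is-Serial0/0
    print(urpf_verdict(ROUTING_TABLE, "203.0.113.5", "Serial0/1", mode="loose"))  # pass
    # Config Security Audit would push when CEF is off and enabling it is approved.
    print("\n".join(security_audit_urpf_fix(["Serial0/0", "Serial0/1"], cef_enabled=False)))
```

The asymmetric case is the one to test for before approving this fix: a legitimate peer whose return path leaves through a different upstream is indistinguishable from a spoofed source under strict mode, so either confirm symmetric routing on every interface you enable it on or use the loose form, which still catches sources with no route at all.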
Enable Firewall on All of the Outside Interfaces
If the Cisco IOS image running on the router includes the Firewall feature set,
then Security Audit will enable Context-Based Access Control (CBAC) on the
router whenever possible. CBAC, a component of the Cisco IOS Firewall feature
set, filters packets based on application-layer information, such as what kinds of
commands are being executed within the session. For example, if a command that
is not supported is discovered in a session, the packet can be denied access.
CBAC enhances security for TCP and User Datagram Protocol (UDP)
applications that use well-known ports, such as port 80 for HTTP or port 443 for
Secure Sockets Layer (SSL). It does this by scrutinizing source and destination