Cisco Systems 2.5 Enable Unicast RPF on Outside Interfaces, Enable Firewall on All of the Outside Interfaces

Chapter24 Security Audit

Fix It Page

24-22

Cisco Router and Security Device Manager 2.5 User’s Guide

OL-4015-12

Enable Unicast RPF on Outside Interfaces

Security Audit enables unicast Reverse Path Forwarding (RPF) on all interfaces

that connect to the Internet whenever possible. RPF is a feature that causes the

router to check the source address of any packet against the interface through

which the packet entered the router. If the input interface is not a feasible path to

the source address according to the routing table, the packet will be dropped. This

source address verification is used to defeat IP spoofing.

This works only when routing is symmetric. If the network is designed in such a

way that traffic from host A to host B may normally take a different path than

traffic from host B to host A, the check will always fail, and communication

between the two hosts will be impossible. This sort of asymmetric routing is

common in the Internet core. Ensure that your network does no t use asymmetric

routing before enabling this feature.

In addition, unicast RPF can be enabled only when IP Cisco E xpress

Forwarding(CEF) is enabled. Security Audit will check the router configuration

to see if IP CEF is enabled. If IP CEF is not enabled, Security Audit will

recommend that IP CEF be enabled and will enable it if the recommendation is

approved. If IP CEF is not enabled, by Security Audit or otherwise, unicast RPF

will not be enabled.

To enable unicast RPF, the following configuration will be delivered to the router

for each interface that connects outside of the private network, replacing

<outside interface> with the interface identifier:

interface

ip verify unicast reverse-path

Enable Firewall on All of the Outside Interfaces

If the Cisco IOS image running on the router includes the Firewall feature set,

then Security Audit will enable Context-Based Access Control (CBAC) on the

router whenever possible. CBAC, a component of the Cisco IOS Firewall feature

set, filters packets based on application-layer information, such as what kinds of

commands are being executed within the session. For example, if a command that

is not supported is discovered in a session, the packet can be denied access.

CBAC enhances security for TCP and User Datagram Protocol (UDP)

applications that use well-known ports, such as port 80 for HTTP or port 443 for

Secure Sockets Layer (SSL). It does this by scrutinizing source and destination