Cisco DNCS System Release 2.7 3.7 4.2 Design Guide
Security Recommendations for the DBDS Network in a DOCSIS Environment
4000358 Rev B
DBDS Network Security, Continued
# 60
Background: End users may forge their own DOCSIS configuration file that specifies a
higher level of service than what they paid for. The user may then use a variety of
means to have their cable modem download this forged DOCSIS configuration file
rather than the service provider’s version of the file, and so receive an
unauthorized level of service.
Recommendation: To reduce the risk of theft of service, take the following actions
for the CMTS:
• Specify a CMTS authentication string in the DOCSIS configuration file for
integrated cable modems and stand-alone cable modems.
• Configure the CMTS authentication string per cable interface with this command
(or other vendor-specific command): cable shared-secret <string>, where <string>
must be identical to the CMTS authentication string specified in the configuration
file.
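One way to check that recommendation 60 is actually in place on every cable interface is the following audit script, which is an added example and not part of the Cisco guide. The function name, the sample running-config and its keys are constructed, and the handling of an optional `0`/`7` encryption-type prefix assumes Cisco IOS syntax for `cable shared-secret`.

```python
import hmac
import re

# Constructed sample running-config; interface names and keys are made up.
SAMPLE_CONFIG = """\
interface Cable3/0
 cable shared-secret EXAMPLE-SECRET
!
interface Cable3/1
!
interface Cable4/0
 cable shared-secret 7 0123456789AB
!
interface GigabitEthernet0/1
!
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)", re.IGNORECASE)
SECRET_RE = re.compile(r"^\s+cable shared-secret\s+(?:([07])\s+)?(\S+)\s*$")

def audit_shared_secret(config, expected=None):
    """Map each cable interface to missing / set / set-encrypted / match / mismatch."""
    results, current = {}, None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1) if m.group(1).lower().startswith("cable") else None
            if current:
                results[current] = "missing"  # until a shared-secret line is seen
            continue
        if not line.startswith(" "):  # "!" or another top-level line ends the block
            current = None
            continue
        s = SECRET_RE.match(line)
        if current and s:
            enc_type, key = s.groups()
            if enc_type == "7":  # stored encrypted: only presence can be checked
                results[current] = "set-encrypted"
            elif expected is None:
                results[current] = "set"
            elif hmac.compare_digest(key.encode(), expected.encode()):
                results[current] = "match"  # equals the string in the DOCSIS file
            else:
                results[current] = "mismatch"
    return results

if __name__ == "__main__":
    print(audit_shared_secret(SAMPLE_CONFIG, expected="EXAMPLE-SECRET"))
```

An interface reported as `missing` or `mismatch` is one where a modem's configuration file is not being checked against the provider's authentication string.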
Data Path 2: Communications Between End-User Devices
We recommend the following security measures for Data Path 2.
Note: Recommendations 70 and 90 apply to traffic across the same CMTS.
Recommendations 100 through 120 apply to traffic across different CMTSs.
# 70
Configure the CMTS to deny IP traffic among:
• Registered integrated cable modems and other remote registered integrated cable
modems
• Registered integrated cable modems and unregistered/registered stand-alone
cable modems
• Registered integrated cable modems and unsubscribed/subscribed PC CPEs
• Registered integrated cable modems and DHCT CPE
• Unregistered/registered stand-alone cable modems and DHCT CPE
• DHCT CPE and other remote DHCT CPE
• DHCT CPE and unsubscribed/subscribed PC CPE
# 80
Configure the CMTS to deny any inbound IP traffic from the cable interface with a
source IP address within the DBDS IP address subnet ranges. This recommendation
reduces the risk of end users spoofing DBDS network elements in the HFC
environment across the same CMTS.