Cisco DNCS System Release 2.7 3.7 4.2 Design Guide
4000358 Rev B
Security Recommendations for the DBDS Network in a DOCSIS Environment
3-19
DBDS Network Security, Continued
Data Path 5: Communication Between Cable Modems, CPEs, and the Internet
# 290
Configure Router 3 to deny any regular traffic and broadcast traffic originating from
the Internet to any cable modem or to any CPE with a private destination IP address.
# 300
Background: After an end-user has subscribed to an Internet service provider, the
PC CPE is assigned a public IP address that allows the user to access the Internet.
Recommendation: Configure Router 3 or the cable service provider’s firewall to
allow IP traffic from the subscribed PC CPE public IP address subnet to the Internet.
# 310
Background: This recommendation reduces the risk of any spoofing of the stand-alone cable modem, integrated cable modem, DHCT CPE, Unsubscribed/Subscribed PC CPE, and DOCSIS servers.
Recommendation: Configure Router 3 or the cable service provider’s firewall to
deny any traffic from the Internet with the following components:
• A private IP source address
• Any IP source address within the public Internet service provider address range reserved to the Internet service provider PC CPE customers
# 320
Configure Router 3 or the cable service provider’s firewall to deny IP and ICMP
traffic from the HFC network (integrated cable modem, stand-alone cable modem,
Unsubscribed PC CPE, or DHCT CPE) with a private source IP address destined to
the Internet.
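The filtering in recommendations 290 through 320, written as Cisco IOS extended access lists. This is an added example, not configuration from the design guide. It assumes Router 3 runs Cisco IOS, that GigabitEthernet0/0 is its Internet-facing interface, that "private" means the RFC 1918 blocks, and it uses 203.0.113.0/24 as a placeholder for the subscribed PC CPE public subnet.

```cisco
! Added example. Interface name and 203.0.113.0/24 are assumptions/placeholders.
!
! Traffic arriving from the Internet
ip access-list extended FROM-INTERNET
 remark 310: a private source address from the Internet is spoofed
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark 310: the PC CPE customer range cannot originate outside the network
 deny   ip 203.0.113.0 0.0.0.255 any
 remark 290: nothing from the Internet may reach a private destination
 remark      (also covers directed broadcasts into the private ranges)
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark Assumption: return traffic to subscribed PC CPEs is allowed
 permit ip any 203.0.113.0 0.0.0.255
 remark Everything else falls to the implicit deny
!
! Traffic leaving toward the Internet
ip access-list extended TO-INTERNET
 remark 320: private sources from the HFC network ("ip" also matches ICMP)
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark 300: only the subscribed PC CPE public subnet may reach the Internet
 permit ip 203.0.113.0 0.0.0.255 any
 remark Everything else falls to the implicit deny
!
interface GigabitEthernet0/0
 description Internet-facing link (assumed interface name)
 ip access-group FROM-INTERNET in
 ip access-group TO-INTERNET out
```

Both lists are bound to the Internet-facing interface so that private-address traffic between HFC devices and internal servers is not affected. The spoofing denies are ordered ahead of the permits because IOS stops at the first matching entry.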
# 330
Cable service providers must carefully manage the bandwidth that they allocate
(using integrated cable modem configuration files) to high speed data customers
connected to DHCTs. This recommendation reduces the risk of traffic flooding that
could impair core DHCT functionality.