Cisco DNCS System Release 2.7 3.7 4.2 Design Guide
3-16
Security Recommendations for the DBDS Network in a DOCSIS Environment
4000358 Rev B
DBDS Network Security, Continued
# 170
Background: Any traffic destined to the DHCT CPE must originate from either the DBDS network or the DHCP server. Router 2 or the CMTS should use source address verification to reduce the risk of forwarding packets that originate anywhere other than the trusted DBDS network.

Recommendation: Configure Router 2 or the CMTS to allow IP traffic originating only from the DBDS or the DHCP server and destined to the DHCT CPE subnets.
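The source address verification that Recommendation 170 asks of the CMTS is, in practice, a check of each upstream packet against the DHCP leases the CMTS has learned (the mechanism Recommendation 190 later names as the cable source-verify (dhcp) option). The following is an added example, not Cisco code or anything from this guide: a constructed model in which the CMTS forwards an upstream packet only when its source IP is a known lease bound to the same CPE MAC and the same cable modem. The class and field names, the lease table and the packets are all assumptions made up for illustration; a real implementation may also ask the DHCP server about addresses it has no binding for, which this model simply drops.

```python
"""Constructed model of DHCP-lease-based source address verification on a
CMTS, the check that Recommendation 190 names as the cable source-verify
(dhcp) option.  Added example, not Cisco code; the lease table and the
packets below are made up for illustration."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Lease:
    ip: IPv4Address
    mac: str        # CPE MAC address the DHCP server bound the IP to
    modem_mac: str  # cable modem through which the DHCP exchange was seen


@dataclass(frozen=True)
class UpstreamPacket:
    modem_mac: str  # cable modem the CMTS received the packet from
    src_mac: str
    src_ip: IPv4Address
    dst_ip: IPv4Address


@dataclass
class SourceVerifyCMTS:
    """Upstream admission: a packet is forwarded only if its source IP is a
    known DHCP lease AND that lease is bound to the same CPE MAC and the
    same cable modem.  The real feature can consult the DHCP server for
    addresses it has no binding for; this model simply drops them."""
    leases: Dict[IPv4Address, Lease] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def learn_dhcp_ack(self, ip: str, mac: str, modem_mac: str) -> None:
        # Binding learned by snooping the DHCP ACK on its way to the CPE.
        addr = IPv4Address(ip)
        self.leases[addr] = Lease(addr, mac.lower(), modem_mac.lower())

    def admit(self, pkt: UpstreamPacket) -> bool:
        lease = self.leases.get(pkt.src_ip)
        if lease is None:
            reason = "no DHCP lease for source address"
        elif lease.mac != pkt.src_mac.lower():
            reason = "source MAC does not match lease"
        elif lease.modem_mac != pkt.modem_mac.lower():
            reason = "lease belongs to a different cable modem"
        else:
            return True
        self.log.append(f"DROP src={pkt.src_ip} mac={pkt.src_mac} "
                        f"modem={pkt.modem_mac}: {reason}")
        return False


def run_scenarios() -> Tuple[List[bool], List[str]]:
    """Constructed scenarios: one legitimate DHCT and three spoof attempts.
    Returns the per-packet decisions and the CMTS drop log."""
    cmts = SourceVerifyCMTS()
    dhct_ip, dhct_mac = "10.20.1.50", "00:11:22:33:44:55"  # constructed
    dhct_modem = "00:aa:bb:cc:dd:01"                        # integrated CM
    cmts.learn_dhcp_ack(dhct_ip, dhct_mac, dhct_modem)
    dbds_host = IPv4Address("10.0.3.3")                     # constructed
    pkts = [
        # 1. the DHCT itself, through its own integrated cable modem
        UpstreamPacket(dhct_modem, dhct_mac, IPv4Address(dhct_ip), dbds_host),
        # 2. PC CPE behind the same integrated modem with a static DHCT IP
        UpstreamPacket(dhct_modem, "00:de:ad:be:ef:01",
                       IPv4Address(dhct_ip), dbds_host),
        # 3. PC CPE behind another modem, copying both the DHCT IP and MAC
        UpstreamPacket("00:aa:bb:cc:dd:02", dhct_mac,
                       IPv4Address(dhct_ip), dbds_host),
        # 4. PC CPE using an address that was never leased at all
        UpstreamPacket("00:aa:bb:cc:dd:02", "00:de:ad:be:ef:01",
                       IPv4Address("10.20.1.51"), dbds_host),
    ]
    return [cmts.admit(p) for p in pkts], cmts.log
```

Only the first packet is forwarded; the other three are dropped with a logged reason, which is the event a NOC should be alerting on. Note the limit of this check: it binds an address to the lease the CMTS saw, so if a PC behind a stand-alone modem obtains its own lease from the DHCT CPE pool (the scenario of Recommendation 180), the packet passes verification, which is why that recommendation adds a filter in the cable modem itself.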
# 180
Background: A PC CPE connected to the Ethernet or USB port of a stand-alone cable modem can spoof a valid DHCT MAC address and thereby obtain a legitimate IP address from the DHCT CPE IP address pool of a DHCP server. Once the IP address is obtained, the PC CPE can access the DBDS network.

To reduce the risk of access to the DBDS network in such a scenario, the cable service provider must add specific filters to the configuration file of their deployed stand-alone cable modems that deny access from any source (behind the cable modem) to the DBDS network. The cable service provider must carefully define the IP address range of the DBDS network that is denied in the configuration file.

Recommendation: The configuration file for the stand-alone cable modem should contain filters that specifically deny any traffic originating from the Ethernet or USB interface and destined to the DBDS network. This recommendation reduces the risk of access to the DBDS network from any source behind a stand-alone cable modem.
# 190
Background: If a PC CPE behind an integrated cable modem is configured with a valid DHCT CPE IP address, the PC CPE will have access to the DBDS network (if the CMTS is not properly configured with the cable source-verify (dhcp) option or an equivalent command from another vendor). In other words, a PC CPE can be configured to spoof a DHCT CPE IP address. To reduce the risk of spoofing of the DHCT CPE IP address behind the integrated cable modem, we recommend that you follow the security measures in the following recommendation:

Recommendation: The docsDevIpFilterTable filter in the integrated cable modem should be set to deny any traffic originating from the Ethernet or USB interface and destined for the DBDS network. This recommendation reduces the risk of access to the DBDS network from a PC CPE configured with a valid DHCT CPE IP address (or spoofing a DHCT CPE) behind an integrated cable modem.
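Recommendations 170, 180 and 190 all come down to prefix-based filters evaluated first-match with a default action: an ingress rule set on Router 2 or the CMTS that admits traffic toward the DHCT CPE subnets only from the DBDS network or the DHCP server, and a rule set in the cable modem (the docsDevIpFilterTable on an integrated modem, the equivalent filters in a stand-alone modem's configuration file) that discards anything entering on the CPE-side Ethernet or USB interface and addressed to the DBDS range. The block below is an added example, not Cisco code and not this guide's own configuration; it models both rule sets and runs constructed packets through them. The DBDS, DHCP server and DHCT CPE prefixes, the interface names and the `Rule`/`FilterList` classes are assumptions chosen for illustration, and the evaluator is a simplification (no protocol or port matching).

```python
"""Constructed model of the two prefix filters this section prescribes:
Router 2 / CMTS ingress rules (Recommendation 170) and the cable modem
IP filter for the CPE-side Ethernet/USB interfaces (Recommendations 180
and 190).  Added example, not Cisco code; every address is made up."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    in_if: Optional[str] = None  # None = any ingress interface

    def matches(self, src_ip: IPv4Address, dst_ip: IPv4Address,
                in_if: Optional[str]) -> bool:
        return ((self.in_if is None or self.in_if == in_if)
                and src_ip in self.src and dst_ip in self.dst)


class FilterList:
    """First-match rule list with an explicit default action, the same
    evaluation model as an IOS ACL or a DOCSIS docsDevIpFilterTable
    (where the MIB spells the actions 'accept' and 'discard')."""

    def __init__(self, rules: List[Rule], default: str) -> None:
        self.rules = list(rules)
        self.default = default

    def decide(self, src_ip: str, dst_ip: str,
               in_if: Optional[str] = None) -> str:
        s, d = IPv4Address(src_ip), IPv4Address(dst_ip)
        for rule in self.rules:
            if rule.matches(s, d, in_if):
                return rule.action
        return self.default


ANY = IPv4Network("0.0.0.0/0")
DBDS_NET = IPv4Network("10.0.0.0/16")          # constructed DBDS range
DHCP_SERVER = IPv4Network("10.0.5.10/32")      # constructed DHCP server
DHCT_CPE_NETS = [IPv4Network("10.20.0.0/16")]  # constructed DHCT CPE pool


def router2_ingress_acl() -> FilterList:
    """Recommendation 170: toward the DHCT CPE subnets, permit only the DBDS
    network and the DHCP server as sources and drop every other source.
    Traffic to other destinations is left to other policy (default permit)."""
    rules: List[Rule] = []
    for cpe_net in DHCT_CPE_NETS:
        rules += [Rule("permit", DBDS_NET, cpe_net),
                  Rule("permit", DHCP_SERVER, cpe_net),
                  Rule("deny", ANY, cpe_net)]
    return FilterList(rules, default="permit")


def cable_modem_cpe_filter() -> FilterList:
    """Recommendations 180/190: discard anything entering on the CPE-side
    Ethernet or USB interface that is addressed to the DBDS range.  The
    operator must define DBDS_NET carefully so the deny covers the whole
    DBDS network; the RF (cable) side is not subject to these rules."""
    rules = [Rule("deny", ANY, DBDS_NET, in_if="ethernet"),
             Rule("deny", ANY, DBDS_NET, in_if="usb")]
    return FilterList(rules, default="permit")


def run_checks() -> Dict[str, str]:
    """Constructed packets run through both filters; returns the verdicts."""
    acl, cm = router2_ingress_acl(), cable_modem_cpe_filter()
    return {
        "r2_dbds_to_dhct":      acl.decide("10.0.3.3", "10.20.1.50"),
        "r2_dhcp_to_dhct":      acl.decide("10.0.5.10", "10.20.1.50"),
        "r2_internet_to_dhct":  acl.decide("192.0.2.7", "10.20.1.50"),
        "r2_internet_to_other": acl.decide("192.0.2.7", "203.0.113.9"),
        "cm_eth_to_dbds":       cm.decide("10.20.1.50", "10.0.3.3", "ethernet"),
        "cm_usb_to_dbds":       cm.decide("10.20.1.50", "10.0.3.3", "usb"),
        "cm_eth_to_internet":   cm.decide("10.20.1.50", "203.0.113.9", "ethernet"),
        "cm_cable_to_cpe":      cm.decide("10.0.3.3", "10.20.1.50", "cable"),
    }
```

The two rule sets are deliberately independent: the Router 2 ACL protects the DHCT CPE subnets from sources outside the DBDS, while the cable modem filter protects the DBDS from anything behind the modem, including a PC that holds a valid DHCT CPE address. When reviewing a deployed modem configuration file, the check that matters is that every DBDS prefix appears in the deny rules for both CPE interfaces, since a single omitted range reopens the path the recommendation closes.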