Cisco DNCS System Release 2.2 3.2 Design Guide
3-18
Security Recommendations for the DBDS Network in a DOCSIS Environment
4000358 Rev B
DBDS Network Security, Continued
# 240
Configure Router 1 to allow outbound ICMP echo request messages from the DBDS network.
# 250
Configure Router 1 to deny any inbound ICMP echo request messages from any source. This recommendation reduces the risk of ping floods toward the DBDS network.
# 260
Configure Router 1 to allow inbound ICMP echo reply messages only from DHCT CPE subnets. Because a stateless filter cannot tell whether a reply answers a request the DBDS actually sent, this rule limits, rather than eliminates, the ICMP traffic that can reach the DBDS network from outside.
# 270
Background: An attacker inside the cable service provider's network may send a spoofed ICMP echo request packet that uses a valid DBDS network element IP address (the victim) as the source and a directed broadcast address as the destination, in this case the broadcast address of a valid DHCT subnet, which is thereby used as a smurf reflector. Every host on that subnet answers the request, so the DHCTs become unwitting accomplices that flood the victim. To reduce the risk of such attacks, Router 2 or the CMTS should be configured not to forward IP directed broadcast traffic out of any interface. The IOS command no ip directed-broadcast stops the router from translating a directed broadcast destined for the attached subnet into a link-layer broadcast on that interface; the packet is dropped instead, so the hosts on the DHCT subnet never see the spoofed echo request. This has been the IOS default since release 12.0, but it should be verified on every interface rather than assumed.
Recommendation: Configure Router 2 or the CMTS on all interfaces with the command no ip directed-broadcast (or the equivalent vendor-specific command). This recommendation reduces the risk of smurf attacks on the DBDS private network.
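The following Cisco IOS configuration fragment is an added example, not part of the original guide, showing one way to express recommendations 240 through 270 on Router 1 and Router 2. The interface names, the DBDS network prefix 10.253.0.0/16 and the DHCT CPE range 10.64.0.0/12 are assumptions chosen for illustration; substitute the site's actual addressing and interfaces, and keep the other data-path rules from this guide in the same access lists.

```ios
! Added example for recommendations 240-270 (not from the original guide).
! Assumed addressing: DBDS network 10.253.0.0/16, DHCT CPE subnets 10.64.0.0/12.
! Assumed interfaces: Router 1 FastEthernet0/1 faces the cable service provider
! IP network; Router 2 FastEthernet0/0 and 0/1 face DHCT subnets.
!
! ---- Router 1 ----
! Traffic entering the DBDS from the provider network (applied "in" on the
! provider-facing interface).
ip access-list extended DBDS-ICMP-IN
 remark #260: echo replies accepted only when sourced from DHCT CPE subnets
 permit icmp 10.64.0.0 0.15.255.255 10.253.0.0 0.0.255.255 echo-reply
 remark #250: no inbound echo requests from any source (limits ping floods)
 deny   icmp any 10.253.0.0 0.0.255.255 echo log
 remark other inbound DBDS data-path rules from this guide belong here;
 remark IOS ends every access list with an implicit "deny ip any any"
!
! Traffic leaving the DBDS toward the provider network (applied "out").
ip access-list extended DBDS-ICMP-OUT
 remark #240: echo requests may originate from the DBDS network
 permit icmp 10.253.0.0 0.0.255.255 any echo
 remark other outbound DBDS rules belong here (implicit deny follows)
!
interface FastEthernet0/1
 description Link to cable service provider IP network (assumed name)
 ip access-group DBDS-ICMP-IN in
 ip access-group DBDS-ICMP-OUT out
!
! ---- Router 2 (or the CMTS, using its vendor's equivalent command) ----
! #270: never translate a directed broadcast into a link-layer broadcast,
! so a DHCT subnet cannot be used as a smurf reflector.
interface FastEthernet0/0
 description DHCT subnet A (assumed name)
 no ip directed-broadcast
!
interface FastEthernet0/1
 description DHCT subnet B (assumed name)
 no ip directed-broadcast
!
end
```

After applying the configuration, `show ip interface FastEthernet0/0` on Router 2 should report that directed broadcast forwarding is disabled for each DHCT-facing interface, and `show access-lists` on Router 1 shows per-entry hit counts, so a sustained count on the #250 deny entry is an early indicator of a ping flood aimed at the DBDS. The access lists are stateless: the #260 entry admits any packet that claims to be an echo reply from a DHCT CPE address, whether or not the DBDS sent a request. Where Router 1 supports reflexive access lists, permitting replies only for requests that left through DBDS-ICMP-OUT tightens this further.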
# 280
Disable routing (IP forwarding) on all DBDS servers (for example, the Application Server and EMS) that are multi-homed, that is, have interfaces on both the DBDS network and on the cable service provider's IP network. Otherwise such a server can be used as an unfiltered path between the two networks that bypasses the controls on Router 1.
Data Path 4: Communication Between Cable Service Provider Servers and Internet Service Provider Servers
It is assumed that security policies are already in place between the cable service provider's servers and the Internet service provider's servers. Therefore, security measures for these servers are outside the scope of this guide. If the cable service provider is also the Internet service provider for the end user, then Data Path 4 does not exist.