Design Guide for Cisco DNCS System Release 2.7 3.7 4.2
3-20
Security Recommendations for the DBDS Network in a DOCSIS Environment
4000358 Rev B
DBDS Network Security, Continued
Data Path 6: Communication Between the Internet and the Application Servers
Data Path 6 is implemented with the standard configuration of the Cisco DNCS. It is
assumed that the application servers communicate with specific servers on the
Internet on specific ports designated by the application vendor, and that the security
policies regarding this path are already in place on the cable service provider’s
network. Since the physical connectivity of those servers to the DBDS network is
server-specific, it is assumed (and is recommended, if not implemented as such
today) that those servers support two network interfaces. One interface handles
internal DBDS traffic, and the other handles Internet traffic. It is also assumed that
the application server vendor provides network address translation (NAT)
functionality through a proxy server for any bi-directional traffic from DHCT CPE to
the Internet.
# 340
You must configure the application servers that require access to the Internet with
support for two network interfaces. Configure one interface with a private IP
address for DBDS traffic, and configure the other interface with a public IP address
for Internet traffic.
# 350
Background: Recommendation 350 is the same as Recommendation 280, but is
repeated here specifically for the application servers.
Recommendation: Disable routing on all application servers that are multi-homed
(or have interfaces) to both the DBDS network and the cable service provider’s
network.
Data Path 7: Communication Between DBDS Network Elements and the Internet
# 360
Configure Router 3 or the cable service provider’s firewall to deny IP and ICMP
traffic from any network element in the DBDS private network destined to the
Internet.
# 370
Configure Router 3 or the cable service provider’s firewall to deny any traffic from
the Internet with a private source IP address. This recommendation reduces the risk
of traffic that spoofs the address of any DBDS network element (DNCS, EMS, QPSK,
QAM, BIG, and so forth).
# 380
Configure Router 3 or the cable service provider’s firewall to deny IP and ICMP
traffic coming from the Internet destined to any private IP address.
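The following Python model is an added example, not configuration or code from the Cisco guide. It expresses Recommendations 360, 370 and 380 as an ordered, first-match filter policy for Router 3 (or the provider firewall) and runs a few constructed packets through it, so the interaction of the egress rule (360), the anti-spoofing rule (370) and the ingress rule (380) can be checked before it is written as device ACLs. The DBDS prefix 10.253.0.0/16, the interface names "dbds" and "internet", and every address in the sample flows are constructed placeholders; only the RFC 1918 ranges are real.

```python
"""Model of the Router 3 / provider-firewall policy for Data Path 7
(Recommendations 360, 370, 380). Added example, not Cisco's own
configuration; the DBDS prefix and all packet addresses are constructed."""
import ipaddress
from dataclasses import dataclass

# RFC 1918 private address space: the "private IP address" of Recs 370/380.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed (constructed) prefix of the DBDS private network behind Router 3.
DBDS_NET = ipaddress.ip_network("10.253.0.0/16")


@dataclass(frozen=True)
class Packet:
    ingress: str  # interface the packet arrived on: "dbds" or "internet" (assumed names)
    src: str
    dst: str
    proto: str    # "tcp", "udp", "icmp", ...


def is_private(addr: str) -> bool:
    """True if addr falls in any RFC 1918 range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def filter_packet(pkt: Packet) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'deny' or 'permit'.
    Rules are evaluated in order and the first match wins, as in an ACL."""
    src = ipaddress.ip_address(pkt.src)

    if pkt.ingress == "dbds":
        # Rec 360: no IP/ICMP from a DBDS element may leave toward the Internet.
        if src in DBDS_NET and not is_private(pkt.dst):
            return "deny", "rec360: DBDS element -> Internet"
    elif pkt.ingress == "internet":
        # Rec 370: anti-spoofing. A packet arriving from the Internet can never
        # legitimately carry a private source, so it is dropped before anything else.
        if is_private(pkt.src):
            return "deny", "rec370: private source from Internet (spoofed)"
        # Rec 380: the Internet must not reach any private destination.
        if is_private(pkt.dst):
            return "deny", "rec380: Internet -> private destination"
    return "permit", "no Data Path 7 deny rule matched"


def evaluate_sample_flows() -> dict[str, str]:
    """Run constructed sample packets through the policy; returns name -> verdict."""
    samples = {
        # Constructed DNCS address 10.253.1.10 trying to reach an Internet host.
        "dncs_to_internet": Packet("dbds", "10.253.1.10", "203.0.113.5", "tcp"),
        "dncs_ping_internet": Packet("dbds", "10.253.1.10", "203.0.113.5", "icmp"),
        # Internal DBDS traffic: no Data Path 7 rule applies.
        "dncs_to_qam_internal": Packet("dbds", "10.253.1.10", "10.253.2.20", "udp"),
        # Internet-side packet forging a QAM's private address as its source.
        "spoofed_private_src": Packet("internet", "10.253.2.20", "203.0.113.40", "udp"),
        # Internet host probing a private DBDS address directly.
        "internet_to_private": Packet("internet", "198.51.100.7", "10.253.1.10", "icmp"),
        # Internet host reaching an application server's public interface (Data Path 6).
        "internet_to_public_appserver": Packet("internet", "198.51.100.7", "203.0.113.40", "tcp"),
    }
    return {name: filter_packet(pkt)[0] for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_sample_flows().items():
        print(f"{name:30s} {verdict}")
```

Rule order matters: the anti-spoofing check of Recommendation 370 is placed before the destination check of Recommendation 380 so that a spoofed packet is logged under the reason that actually describes it, which is what an operator reviewing deny counters on Router 3 will want to see.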