Design Guide for Cisco DNCS System Release 2.7 3.7 4.2
4000358 Rev B
Security Recommendations for the DBDS Network in a DOCSIS Environment
3-15
DBDS Network Security, Continued
Data Path 3: Communication Between DBDS Private Network and End-User Devices
To implement the security recommendations for Data Path 3, the allocation of IP
addresses to cable modems and PC CPEs operating on HFC nodes within the DBDS
span of control should be within subnets distinct from DHCT CPE and all DBDS
private network subnets, as described in recommendation #10. This type of
allocation reduces the risk of data traffic from these devices entering the DBDS
private network.
The cable service provider must include in their access list the specific subnets and
port numbers that need to be filtered. A list of the ports specific to DBDS broadcast
traffic can be obtained from Cisco.
Cisco recommends the following security measures for Data Path 3.
# 140
Configure Router 1 to allow inbound IP traffic (from Router 2) destined to the DBDS
private network from only DHCT CPE subnets.
# 150
Background: Because access lists can affect performance, the cable service providers
may choose to not implement Recommendation 150 if they implement
Recommendation 140, even though the filter is closer to the source of the traffic if it
is implemented on Router 2. However, according to the High-Level View of Data
Paths and Traffic Flows in the DBDS Network diagram, earlier in this section,
Router 1 is the gateway to the DBDS network and is an appropriate place to
implement all the security policies pertaining to the DBDS private network.
Recommendation: Configure the CMTS or Router 2 to allow inbound IP traffic
destined to the DBDS private network from only DHCT CPE subnets.
# 160
Configure Router 1 to deny IP traffic between:
• Registered integrated cable modems and the DBDS private network
• Unregistered/Registered stand-alone cable modems and the DBDS private network
• Unsubscribed/Subscribed PC CPE and the DBDS private network
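Added example, not taken from the Cisco guide: an IOS extended access list on Router 1's interface toward Router 2 that implements Recommendations 140 and 160 together, in both directions because 160 denies traffic "between" the listed devices and the DBDS private network. The address plan, ACL names and interface name are constructed placeholders, and the final permit for traffic not destined to the DBDS private network is an assumption.

```cisco
! Constructed placeholder address plan (not from the guide):
!   10.1.0.0/16   DBDS private network
!   10.10.0.0/16  DHCT CPE subnets
!   10.20.0.0/16  integrated and stand-alone cable modem subnets
!   10.30.0.0/16  PC CPE subnets
ip access-list extended DBDS-INBOUND
 remark Rec. 140: only DHCT CPE subnets may reach the DBDS private network
 permit ip 10.10.0.0 0.0.255.255 10.1.0.0 0.0.255.255
 remark Rec. 160: cable modem and PC CPE subnets are denied; log hits for detection
 deny   ip 10.20.0.0 0.0.255.255 10.1.0.0 0.0.255.255 log
 deny   ip 10.30.0.0 0.0.255.255 10.1.0.0 0.0.255.255 log
 remark Catch-all: any other source to the DBDS private network is denied
 deny   ip any 10.1.0.0 0.0.255.255 log
 remark Assumption: traffic not destined to the DBDS private network passes
 permit ip any any
!
ip access-list extended DBDS-OUTBOUND
 remark Rec. 160, reverse direction: DBDS private network must not reach CM or PC CPE subnets
 deny   ip 10.1.0.0 0.0.255.255 10.20.0.0 0.0.255.255 log
 deny   ip 10.1.0.0 0.0.255.255 10.30.0.0 0.0.255.255 log
 permit ip any any
!
interface GigabitEthernet0/1
 description Link to Router 2 (Router 1 is the gateway to the DBDS private network)
 ip access-group DBDS-INBOUND in
 ip access-group DBDS-OUTBOUND out
```

The `log` keyword on the deny entries makes unexpected cable modem or PC CPE traffic toward the DBDS private network visible in syslog, and `show ip access-lists DBDS-INBOUND` shows per-entry match counters for verifying the policy.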