Cisco DNCS System Release 2.7 3.7 4.2 设计指南
4000358 Rev B
Security Recommendations for the DBDS Network in a DOCSIS Environment
3-17
DBDS Network Security,
Continued
# 200
Configure Router 1 to deny any inbound IP traffic (from Router 2 or Router 3) with a
Configure Router 1 to deny any inbound IP traffic (from Router 2 or Router 3) with a
source IP address within the DBDS IP address subnet range. This recommendation
reduces the risk of end users spoofing the DBDS network elements in the cable
service provider’s IP network.
# 210
Background: The fewer programs, applications, and users that you allow on a host
# 210
Background: The fewer programs, applications, and users that you allow on a host
reduces the potential avenues that an attacker can use to compromise the host.
Keeping services on any server to a minimum makes it tougher for the attackers to
use that server as a springboard and therefore reduces the risk of other devices in the
network getting compromised. Cisco recommends that you remove any unneeded
programs, applications, users, and development tools from all DBDS servers.
Examples of common network services and their associated ports that should be
removed from any server unless absolutely required are DNS (53), FTP(21 and 20),
HTTP (80), HTTPS (443), SMTP (25), POP (110), TFTP (69), DHCP (67 and 68), TOD
(37), and telnet (23).
Recommendation: Remove any unnecessary programs, users, common network
Recommendation: Remove any unnecessary programs, users, common network
services, and associated ports from all DBDS network servers (for example, DNCS,
Application servers, EMS), and leave only those required. This recommendation
reduces the risk of vulnerability to attack on the DBDS.
# 220
If telnet is required on any DBDS network element, the cable service provider should
# 220
If telnet is required on any DBDS network element, the cable service provider should
allow outbound telnet connections from that network element, but deny any
inbound telnet connections unless authenticated.
# 230
Background: As a general policy, Router 1 should allow outbound ICMP messages
# 230
Background: As a general policy, Router 1 should allow outbound ICMP messages
from the DBNDS network and allow selected inbound ICMP traffic. In addition to
recommendations 230 through 260, you need to decide, based on your network
needs, which other ICMP packets you wish to allow or restrict on the DBDS
network.
Recommendation: Configure Router 1 to deny inbound ICMP redirect messages
Recommendation: Configure Router 1 to deny inbound ICMP redirect messages
from any source.