
390
Cross-Platform Release Notes for Cisco IOS Release 12.0S
OL-1617-14 Rev. Q0
Caveats
Resolved Caveats—Cisco IOS Release 12.0(33)S6
Workaround: The workaround consists of filtering UDP packets to port 2067 and IP protocol 91
packets. Filters can be applied at network boundaries to filter all IP protocol 91 packets and UDP
packets to port 2067, or filters can be applied on individual affected devices to permit such traffic
only from trusted peer IP addresses. However, because both protocols are connectionless, an
attacker can spoof malformed packets from legitimate peer IP addresses.
As soon as DLSw is configured, the Cisco IOS device begins listening on IP protocol 91. However,
this protocol is used only if DLSw is configured for Fast Sequenced Transport (FST). A DLSw FST
peer configuration will contain the following line:
dlsw remote-peer 0 fst <ip-address>
If FST is used, filtering IP protocol 91 will break the operation, so filters need to permit protocol 91
traffic from legitimate peer IP addresses.
It is possible to disable UDP processing in DLSw with the dlsw udp-disable command. However,
disabling UDP only prevents the sending of UDP packets; it does not prevent the receiving and
processing of incoming UDP packets. To protect a vulnerable device from malicious packets arriving
on UDP port 2067, both of the following actions must be taken:
1. Disable outgoing UDP packets with the dlsw udp-disable command, and
2. Filter UDP port 2067 on the vulnerable device using an infrastructure ACL.
* Using Control Plane Policing on Affected Devices
Control Plane Policing (CoPP) can be used to block untrusted DLSw traffic to the device. Cisco IOS
software releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T support the CoPP feature. CoPP may
be configured on a device to protect the management and control planes to minimize the risk and
effectiveness of direct infrastructure attacks by explicitly permitting only authorized traffic sent to
infrastructure devices in accordance with existing security policies and configurations. The
following example, which uses 192.168.100.1 to represent a trusted host, can be adapted to your
network. If FST is not used, protocol 91 may be completely filtered. Additionally, if UDP is disabled
with the dlsw udp-disable command, UDP port 2067 may also be completely filtered.
!--- Deny DLSw traffic from trusted hosts to all IP addresses
!--- configured on all interfaces of the affected device so that
!--- it will be allowed by the CoPP feature.
access-list 111 deny udp host 192.168.100.1 any eq 2067
access-list 111 deny 91 host 192.168.100.1 any
!--- Permit all other DLSw traffic sent to all IP addresses
!--- configured on all interfaces of the affected device so that it
!--- will be policed and dropped by the CoPP feature.
access-list 111 permit udp any any eq 2067
access-list 111 permit 91 any any
!--- Permit (Police or Drop)/Deny (Allow) all other Layer 3 and Layer 4
!--- traffic in accordance with existing security policies and
!--- configurations for traffic that is authorized to be sent
!--- to infrastructure devices.
!--- Create a Class-Map for traffic to be policed by
!--- the CoPP feature.
class-map match-all drop-DLSw-class
 match access-group 111
!--- Create a Policy-Map that will be applied to the
!--- Control-Plane of the device.