Cisco OL-4015-08 Bedienungsanleitung PDF herunterladen (Seite 39)

391

Cross-Platform Release Notes for Cisco IOS Release 12.0S

OL-1617-14 Rev. Q0

Caveats

Resolved Caveats—Cisco IOS Release 12.0(33)S6

policy-map drop-DLSw-traffic

class drop-DLSw-class

drop

!--- Apply the Policy-Map to the Control-Plane of the

!--- device.

control-plane

service-policy input drop-DLSw-traffic

In the above CoPP example, the access control entries (ACEs) that match the potential exploit

packets with the “permit” action result in these packets being discarded by the policy-map “drop”

function, while packets that match the “deny” action (not shown) are not affected by the policy-map

drop function. Please note that in the Cisco IOS 12.2S and 12.0S trains, the policy-map syntax is

different:

policy-map drop-DLSw-traffic

class drop-DLSw-class

police 32000 1500 1500 conform-action drop exceed-action drop

Additional information on the configuration and use of the CoPP feature is available at:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper

0900aecd804fa16a.html

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html

* Using Infrastructure ACLs at Network Boundary

Although it is often difficult to block traffic transiting your network, it is possible to identify traffic

that should never be allowed to target your infrastructure devices and block that traffic at the border

of your network. iACLs are a network security best practice and should be considered as a long-term

addition to good network security as well as a workaround for this specific vulnerability. The iACL

example shown below should be included as part of the deployed infrastructure access-list that will

protect all devices with IP addresses in the infrastructure IP address range. If FST is not used,

protocol 91 may be completely filtered. Additionally, if UDP is disabled with the dlsw udp-disable

command, UDP port 2067 may also be completely filtered.

!--- Permit DLSw (UDP port 2067 and IP protocol 91) packets

!--- from trusted hosts destined to infrastructure addresses.

access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 2067

access-list 150 permit 91 TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK

!--- Deny DLSw (UDP port 2067 and IP protocol 91) packets from

!--- all other sources destined to infrastructure addresses.

access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 2067

access-list 150 deny 91 any INFRASTRUCTURE_ADDRESSES MASK

!--- Permit/deny all other Layer 3 and Layer 4 traffic in accordance

!--- with existing security policies and configurations.

!--- Permit all other traffic to transit the device.

access-list 150 permit ip any any

interface serial 2/0

ip access-group 150 in

The white paper entitled “Protecting Your Core: Infrastructure Protection Access Control Lists”

presents guidelines and recommended deployment techniques for infrastructure protection access

lists. This white paper can be obtained at the following link:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper

09186a00801a1a55.shtml

Further Problem Description: This vulnerability occurs on multiple events to be exploited. It is

medium complexity in order to exploit and has never been seen in customers environment.

1 2 ... 34 35 36 37 38 39 40 41 42 43 44 ... 677 678

Kommentare zu diesen Handbüchern

Keine Kommentare

Cisco OL-4015-08 Bedienungsanleitung Seite 39

Kommentare zu diesen Handbüchern

Verwandte Produkte und Handbücher für Vernetzung Cisco OL-4015-08