3.2.2 Set inbound 'ip access-group' on the External Interface

Information

This command places the router in access-list configuration mode, where you must define the denied or permitted access conditions by using the deny and permit commands.

Rationale:

Configuring access controls can help prevent spoofing attacks. To reduce the effectiveness of IP spoofing, configure access control to deny any traffic from the external network that has a source address that should reside on the internal network. Include local host address or any reserved private addresses (RFC 1918).

Ensure the permit rule(s) above the final deny rule only allow traffic according to your organization's least privilege policy.

Impact:

Organizations should plan and implement enterprise security policies explicitly permitting and denying access based upon access lists. Using the 'ip access-group' command enforces these policies by explicitly identifying groups permitted access.

Solution

Apply the access-group for the external (untrusted) interface

hostname(config)#interface {external_interface}
hostname(config-if)#ip access-group {name | number} in

Default Value:

No access-group defined

See Also

https://workbench.cisecurity.org/files/3829

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-6, 800-53|CM-7, 800-53|SC-23, CSCv7|11

Plugin: Cisco

Control ID: 446b3919ff67e64895f8a51016f1351a35f5aeecd38d76c31bc80f17116b4d04