3.2.5 Disable IP Source-Routing

Information

A malicious actor can influence the path that their traffic takes by using source routing. Disabling this on the NX-OS platform stops the device from honouring source-routing options for all transit traffic.

Solution

switch(config)# no ip source-route

Impact:

Source routing can be used to influence the path taken by attack traffic, potentially steering it around devices that implement network protections which might otherwise detect or prevent the attack.
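The following is an added example, not part of this audit item or of Tenable's own plugin logic: a small Python audit that reads an NX-OS running configuration and reports whether this control passes. It assumes, as the control itself implies, that source routing stays enabled unless a global `no ip source-route` line is present, and that a later `ip source-route` line would re-enable it; the two configuration excerpts are constructed samples, not output from a real device.

```python
"""Audit an NX-OS running-config for CIS 3.2.5 (IP source routing disabled).

Added example for illustration; the sample configs below are constructed.
"""
import re

# Constructed sample running-config excerpts (not from a real device).
CONFIG_HARDENED = """\
version 9.3(5)
hostname nxos-core-1
no ip source-route
feature interface-vlan
"""

CONFIG_DEFAULT = """\
version 9.3(5)
hostname nxos-edge-2
feature interface-vlan
"""

# Matches the global 'ip source-route' / 'no ip source-route' command only.
SOURCE_ROUTE_RE = re.compile(r"^\s*(no\s+)?ip\s+source-route\s*$", re.IGNORECASE)


def source_routing_disabled(running_config: str) -> bool:
    """Return True only if the config explicitly disables IP source routing.

    Assumption: the feature is enabled unless 'no ip source-route' appears,
    so an empty or untouched config counts as a finding. If the command
    appears more than once, the last occurrence wins, as on the device.
    """
    enabled = True  # assumed platform default
    for line in running_config.splitlines():
        match = SOURCE_ROUTE_RE.match(line)
        if match:
            # group(1) is the 'no ' prefix: present -> disabled, absent -> enabled
            enabled = match.group(1) is None
    return not enabled


def audit(running_config: str) -> dict:
    """Produce a pass/fail record with the remediation from the Solution section."""
    disabled = source_routing_disabled(running_config)
    return {
        "control": "3.2.5 Disable IP Source-Routing",
        "status": "PASS" if disabled else "FAIL",
        "remediation": None if disabled else "switch(config)# no ip source-route",
    }


if __name__ == "__main__":
    for name, cfg in (("hardened", CONFIG_HARDENED), ("default", CONFIG_DEFAULT)):
        print(name, audit(cfg))
```

Feed the function the text of `show running-config` captured from the switch; the regex is anchored to the whole line so that interface-level or unrelated commands containing the word "source" are not mistaken for the global setting.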

See Also

https://workbench.cisecurity.org/benchmarks/16139

Item Details

Category: CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|CP-6, 800-53|CP-7, 800-53|PL-8, 800-53|PM-7, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, 800-53|SC-7, CSCv7|9

Plugin: Cisco

Control ID: 72a78ca3a4b5ace66ee7959c699822654117d0cbab52a947ec757f3c926038ee