Router Security Configuration Guide Supplement - Security for IPv6 Routers
| Field | Value |
|---|---|
| Name | Router Security Configuration Guide Supplement – Security for IPv6 Routers |
| Version | v1.0 |
| Status | Final |
| Creation Date | 2006-07 |
| Revision Date | 2006-05-23 |
| Product Category | Network Router |
| Vendor | Cisco Systems |
| Product | Cisco Internetwork Operating System 12.3 through 12.4T (12.3, 12.3T, 12.4, 12.4T) |
| Product Version | 12.3 through 12.4T (12.3, 12.3T, 12.4, 12.4T) |
| Product Role | IPv6 Border or Gateway Router |
| Checklist Summary | This document is a supplement to the NSA Router Security Configuration Guide (RSCG) version 1.1c. It provides background information about IP version 6, discusses threats and threat mitigation for IPv6, and provides specific directions and rationale for configuring Cisco IOS routers for secure IPv6 operation. Specific topic areas covered include basic IPv6 configuration, IPv6 packet filtering, IPv6 routing security, protecting IPv6 traffic with IPSec, simple IPv6 rate limiting, and basic IPv6 firewall protections. |
| Known Issues | 1. This document should not be applied by itself; for best results, apply the full NSA RSCG first, then apply the guidance in this document. |
| | 2. This document does not address security for IPv6 multicast. |
| | 3. Some of the security features described in this checklist are available only in particular releases of IOS. |
| | 4. Community consensus best practices have not yet emerged in some areas of IPv6 security. |
| Target Audience | Network administrators and network security officers are the primary audience for this configuration guide. Throughout the text the familiar pronoun “you” is used for guidance directed specifically to them. Most network administrators are responsible for managing the connections within their networks, and between their network and various other networks. Network security officers are usually responsible for selecting and deploying the assurance measures applied to their networks. For this audience, this guide provides security goals and guidance, along with specific examples of configuring Cisco IOS routers to meet those goals. In particular, this supplement is designed for managers of networks that support both IPv4 and IPv6. |
| Target Operational Environment | Enterprise-wide distribution. |
| Checklist Installation Tools | |
| Rollback Capability | Not available. |
| Testing Information | The guidance in this document has undergone extensive lab testing, but only cursory operational testing. IOS versions used in testing included many releases of IOS 12.3, 12.3T, 12.4, and 12.4T. The most testing was performed on version 12.4. Hardware platforms used in testing: C3620, C3640, and C3725. |
| NIAP/CMVP Status | |
| Regulatory Compliance | No |
| Comments, Warnings, Disclaimer, Miscellaneous | This document is only a guide to recommended security settings for Internet Protocol version 6 (IPv6) routers, particularly routers running Cisco Systems Internetwork Operating System (IOS) versions 12.3 through 12.4 and 12.4T. It does not provide comprehensive guidance; the directions in this document should be used in conjunction with the NSA Router Security Configuration Guide 1.1c or later. The advice in this document cannot replace well-designed policy or sound judgment. This supplement does not address site-specific configuration issues. Care must be taken when implementing the security steps specified in this document. Ensure that all security steps and procedures chosen from this guide are thoroughly tested and reviewed prior to imposing them on an operational network. |
| Disclaimer | SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE EXPRESSLY DISCLAIMED. IN NO EVENT SHALL THE CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| Product Support | |
| Submitting Organization/Authors | National Security Agency |
| Point of Contact | SNAC.Guides@nsa.gov |
| Sponsor | |
| Licensing | Refer to the legal statement posted at: http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/routers/I33-002R-06.pdf |
| Checklist Homepage | http://www.nsa.gov/ia/ |
| Download Package | I33-002R-06.pdf |
| Integrity | SHA1 (I33-002R-06.pdf) = cf173c16642e7871bcabbb4b64c0054be708acd3 |
| | SHA256 (I33-002R-06.pdf) = 82df63e87955b1cdd5d0d602e74f8b800c5bbf2521c718cb81442ad4da4c05a0 |
| Change History | |
| Dependency/Requirement | Router Security Configuration Guide 1.1c (December 2005) |
| References | CERT (http://www.cert.org/). The Carnegie Mellon University Computer Emergency Response Team (CERT) maintains a web site about network vulnerabilities. Many of the incident reports, advisories, and tips are relevant to router security. |
| | Cisco Documentation (http://www.cisco.com/univercd/home/home.htm). This is the root of the Cisco documentation tree. From this page, you can find IOS software documentation, tutorials, case studies, and more. |
| | Cisco Press (http://www.ciscopress.com/). At the web site of Cisco's publishing arm, you can order a wide variety of books about Cisco routers and related networking technologies. |
| | Cisco Security Technical Tips (http://www.cisco.com/warp/public/707/). This page is the root of Cisco's security area. From here, you can find Cisco security advisories, information about security technologies, and more. |
| | IETF (http://www.ietf.org/, http://www.rfc-editor.org/). The IETF is the standards body that defines and maintains the protocol standards for the Internet. Use these sites to look up protocol standards and track emerging technologies that are becoming standards. |
| | Microsoft (http://www.microsoft.com/, http://support.microsoft.com/support/). Microsoft's site offers extensive information about networking their products, and about product vulnerabilities. This information can often be helpful in configuring routers that protect Microsoft-based networks. |
| NIST Identifier | 1096 |
NIST and the checklist submitter do not guarantee or warrant the checklist's
accuracy or completeness. NIST is not responsible for loss, damage, or
problems that may be caused by using the checklist.