The Dell OS10 Switch must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
medium | V-269798 | SRG-APP-000435-NDM-000315 | OS10-NDM-000800 | SV-269798r1051779_rule | 2024-12-11 | 1 |
Description |
---|
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This requirement addresses the configuration of network devices to mitigate the impact of DoS attacks that have occurred or are ongoing on device availability. For each network device, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or restricting the number of sessions the device opens at one time). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks. The security safeguards cannot be defined at the DOD level because they vary according to the capabilities of the individual network devices and the security controls applied on the adjacent networks (for example, firewalls performing packet filtering to block DoS attacks). |
ℹ️ Check |
---|
Determine if the OS10 Switch protects against or limits the effects of all known types of DoS attacks by employing organization-defined security safeguards. Dell OS10 Switches provide DoS protection via control plane ACLs and Control Plane Policing (CoPP).

Use the show control-plane info command to verify that the CoPP queue rate limits are appropriate to implement the organization-defined security safeguards:

```
OS10# show control-plane info
Queue  Min Rate Limit(in pps)  Max Rate Limit(in pps)  Protocols
0      600                     600                     ISCSI UNKNOWN UNICAST
1      1000                    1000                    OPEN_FLOW SFLOW
2      400                     400                     IGMP PIM
3      600                     1000                    VLT NDS
4      500                     1000                    IPV6_ICMP IPV4_ICMP
5      500                     1000                    ICMPV6_RS ICMPV6_NS ICMPV6_RA ICMPV6_NA
6      500                     1000                    ARP_REQ SERVICEABILITY
7      500                     1000                    ARP_RESP
8      500                     500                     SSH TELNET TACACS NTP FTP
9      600                     600                     FCOE NVME
10     600                     1000                    LACP
11     400                     400                     RSTP PVST MSTP
12     500                     500                     DOT1X LLDP FEFD
13     600                     1000                    IPV6_OSPF IPV4_OSPF
14     600                     1000                    OSPF_HELLO
15     600                     1000                    BGP
16     500                     500                     IPV6_DHCP IPV4_DHCP
17     600                     1000                    VRRP
18     700                     700                     BFD
19     1400                    2000                    REMOTE CPS
20     300                     300                     MCAST DATA
21     100                     100                     ACL LOGGING
22     300                     300                     MCAST KNOWN DATA
23     100                     100                     PTP
24     100                     100                     PORT_SECURITY
OS10#
```

Use the show running-configuration class-map and show running-configuration policy-map commands to review the configured CoPP policies:

```
OS10# show running-configuration class-map
!
class-map type application class-iscsi
!
class-map type control-plane example-copp-class-map-name
OS10#
OS10# show running-configuration policy-map
!
policy-map type application policy-iscsi
!
policy-map type control-plane example-copp-policy-map-name
 !
 class example-copp-class-map-name
  set qos-group 2
  police cir 100 pir 100
```

Examine the control-plane configuration for the control plane ACLs applied to traffic destined to the control plane from the OOBM management port or the front panel data ports:

```
OS10# show running-configuration control-plane
!
control-plane
 ip access-group MGMT_TRAFFIC_FROM_OOBM mgmt in
 ip access-group MGMT_TRAFFIC_FROM_DATA data in
```

Review the control plane ACLs and verify traffic is limited appropriately:

```
OS10# show running-configuration access-list
!
ip access-list MGMT_TRAFFIC_FROM_OOBM
 seq 10 permit ...
 seq 20 permit ...
 seq 30 deny ... log
 seq 40 deny ... log
!
ip access-list MGMT_TRAFFIC_FROM_DATA
 seq 10 permit ...
 seq 20 permit ...
 seq 30 deny ... log
 seq 40 deny ... log
```

If the OS10 Switch does not protect against or limit the effects of all known types of DoS attacks by employing organization-defined security safeguards, this is a finding.
✔️ Fix |
---|
Configure the network device to protect against or limit the effects of all known types of DoS attacks by employing organization-defined security safeguards.

Create an appropriate QoS policy for CoPP:

```
OS10(config)# class-map type control-plane example-copp-class-map-name
OS10(config-cmap-control-plane)# exit
OS10(config)# policy-map type control-plane example-copp-policy-map-name
OS10(config-pmap-control-plane)# class example-copp-class-map-name
OS10(config-pmap-c)# set qos-group 2
OS10(config-pmap-c)# police cir 100 pir 100
```

Assign the control-plane service-policy:

```
OS10(config)# control-plane
OS10(conf-control-plane)# service-policy input example-copp-policy-map-name
```

Configure inbound ACLs to restrict which packets are allowed to reach the control plane from the OOBM management port and from the front panel data ports:

```
OS10(config)# ip access-list MGMT_TRAFFIC_FROM_OOBM
OS10(config-ipv4-acl)# permit ...
OS10(config-ipv4-acl)# permit ...
OS10(config-ipv4-acl)# deny ... log
OS10(config-ipv4-acl)# deny ... log
OS10(config)# ip access-list MGMT_TRAFFIC_FROM_DATA
OS10(config-ipv4-acl)# permit ...
OS10(config-ipv4-acl)# permit ...
OS10(config-ipv4-acl)# deny ... log
OS10(config-ipv4-acl)# deny ... log
```

Apply the ACLs to the ingress of the control-plane:

```
OS10(config)# control-plane
OS10(config-control-plane)# ip access-group MGMT_TRAFFIC_FROM_OOBM mgmt in
OS10(config-control-plane)# ip access-group MGMT_TRAFFIC_FROM_DATA data in
```