[unisog] Necessary ICMP traffic and the SANS/FBI top 20 Vulnerabilities
Asadoorian, Paul D
Paul_Asadoorian at brown.edu
Tue Jun 17 12:14:05 GMT 2003
I think the group has this one covered quite well; my only addition is
to drop fragmented ICMP packets. In IOS you can do the following:
deny icmp any any log-input fragments
Paul Asadoorian, GCIA
115 Waterman St.
Providence, RI 02912
PGP Key: http://pauldotcom.com/Paul_Asadoorian.asc
Fingerprint: 42CB D9A8 37C4 2D1C A2FE 927F C946 9174 41DC 7A4F
From: Mayne, Jim [mailto:J.Mayne at tcu.edu]
Sent: Monday, June 16, 2003 10:26 AM
To: unisog at sans.org
Subject: [unisog] Necessary ICMP traffic and the SANS/FBI top 20
In the SANS/FBI top 20 vulnerabilities they suggest blocking incoming
ICMP echo requests and outgoing replies as well as blocking outgoing
destination unreachable (except for fragmentation needed) messages.
Given all the other ICMP messages available to intruders, I am curious if
a better approach would not be to allow only fragmentation needed (3-4)
and source quench in/out of your network. It seems that any others
should only be passing between nodes inside your network.
Is this not true?
Sr. Network Engineer
Texas Christian University
j.mayne at tcu.edu
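As an added illustration (not code from either poster), the following Python classifier applies the combined policy from this thread to raw IPv4/ICMP packets: drop any fragmented ICMP packet (Paul's addition), pass only "fragmentation needed" (type 3, code 4) and source quench (type 4) across the perimeter (Jim's proposal), and drop the rest. The sample packets and their addresses are constructed for the demonstration; checksums are left at zero since the classifier never checks them.

```python
"""Classify IPv4/ICMP packets against the perimeter policy discussed in the thread.

Decision order: fragment check first (a non-initial fragment carries no ICMP
header, so type/code cannot be trusted), then the type/code allow-list.
"""
import struct

ICMP_PROTO = 1
DEST_UNREACH, SOURCE_QUENCH, ECHO_REQUEST = 3, 4, 8
FRAG_NEEDED = 4  # code 4 under type 3 ("fragmentation needed and DF set")


def classify_icmp(packet: bytes) -> str:
    """Return 'allow', 'drop-fragment', 'drop-policy' or 'not-icmp' for one IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    # version/IHL, TOS, total length, identification, flags+offset, TTL, protocol
    ver_ihl, _tos, _total, _ident, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    if proto != ICMP_PROTO:
        return "not-icmp"
    more_fragments = bool(flags_frag & 0x2000)   # MF bit
    frag_offset = flags_frag & 0x1FFF            # 13-bit offset in 8-byte units
    if more_fragments or frag_offset:
        return "drop-fragment"                   # Paul's rule: no fragmented ICMP
    ihl = (ver_ihl & 0x0F) * 4
    if len(packet) < ihl + 4:
        raise ValueError("truncated ICMP header")
    icmp_type, icmp_code = packet[ihl], packet[ihl + 1]
    if (icmp_type, icmp_code) == (DEST_UNREACH, FRAG_NEEDED):
        return "allow"                           # keeps path MTU discovery working
    if icmp_type == SOURCE_QUENCH:
        return "allow"                           # Jim's proposal also passes source quench
    return "drop-policy"                         # echo, other unreachables, redirects, ...


def build_packet(icmp_type: int, icmp_code: int, flags_frag: int = 0,
                 proto: int = ICMP_PROTO) -> bytes:
    """Constructed sample: 20-byte IPv4 header plus an 8-byte ICMP header."""
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, flags_frag, 64, proto, 0,
                            bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    icmp_header = struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0, 0)
    return ip_header + icmp_header
```

Feeding an echo request with the MF flag set returns "drop-fragment" before the type is even examined, which is exactly why the fragment rule must sit ahead of the type/code rules in an ACL as well.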