[unisog] Necessary ICMP traffic and the SANS/FBI top 20 Vulnerabilities

Asadoorian, Paul D Paul_Asadoorian at brown.edu
Tue Jun 17 12:14:05 GMT 2003

I think the group has this one covered quite well; my only addition is
to drop fragmented ICMP packets. In IOS you can do the following:

 deny   icmp any any log-input fragments

Paul Asadoorian, GCIA
Brown University
115 Waterman St.
Providence, RI 02912

PGP Key: http://pauldotcom.com/Paul_Asadoorian.asc
Fingerprint: 42CB D9A8 37C4 2D1C A2FE  927F C946 9174 41DC 7A4F
Web: http://www.pauldotcom.com 

-----Original Message-----
From: Mayne, Jim [mailto:J.Mayne at tcu.edu] 
Sent: Monday, June 16, 2003 10:26 AM
To: unisog at sans.org
Subject: [unisog] Necessary ICMP traffic and the SANS/FBI top 20

In the SANS/FBI top 20 vulnerabilities they suggest blocking incoming
ICMP echo requests and outgoing replies as well as blocking outgoing
destination unreachable (except for fragmentation needed) messages.

Given all the other ICMP messages available to intruders, I am curious if
a better approach would not be to allow only fragmentation needed (3-4)
and source quench in/out of your network. It seems that any others
should only be passing between nodes inside your network.

Is this not true?


Jim Mayne
Sr. Network Engineer
Texas Christian University
j.mayne at tcu.edu
(817) 257-6843
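As an added illustration (not code from either poster), the combined policy from this exchange modelled as a packet filter in Python: Paul's drop of fragmented ICMP plus Jim's allow-list of fragmentation needed (type 3, code 4) and source quench (type 4), with everything else denied. Packets are constructed inline with RFC 5737 test addresses; the filter is a model of the rule set, not IOS's own matching logic.

```python
import struct

ICMP_PROTO = 1
FRAG_MORE_FRAGMENTS = 0x2000   # MF bit in the IPv4 flags/fragment-offset field
FRAG_OFFSET_MASK = 0x1FFF

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 when the stored checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4) -> bytes:
    """Constructed ICMP message with a correct checksum (rest = header bytes 4..7)."""
    hdr = struct.pack("!BBH", icmp_type, code, 0) + rest
    return hdr[:2] + struct.pack("!H", inet_checksum(hdr)) + hdr[4:]

def build_ipv4(flags_frag: int, payload: bytes, proto: int = ICMP_PROTO) -> bytes:
    """Constructed 20-byte IPv4 header (RFC 5737 addresses, IP checksum left 0) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_frag,
                      64, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + payload

def icmp_policy(pkt: bytes) -> str:
    """Return the filter verdict for one IPv4 datagram."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    if proto != ICMP_PROTO:
        return "not-icmp"
    # Non-initial fragments carry no ICMP header, so type/code rules cannot classify
    # them; that is what the IOS 'fragments' keyword matches. The initial fragment
    # (MF set) is dropped too, slightly stricter than IOS, since valid ICMP errors are small.
    if (flags_frag & FRAG_OFFSET_MASK) or (flags_frag & FRAG_MORE_FRAGMENTS):
        return "deny-fragment"
    icmp = pkt[ihl:]
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        return "deny-malformed"          # truncated header or bad ICMP checksum
    icmp_type, icmp_code = icmp[0], icmp[1]
    if (icmp_type, icmp_code) == (3, 4):  # Destination Unreachable: Fragmentation Needed
        return "permit"
    if icmp_type == 4:                    # Source Quench
        return "permit"
    return "deny"                         # echo request/reply, other unreachables, redirects
```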
