[unisog] Necessary ICMP traffic and the SANS/FBI top 20 Vulnerabilities

Mayne, Jim J.Mayne at tcu.edu
Tue Jun 17 12:59:52 GMT 2003


Thanks for all the replies to my question. It has been a very informative discussion.

Jim

Jim Mayne
Sr. Network Engineer
Texas Christian University
j.mayne at tcu.edu
(817) 257-6843


-----Original Message-----
From: Asadoorian, Paul D [mailto:Paul_Asadoorian at brown.edu]
Sent: Tuesday, June 17, 2003 7:14 AM
To: Mayne, Jim; unisog at sans.org
Subject: RE: [unisog] Necessary ICMP traffic and the SANS/FBI top 20 Vulnerabilities


I think the group has this one covered quite well; my only addition is
to drop fragmented ICMP packets. In IOS you can do the following:

 deny   icmp any any log-input fragments

Paul Asadoorian, GCIA
Brown University
115 Waterman St.
Providence, RI 02912
401.863.7553

PGP Key: http://pauldotcom.com/Paul_Asadoorian.asc
Fingerprint: 42CB D9A8 37C4 2D1C A2FE  927F C946 9174 41DC 7A4F
Web: http://www.pauldotcom.com


-----Original Message-----
From: Mayne, Jim [mailto:J.Mayne at tcu.edu] 
Sent: Monday, June 16, 2003 10:26 AM
To: unisog at sans.org
Subject: [unisog] Necessary ICMP traffic and the SANS/FBI top 20 Vulnerabilities



In the SANS/FBI top 20 vulnerabilities they suggest blocking incoming
ICMP echo requests and outgoing replies as well as blocking outgoing
destination unreachable (except for fragmentation needed) messages.

Given all the other ICMP messages available to intruders I am curious if
a better approach would not be to allow only fragmentation needed (3-4)
and source quench in/out of your network. It seems that any others
should only be passing between nodes inside your network. 

Is this not true?

Thanks,

Jim Mayne
Sr. Network Engineer
Texas Christian University
j.mayne at tcu.edu
(817) 257-6843
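The two filtering ideas in this thread, Jim's proposal to let only "fragmentation needed" (read here as ICMP type 3 code 4) and source quench (type 4) cross the border, and Paul's addition of dropping any fragmented ICMP, can be checked against real packet bytes. The script below is an added illustration and is not code from either poster or from Cisco IOS; it parses a raw IPv4 packet, applies that combined policy, and shows why the fragment rule matters: a non-first fragment carries no ICMP header, so its type and code cannot be inspected at all. The packet builder, the address constants and the `classify_icmp` name are constructed for this example. One caveat worth knowing today: source quench was formally deprecated by RFC 6633 (2012), so a modern policy would normally drop type 4 as well.

```python
import struct

ICMP_PROTO = 1

# (type, code) pairs the thread proposes allowing across the border:
#   (3, 4)  destination unreachable / fragmentation needed (needed for PMTU discovery)
#   (4, 0)  source quench (as proposed in the 2003 thread; deprecated by RFC 6633)
ALLOWED_BORDER_ICMP = {(3, 4), (4, 0)}


def build_ipv4_icmp(icmp_type, icmp_code, more_fragments=False,
                    frag_offset=0, payload=b"", proto=ICMP_PROTO):
    """Construct a minimal IPv4 packet (sample data, not captured traffic).

    For frag_offset == 0 the body starts with an ICMP header; a later
    fragment (frag_offset > 0) carries only continuation bytes, exactly
    as it would on the wire.
    """
    if frag_offset == 0:
        body = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0) + payload
    else:
        body = payload
    flags_frag = ((1 if more_fragments else 0) << 13) | (frag_offset & 0x1FFF)
    total_len = 20 + len(body)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,            # version 4, IHL 5 (20-byte header, no options)
        0,               # DSCP/ECN
        total_len,
        0x1234,          # identification
        flags_frag,      # flags (bit 13 = MF) and 13-bit fragment offset
        64,              # TTL
        proto,
        0,               # header checksum (not verified here)
        bytes([192, 0, 2, 10]),      # constructed source (TEST-NET-1)
        bytes([198, 51, 100, 20]),   # constructed destination (TEST-NET-2)
    )
    return header + body


def classify_icmp(packet):
    """Return (verdict, reason) for one packet under the thread's border policy."""
    if len(packet) < 20:
        return ("deny", "truncated IP header")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != ICMP_PROTO:
        return ("permit", "not ICMP; outside this policy")
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    more_fragments = bool(flags_frag & 0x2000)
    frag_offset = flags_frag & 0x1FFF
    # Paul's rule: any fragmented ICMP is dropped. A non-first fragment has
    # no ICMP header to inspect, and a first fragment with MF set is the
    # start of something that should never be this large.
    if more_fragments or frag_offset:
        return ("deny", "fragmented ICMP")
    if len(packet) < ihl + 4:
        return ("deny", "ICMP header incomplete")
    icmp_type, icmp_code = packet[ihl], packet[ihl + 1]
    # Jim's rule: only the two message kinds the thread names may cross the border.
    if (icmp_type, icmp_code) in ALLOWED_BORDER_ICMP:
        return ("permit", f"ICMP type {icmp_type} code {icmp_code}")
    return ("deny", f"ICMP type {icmp_type} code {icmp_code} not needed across the border")


def evaluate_samples():
    """Run the policy over constructed packets and return {label: verdict}."""
    samples = {
        "frag-needed":        build_ipv4_icmp(3, 4),
        "source-quench":      build_ipv4_icmp(4, 0),
        "echo-request":       build_ipv4_icmp(8, 0),
        "echo-reply":         build_ipv4_icmp(0, 0),
        "net-unreachable":    build_ipv4_icmp(3, 0),
        "first-fragment":     build_ipv4_icmp(3, 4, more_fragments=True, payload=b"\x00" * 8),
        "later-fragment":     build_ipv4_icmp(3, 4, frag_offset=185, payload=b"\x00" * 8),
        "tcp-not-icmp":       build_ipv4_icmp(0, 0, proto=6),
    }
    return {label: classify_icmp(pkt)[0] for label, pkt in samples.items()}


if __name__ == "__main__":
    for label, verdict in evaluate_samples().items():
        print(f"{label:16} {verdict}")
```

The "later-fragment" case is the one that makes the fragment rule necessary rather than merely cautious: without it, a type-based filter sees no type at all and has to guess, which is why the thread treats "deny fragmented ICMP" as a separate rule ahead of any type matching.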


