Is blocking ping the best way for security?

MrBeginner
Spotlight

Hi,

I noticed that some networks disable ping, and some security engineers disable ping in their networks. I also found some articles saying that disabling ICMP won't increase security. What is the best practice? If we enable ping, how do we protect against attacks like ping of death, ICMP flood, spoofing, etc.?

Accepted Solution

@MrBeginner it depends, read this http://shouldiblockicmp.com/

There are ICMP specific attacks, use rate limiting (CoPP) to prevent the CPU being overwhelmed. For anti-spoofing, use uRPF.


4 Replies

anboom
Cisco Employee

@MrBeginner, great post and thanks for asking this question that is very important to understand.

#1) The answer to this is: it depends. Network security is layered and complex, so it depends on where you are using ping and trace. Here is a link and a short summary from the ASA firewall perspective, which is about protecting the internal network from the outside.

ICMP Packet Filtering: ICMP is designed as an IP control protocol. As such, the messages it conveys can have far-reaching ramifications to the TCP and IP protocols in general. While the network troubleshooting tools ping and traceroute use ICMP, external ICMP connectivity is rarely needed for the proper operation of a network.

https://tools.cisco.com/security/center/resources/firewall_best_practices#27

Hope this helps! anboom

Ping is just a tool to check the availability/connectivity of a node. Disabling ping gives the advantage of avoiding random ping scans from anyone, but there are still other ways to check the availability/connectivity of services, such as nmap scans, TCP scanning, etc.

Please rate this and mark as solution/answer if this resolved your issue.
Good luck,
KB


If you only need ICMP ping, then allow only that and deny the other ICMP messages.
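Putting the accepted solution (rate limiting with CoPP, uRPF for anti-spoofing) and the last reply (permit ping, deny other ICMP) into one IOS configuration, as an added example that is not from the thread or from Cisco's documentation. It keeps echo/echo-reply for ping and also keeps packet-too-big and time-exceeded, because dropping those silently breaks path MTU discovery and traceroute. The interface, the ACL/class/policy names and the police rate are assumed values for the example.

```cisco
! Interface ACL: allow the ICMP types ping, PMTUD and traceroute depend on,
! drop every other ICMP type. Names and interface are assumed for this example.
ip access-list extended OUTSIDE-IN
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 deny   icmp any any log
 ! ... the non-ICMP rules for this interface go here; implicit deny follows ...

! CoPP: police ICMP that is destined to the router itself so a flood cannot
! exhaust the CPU. 64 kbps / 8000-byte burst is an assumed starting value;
! size it for the platform and the expected monitoring traffic.
ip access-list extended COPP-ICMP
 permit icmp any any
class-map match-all COPP-ICMP-CLASS
 match access-group name COPP-ICMP
policy-map COPP-POLICY
 class COPP-ICMP-CLASS
  police 64000 8000 conform-action transmit exceed-action drop
control-plane
 service-policy input COPP-POLICY

! Anti-spoofing: strict uRPF drops packets whose source address is not
! routed back out the interface they arrived on.
interface GigabitEthernet0/0
 description Outside (assumed)
 ip access-group OUTSIDE-IN in
 ip verify unicast source reachable-via rx
```

After applying it, `show policy-map control-plane` shows the conform/exceed counters for the ICMP class, and `show ip interface GigabitEthernet0/0 | include verify` confirms uRPF is active. Strict mode (`reachable-via rx`) assumes symmetric routing; where the return path can differ, use loose mode (`reachable-via any`) instead so legitimate traffic is not dropped.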
