
Is blocking ping the best way for security?

MrBeginner
Enthusiast

Hi,

I noticed that some networks disable ping, and some security engineers disable ping in the network. I also found some articles saying that disabling ICMP won't increase security. What is the best practice? If we enable ping, how do we protect against attacks like ping of death, ICMP flood, spoofing, etc.?

4 Replies

anboom
Cisco Employee

@MrBeginner, great post and thanks for asking this question that is very important to understand.

#1) The answer to this is: it depends. Network security is layered and complex, so it depends on where you are using ping and trace. Here is a link and short summary from the ASA firewall perspective, which is protecting the internal traffic from the outside.

ICMP Packet Filtering: ICMP is designed as an IP control protocol. As such, the messages it conveys can have far-reaching ramifications to the TCP and IP protocols in general. While the network troubleshooting tools ping and traceroute use ICMP, external ICMP connectivity is rarely needed for the proper operation of a network.

https://tools.cisco.com/security/center/resources/firewall_best_practices#27

Hope this helps! anboom

Kasun Bandara
VIP Advocate

Ping is just a tool to check the availability/connectivity of a node. Disabling ping gives the advantage of avoiding random ping scans from anyone, but there are still other ways to check the availability/connectivity of services, such as nmap scans, TCP scanning, etc.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Rob Ingram
VIP Expert

@MrBeginner it depends, read this http://shouldiblockicmp.com/

There are ICMP specific attacks, use rate limiting (CoPP) to prevent the CPU being overwhelmed. For anti-spoofing, use uRPF.


MHM Cisco World
Advisor

If you only need ICMP ping, then allow only it and deny other ICMP messages.
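The three controls suggested in the replies above (permit only ping, uRPF for anti-spoofing, CoPP rate limiting), as an added Cisco IOS configuration sketch that is not from any of the posters. The ACL, class-map and policy-map names, the interface, and the police rate are assumptions to adapt to the device.

```cisco
! Constructed example for Cisco IOS. All names, the interface and the
! police rate are assumptions, not values taken from the thread.
!
! 1) Permit ping only and deny every other ICMP message type.
!    This also drops unreachable and time-exceeded messages, which
!    path MTU discovery and traceroute depend on.
!    Add the site's other permit entries after the ICMP lines; an ACL
!    ends with an implicit deny.
ip access-list extended OUTSIDE-IN
 permit icmp any any echo
 permit icmp any any echo-reply
 deny   icmp any any
!
! 2) Apply the ACL inbound and enable strict uRPF for anti-spoofing.
!    Strict mode drops a packet unless the route back to its source
!    points out the interface it arrived on, so it assumes symmetric
!    routing on this interface.
interface GigabitEthernet0/0
 ip access-group OUTSIDE-IN in
 ip verify unicast source reachable-via rx
!
! 3) CoPP: police ICMP punted to the route processor so a flood cannot
!    overwhelm the CPU. 64000 bps is a constructed figure; size it
!    from the device's normal ICMP load.
ip access-list extended COPP-ICMP
 permit icmp any any
!
class-map match-all CM-COPP-ICMP
 match access-group name COPP-ICMP
!
policy-map PM-COPP
 class CM-COPP-ICMP
  police 64000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input PM-COPP
```

After applying, `show access-lists OUTSIDE-IN`, `show ip interface GigabitEthernet0/0` and `show policy-map control-plane` display the hit counters, uRPF drop counts and policed packet counts respectively.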
