Security Best Practise

mcardell
Cisco Employee

Good morning all,

Got a question about security.

Should my router in my internal network (protected by a Firewall from external networks) deny ICMP packets with ACL?

I am asking what is the best practise from the security point of view to manage the network.

Thanks

Matteo

1 Reply

ehirsel
Level 6

I would block icmp messages wherever possible. There may be cases where you have to permit icmp - path mtu discovery relies upon the receipt of icmp unreachable messages (only type 3 code 4 - fragmentation needed messages) and some snmp managers will usually require it to tell if a link is up or down outside of snmp traps.

How are you managing the routers now? Via an Out-Of-Band (OOB) network, or is your management station in-band? If you need to allow icmp, only allow the echo, echo-reply and unreachable messages. I would use an acl to only accept echo and echo reply from mgmt. stations, and I would use a rate-limitation to prevent icmp from tying up too many resources (cpu and bandwidth).

There may be a way to restrict the unreachable message to the code=4 value, instead of all unreachables. This way, if your router has other acl entries, it will not send an admin prohibited code of an unreachable type. I am not sure how to code it. This way path mtu discovery can still work.

I hope this helps.
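The policy the reply describes, written out as an added Cisco IOS configuration example (this is not from the thread or from Cisco documentation; the management subnet 10.10.0.0/24, the ACL and class-map names, and the interface name are constructed placeholders). It permits echo only from the management stations, echo-reply only back to them, and restricts the accepted unreachables to type 3 code 4 using the IOS `packet-too-big` keyword, which is the answer to the "not sure how to code it" part; `permit icmp any any 3 4` expresses the same match numerically. The rate limitation is done in two places: `ip icmp rate-limit unreachable` throttles the unreachables the router itself generates, and a control-plane policy caps ICMP addressed to the router so it cannot exhaust the CPU.

```cisco
! Added example, not from the original thread. Addresses and names are constructed.
! 10.10.0.0/24 = management subnet (SNMP managers / OOB hosts), GigabitEthernet0/1 = LAN interface.
ip access-list extended LAN-IN
 remark Echo requests only from the management stations
 permit icmp 10.10.0.0 0.0.0.255 any echo
 remark Echo replies only back to the management stations
 permit icmp any 10.10.0.0 0.0.0.255 echo-reply
 remark Keep Path MTU Discovery working: accept type 3 code 4 only, not every unreachable
 permit icmp any any packet-too-big
 remark All other ICMP is dropped; the log keyword gives a record in the syslog buffer
 deny   icmp any any log
 remark Non-ICMP traffic is governed by your other rules; here it is simply allowed
 permit ip any any
!
interface GigabitEthernet0/1
 ip access-group LAN-IN in
!
! Throttle the unreachables this router generates: at most one every 500 ms
ip icmp rate-limit unreachable 500
!
! Control-plane policing: ICMP addressed to the router itself is policed to 32 kbit/s
ip access-list extended COPP-ICMP
 permit icmp any any
!
class-map match-all CM-COPP-ICMP
 match access-group name COPP-ICMP
!
policy-map PM-COPP
 class CM-COPP-ICMP
  police 32000 1500 conform-action transmit exceed-action drop
!
control-plane
 service-policy input PM-COPP
```

Two caveats worth knowing before applying this. The interface ACL only governs which ICMP the router accepts or forwards; it does not change what the router sends, so the administratively-prohibited unreachables mentioned in the reply are suppressed by `no ip unreachables` on the interface, and that command also suppresses the fragmentation-needed messages, which is exactly what breaks PMTUD for traffic through that interface, so the rate limit above is the safer choice. Second, `deny ... log` on a busy link is itself CPU work on many platforms; watch `show ip access-lists LAN-IN` hit counts and `show policy-map control-plane` to confirm the policy is matching what you expect, and drop the `log` keyword if the deny line is counting thousands of hits.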